Interesting idea! You're right, we don't implement that right now. We could consider it, but it's unlikely. For one thing, it'd be very difficult to do over HTTPS; details in #744

Thanks for the answer! I thought that was automatic for any account *.bsky.social. I don't really know how the bluesky system works

I know you mentioned HTTPS, but is there a reason you can't just do a 307/308 redirect when a browser hits that address?

Yeah, HTTPS is the reason. You can't make SSL certs for multi-level wildcard hostnames, eg *.*.*.ap.brid.gy, which we would need.

Ah, I see what you mean there. There is somewhat of a solution there though, but it would also lean into DNS concerns in the other thread.

Letsencrypt (and others? I don't know who else supports their ACME tools) allows wildcard certs off of a DNS query. It wouldn't be instant, but could be handled automatically.

Further to reduce load, given the format of AP names being translated, by making it a wildcard you have one cert per instance rather than per user.

https://letsencrypt.org/docs/challenge-types/#dns-01-challenge

True! ...but Let's Encrypt rate limits certs to 50 per week per base domain: https://letsencrypt.org/docs/rate-limits/#limit-1

More importantly, this would be a lot of new complexity to build and maintain just to redirect bridged hostnames to Bluesky profiles. I'm happy to leave this open to track!...but honestly it's probably not likely any time soon.

Honestly that's the kind of thing I figured would be queued up anyways, as in you would bridge and if there was no cert for your domain it would just be added to the queue to eventually get done.

Not going to pretend it's trivial though.

One other consideration comes to mind potentially, for cases of instances owners that approve of the bridge: maybe create an interface/instructions where we can forward our own subdomains to the bridge and potentially handle the https and certificates ourselves?

ie. I create a subdomain wildcard cert for *.bsky.foggyminds.com and add appropriate entries to have bluesky requests go to the bridge, and then on my end I just deploy some nginx or php bits to create redirects for those accessing with their browser?

Not a perfect solution, but a nice way to provide a partial solution and a nice little customization perk. It would just involve a way to tell the bridge that this domain maps to this instance (maybe as little as a TXT record? or maybe just a txt file at the root?), as well as some documentation and some code to handle that translation.

Nevermind finally looked into it enough to realize it really does mandate a single DNS entry per account which is ridiculous...

Also looked up and learned that you already basically do that lol.