OpenCloud
/
PeerTube
mirror of https://github.com/Chocobozzz/PeerTube
1
0
Fork 0
Code Issues Releases Wiki Activity
PeerTube/support/nginx/peertube

191 lines
7.4 KiB
Plaintext
Raw Normal View History

Add peertube https nginx template
2016-11-25 14:20:00 +01:00
server {
listen 80;
Precisions and security enhancements to the production guide (#287) - added precisions and suggestions about how to generate Let's Encrypt certificates. Users have reported their installations didn't work when the problem came from missing certificates (false positives). - security defaults of Nginx follow the basic robustness principle "be conservative in what you send, be liberal in what you accept", which isn't enough with modern security standards, so we should be picky with the cipher suites we use, among other things. Extra comments (especially for the TLS1.3 protocol support parameter) make the requirement of a recent Nginx installation obvious, and the downgrade alternative remains clear to the system administrator. All in all, we should aknowledge users will most often copy and paste the configuration files. Making them secure by default may force a few users to read their configuration, but on the long run we are making the fediverse more secure. Since I've come to modify a bit the Nginx config in `support/doc/production.md`, I've merged it with the template so that they stay consistent.
2018-02-14 11:11:49 +01:00
listen [::]:80;
server_name peertube.example.com;
Update production guide Use release that already contains build files. It requires a specific directories tree but I think it would be fine.
2018-01-15 17:56:58 +01:00
Precisions and security enhancements to the production guide (#287) - added precisions and suggestions about how to generate Let's Encrypt certificates. Users have reported their installations didn't work when the problem came from missing certificates (false positives). - security defaults of Nginx follow the basic robustness principle "be conservative in what you send, be liberal in what you accept", which isn't enough with modern security standards, so we should be picky with the cipher suites we use, among other things. Extra comments (especially for the TLS1.3 protocol support parameter) make the requirement of a recent Nginx installation obvious, and the downgrade alternative remains clear to the system administrator. All in all, we should aknowledge users will most often copy and paste the configuration files. Making them secure by default may force a few users to read their configuration, but on the long run we are making the fediverse more secure. Since I've come to modify a bit the Nginx config in `support/doc/production.md`, I've merged it with the template so that they stay consistent.
2018-02-14 11:11:49 +01:00
access_log /var/log/nginx/peertube.example.com.access.log;
error_log /var/log/nginx/peertube.example.com.error.log;
nginx optimizations
2018-01-18 17:44:13 +01:00
Try to improve production guide
2018-02-16 11:04:12 +01:00
location /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/certbot;
}
Update production guide Use release that already contains build files. It requires a specific directories tree but I think it would be fine.
2018-01-15 17:56:58 +01:00
location / { return 301 https://$host$request_uri; }
Add peertube https nginx template
2016-11-25 14:20:00 +01:00
}
server {
Remove unused webserver configuration And update nginx configuration with a rate limit
2018-01-11 10:45:06 +01:00
listen 443 ssl http2;
Precisions and security enhancements to the production guide (#287) - added precisions and suggestions about how to generate Let's Encrypt certificates. Users have reported their installations didn't work when the problem came from missing certificates (false positives). - security defaults of Nginx follow the basic robustness principle "be conservative in what you send, be liberal in what you accept", which isn't enough with modern security standards, so we should be picky with the cipher suites we use, among other things. Extra comments (especially for the TLS1.3 protocol support parameter) make the requirement of a recent Nginx installation obvious, and the downgrade alternative remains clear to the system administrator. All in all, we should aknowledge users will most often copy and paste the configuration files. Making them secure by default may force a few users to read their configuration, but on the long run we are making the fediverse more secure. Since I've come to modify a bit the Nginx config in `support/doc/production.md`, I've merged it with the template so that they stay consistent.
2018-02-14 11:11:49 +01:00
listen [::]:443 ssl http2;
server_name peertube.example.com;
Add peertube https nginx template
2016-11-25 14:20:00 +01:00
Try to improve production guide
2018-02-16 11:04:12 +01:00
# For example with certbot (you need a certificate to run https)
Precisions and security enhancements to the production guide (#287) - added precisions and suggestions about how to generate Let's Encrypt certificates. Users have reported their installations didn't work when the problem came from missing certificates (false positives). - security defaults of Nginx follow the basic robustness principle "be conservative in what you send, be liberal in what you accept", which isn't enough with modern security standards, so we should be picky with the cipher suites we use, among other things. Extra comments (especially for the TLS1.3 protocol support parameter) make the requirement of a recent Nginx installation obvious, and the downgrade alternative remains clear to the system administrator. All in all, we should aknowledge users will most often copy and paste the configuration files. Making them secure by default may force a few users to read their configuration, but on the long run we are making the fediverse more secure. Since I've come to modify a bit the Nginx config in `support/doc/production.md`, I've merged it with the template so that they stay consistent.
2018-02-14 11:11:49 +01:00
ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;
Try to improve production guide
2018-02-16 11:04:12 +01:00
Precisions and security enhancements to the production guide (#287) - added precisions and suggestions about how to generate Let's Encrypt certificates. Users have reported their installations didn't work when the problem came from missing certificates (false positives). - security defaults of Nginx follow the basic robustness principle "be conservative in what you send, be liberal in what you accept", which isn't enough with modern security standards, so we should be picky with the cipher suites we use, among other things. Extra comments (especially for the TLS1.3 protocol support parameter) make the requirement of a recent Nginx installation obvious, and the downgrade alternative remains clear to the system administrator. All in all, we should aknowledge users will most often copy and paste the configuration files. Making them secure by default may force a few users to read their configuration, but on the long run we are making the fediverse more secure. Since I've come to modify a bit the Nginx config in `support/doc/production.md`, I've merged it with the template so that they stay consistent.
2018-02-14 11:11:49 +01:00
# Security hardening (as of 11/02/2018)
Try to improve production guide
2018-02-16 11:04:12 +01:00
ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
Precisions and security enhancements to the production guide (#287) - added precisions and suggestions about how to generate Let's Encrypt certificates. Users have reported their installations didn't work when the problem came from missing certificates (false positives). - security defaults of Nginx follow the basic robustness principle "be conservative in what you send, be liberal in what you accept", which isn't enough with modern security standards, so we should be picky with the cipher suites we use, among other things. Extra comments (especially for the TLS1.3 protocol support parameter) make the requirement of a recent Nginx installation obvious, and the downgrade alternative remains clear to the system administrator. All in all, we should aknowledge users will most often copy and paste the configuration files. Making them secure by default may force a few users to read their configuration, but on the long run we are making the fediverse more secure. Since I've come to modify a bit the Nginx config in `support/doc/production.md`, I've merged it with the template so that they stay consistent.
2018-02-14 11:11:49 +01:00
ssl_prefer_server_ciphers on;
Update nginx cipher to the one we use on framatube
2019-12-13 17:00:54 +01:00
# Remove ECDHE-RSA-AES256-SHA if you don't want compatibility with Android 4
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA';
Fix nginx configuration that do not work with import-videos script
2018-03-01 17:14:57 +01:00
# ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0, not compatible with import-videos script
Precisions and security enhancements to the production guide (#287) - added precisions and suggestions about how to generate Let's Encrypt certificates. Users have reported their installations didn't work when the problem came from missing certificates (false positives). - security defaults of Nginx follow the basic robustness principle "be conservative in what you send, be liberal in what you accept", which isn't enough with modern security standards, so we should be picky with the cipher suites we use, among other things. Extra comments (especially for the TLS1.3 protocol support parameter) make the requirement of a recent Nginx installation obvious, and the downgrade alternative remains clear to the system administrator. All in all, we should aknowledge users will most often copy and paste the configuration files. Making them secure by default may force a few users to read their configuration, but on the long run we are making the fediverse more secure. Since I've come to modify a bit the Nginx config in `support/doc/production.md`, I've merged it with the template so that they stay consistent.
2018-02-14 11:11:49 +01:00
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
Try to improve production guide
2018-02-16 11:04:12 +01:00
# Configure with your resolvers
# resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
# resolver_timeout 5s;
Only enable gzip for HTML/CSS/JS No compression on JSON endpoints, in order to protect from potential compression+encryption data leak attacks (like BREACH)
2018-08-23 21:12:08 +02:00
# Enable compression for JS/CSS/HTML bundle, for improved client load times.
# It might be nice to compress JSON, but leaving that out to protect against potential
# compression+encryption information leak attacks like BREACH.
Add gzip support to the sample nginx configuration Without gzip explicitly enabled, load times suffer from transferring over a megabyte of plaintext javascript. With gzip enabled, the bundle is down to about 300K, and loads much faster. This change does not enable gzip on files that are already compressed, so images, fonts, and videos will be sent without the CPU overhead.
2018-08-22 23:34:41 +02:00
gzip on;
Nginx config file: remove text/html from gzip_types As stated by https://nginx.org/en/docs/http/ngx_http_gzip_module.html, text/html is always part of the gzip_types. This removes a warning when checking the Nginx configuration files.
2019-02-10 21:36:41 +01:00
gzip_types text/css application/javascript;
Add gzip support to the sample nginx configuration Without gzip explicitly enabled, load times suffer from transferring over a megabyte of plaintext javascript. With gzip enabled, the bundle is down to about 300K, and loads much faster. This change does not enable gzip on files that are already compressed, so images, fonts, and videos will be sent without the CPU overhead.
2018-08-22 23:34:41 +02:00
gzip_vary on;
Add client_body_temp_path hint in nginx template
2019-12-05 11:25:00 +01:00
# If you have a small /var/lib partition, it could be interesting to store temp nginx uploads in a different place
# See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
# client_body_temp_path /var/www/peertube/storage/nginx/;
make HSTS opt-in and leave it to the reverse-proxy
2018-09-09 22:10:38 +02:00
# Enable HSTS
# Tells browsers to stick with HTTPS and never visit the insecure HTTP
# version. Once a browser sees this header, it will only visit the site over
# HTTPS for the next 2 years: (read more on hstspreload.org)
Don't include `preload` flag in sample HSTS header This goes against the recommendations (preloading should be opt-in). Putting it in the example makes it likely that people enable it without knowing what it means. https://hstspreload.org/?domain=peertube.social#opt-in
2018-09-11 20:04:49 +02:00
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
Increase upload limit to 8GB (test)
2018-06-29 15:47:15 +02:00
Precisions and security enhancements to the production guide (#287) - added precisions and suggestions about how to generate Let's Encrypt certificates. Users have reported their installations didn't work when the problem came from missing certificates (false positives). - security defaults of Nginx follow the basic robustness principle "be conservative in what you send, be liberal in what you accept", which isn't enough with modern security standards, so we should be picky with the cipher suites we use, among other things. Extra comments (especially for the TLS1.3 protocol support parameter) make the requirement of a recent Nginx installation obvious, and the downgrade alternative remains clear to the system administrator. All in all, we should aknowledge users will most often copy and paste the configuration files. Making them secure by default may force a few users to read their configuration, but on the long run we are making the fediverse more secure. Since I've come to modify a bit the Nginx config in `support/doc/production.md`, I've merged it with the template so that they stay consistent.
2018-02-14 11:11:49 +01:00
access_log /var/log/nginx/peertube.example.com.access.log;
error_log /var/log/nginx/peertube.example.com.error.log;
nginx optimizations
2018-01-18 17:44:13 +01:00
Precisions and security enhancements to the production guide (#287) - added precisions and suggestions about how to generate Let's Encrypt certificates. Users have reported their installations didn't work when the problem came from missing certificates (false positives). - security defaults of Nginx follow the basic robustness principle "be conservative in what you send, be liberal in what you accept", which isn't enough with modern security standards, so we should be picky with the cipher suites we use, among other things. Extra comments (especially for the TLS1.3 protocol support parameter) make the requirement of a recent Nginx installation obvious, and the downgrade alternative remains clear to the system administrator. All in all, we should aknowledge users will most often copy and paste the configuration files. Making them secure by default may force a few users to read their configuration, but on the long run we are making the fediverse more secure. Since I've come to modify a bit the Nginx config in `support/doc/production.md`, I've merged it with the template so that they stay consistent.
2018-02-14 11:11:49 +01:00
location ^~ '/.well-known/acme-challenge' {
default_type "text/plain";
root /var/www/certbot;
}
Add peertube https nginx template
2016-11-25 14:20:00 +01:00
Add comments in nginx regarding blocks that can be safely removed
2018-09-17 15:45:17 +02:00
# Bypass PeerTube for performance reasons. Could be removed
Improve nginx client images cache
2019-07-29 14:58:41 +02:00
location ~ ^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$ {
nginx optimizations
2018-01-18 17:44:13 +01:00
add_header Cache-Control "public, max-age=31536000, immutable";
Peertube home in /var/www instead of /home
2018-01-23 09:00:23 +01:00
alias /var/www/peertube/peertube-latest/client/dist/$1;
nginx optimizations
2018-01-18 17:44:13 +01:00
}
Add comments in nginx regarding blocks that can be safely removed
2018-09-17 15:45:17 +02:00
# Bypass PeerTube for performance reasons. Could be removed
404 on unknown thumbnail
2018-07-24 18:02:23 +02:00
location ~ ^/static/(thumbnails|avatars)/ {
Add cors to static route in nginx template
2018-07-24 16:44:46 +02:00
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
404 on unknown thumbnail
2018-07-24 18:02:23 +02:00
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
Add cors to static route in nginx template
2018-07-24 16:44:46 +02:00
Fix static avatars/thumbnails cache
2018-07-17 19:04:41 +02:00
# Cache 2 hours
add_header Cache-Control "public, max-age=7200";
nginx optimizations
2018-01-18 17:44:13 +01:00
404 on unknown thumbnail
2018-07-24 18:02:23 +02:00
root /var/www/peertube/storage;
rewrite ^/static/(thumbnails|avatars)/(.*)$ /$1/$2 break;
try_files $uri /;
nginx optimizations
2018-01-18 17:44:13 +01:00
}
Add peertube https nginx template
2016-11-25 14:20:00 +01:00
location / {
Fix nginx template on dual stack server See https://framacolibri.org/t/listen-to-unix-socket-instead-of-localhost-9000/5348
2019-08-07 15:13:01 +02:00
proxy_pass http://127.0.0.1:9000;
Add peertube https nginx template
2016-11-25 14:20:00 +01:00
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
Remove hard-coded 8GB upload limit in client (#1293) * Remove hard-coded 8GB upload limit in client Ideally we'd know what the specific server's configured upload limit is before starting, but this 8GB limit is not useful if an administrator has changed the nginx post limit on the server. * Better docs for admins about client_max_body_size Seems like some admins already tweak this value up or down to allow for different maximum video upload sizes. The current codebase has no other server-side limits that I'm aware of, and I've been routinely uploading quite large videos to my instance. This patch replaces the somewhat incorrect (or outdated?) 'hard limit' comment with some advice about allocating enough space for nginx and communicating the limit with your users. Of course it would be better if this configuration could be unified with PeerTube's config somehow. I'm not sure whether the best option there is to turn off nginx's buffering here and let PeerTube handle the entire upload (can we do this only for the video upload API endpoint?) or whether we want PeerTube to generate nginx configs in a more automated way layer. In any case, this patch is intended as an incremental improvement.
2018-12-07 14:58:17 +01:00
# This is the maximum upload size, which roughly matches the maximum size of a video file
# you can send via the API or the web interface. By default this is 8GB, but administrators
# can increase or decrease the limit. Currently there's no way to communicate this limit
# to users automatically, so you may want to leave a note in your instance 'about' page if
# you change this.
#
# Note that temporary space is needed equal to the total size of all concurrent uploads.
# This data gets stored in /var/lib/nginx by default, so you may want to put this directory
# on a dedicated filesystem.
#
Increase upload limit to 8GB (test)
2018-06-29 15:47:15 +02:00
client_max_body_size 8G;
Remove hard-coded 8GB upload limit in client (#1293) * Remove hard-coded 8GB upload limit in client Ideally we'd know what the specific server's configured upload limit is before starting, but this 8GB limit is not useful if an administrator has changed the nginx post limit on the server. * Better docs for admins about client_max_body_size Seems like some admins already tweak this value up or down to allow for different maximum video upload sizes. The current codebase has no other server-side limits that I'm aware of, and I've been routinely uploading quite large videos to my instance. This patch replaces the somewhat incorrect (or outdated?) 'hard limit' comment with some advice about allocating enough space for nginx and communicating the limit with your users. Of course it would be better if this configuration could be unified with PeerTube's config somehow. I'm not sure whether the best option there is to turn off nginx's buffering here and let PeerTube handle the entire upload (can we do this only for the video upload API endpoint?) or whether we want PeerTube to generate nginx configs in a more automated way layer. In any case, this patch is intended as an incremental improvement.
2018-12-07 14:58:17 +01:00
Add ability to unfollow a server
2017-11-20 11:19:23 +01:00
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
Precisions and security enhancements to the production guide (#287) - added precisions and suggestions about how to generate Let's Encrypt certificates. Users have reported their installations didn't work when the problem came from missing certificates (false positives). - security defaults of Nginx follow the basic robustness principle "be conservative in what you send, be liberal in what you accept", which isn't enough with modern security standards, so we should be picky with the cipher suites we use, among other things. Extra comments (especially for the TLS1.3 protocol support parameter) make the requirement of a recent Nginx installation obvious, and the downgrade alternative remains clear to the system administrator. All in all, we should aknowledge users will most often copy and paste the configuration files. Making them secure by default may force a few users to read their configuration, but on the long run we are making the fediverse more secure. Since I've come to modify a bit the Nginx config in `support/doc/production.md`, I've merged it with the template so that they stay consistent.
2018-02-14 11:11:49 +01:00
send_timeout 600;
Add peertube https nginx template
2016-11-25 14:20:00 +01:00
}
Add comments in nginx regarding blocks that can be safely removed
2018-09-17 15:45:17 +02:00
# Bypass PeerTube for performance reasons. Could be removed
Add streaming playlists endpoint in nginx
2019-12-10 12:11:20 +01:00
location ~ ^/static/(webseed|redundancy|streaming-playlists)/ {
Fix nginx config CORS headers were removed. See https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
2019-12-10 16:39:22 +01:00
# Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
set $peertube_limit_rate 800k;
# Increase rate limit in HLS mode, because we don't have multiple simultaneous connections
if ($request_uri ~ -fragmented.mp4$) {
set $peertube_limit_rate 5000k;
}
# Use this with nginx >= 1.17.0
# limit_rate $peertube_limit_rate;
# Or this if your nginx < 1.17.0
set $limit_rate $peertube_limit_rate;
limit_rate_after 5000k;
Remove unused webserver configuration And update nginx configuration with a rate limit
2018-01-11 10:45:06 +01:00
Add peertube https nginx template
2016-11-25 14:20:00 +01:00
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
if ($request_method = 'GET') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
nginx optimizations
2018-01-18 17:44:13 +01:00
# Don't spam access log file with byte range requests
access_log off;
Add peertube https nginx template
2016-11-25 14:20:00 +01:00
}
Create redundancy endpoint
2018-12-04 17:08:55 +01:00
root /var/www/peertube/storage;
rewrite ^/static/webseed/(.*)$ /videos/$1 break;
rewrite ^/static/redundancy/(.*)$ /redundancy/$1 break;
Add streaming playlists endpoint in nginx
2019-12-10 12:11:20 +01:00
rewrite ^/static/streaming-playlists/(.*)$ /streaming-playlists/$1 break;
Create redundancy endpoint
2018-12-04 17:08:55 +01:00
try_files $uri /;
Add peertube https nginx template
2016-11-25 14:20:00 +01:00
}
# Websocket tracker
location /tracker/socket {
# Peers send a message to the tracker every 15 minutes
# Don't close the websocket before this time
proxy_read_timeout 1200s;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
Fix nginx template on dual stack server See https://framacolibri.org/t/listen-to-unix-socket-instead-of-localhost-9000/5348
2019-08-07 15:13:01 +02:00
proxy_pass http://127.0.0.1:9000;
Add peertube https nginx template
2016-11-25 14:20:00 +01:00
}
Support socket.io in nginx template
2019-01-29 09:10:24 +01:00
location /socket.io {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
Fix nginx template on dual stack server See https://framacolibri.org/t/listen-to-unix-socket-instead-of-localhost-9000/5348
2019-08-07 15:13:01 +02:00
proxy_pass http://127.0.0.1:9000;
Support socket.io in nginx template
2019-01-29 09:10:24 +01:00
# enable WebSockets
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
Add peertube https nginx template
2016-11-25 14:20:00 +01:00
}