PeerTube/support/nginx/peertube

247 lines
9.8 KiB
Plaintext
Raw Normal View History

refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
# Minimum Nginx version required: 1.13.0 (released Apr 25, 2017)
# Uncomment in production to redirect HTTP to HTTPS. Leave commented for docker-compose.
#server {
# listen 80;
# listen [::]:80;
# server_name ${WEBSERVER_HOST};
#
# location /.well-known/acme-challenge/ {
# default_type "text/plain";
# root /var/www/certbot;
# }
# location / { return 301 https://$host$request_uri; }
#}
2016-11-25 14:20:00 +01:00
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
upstream backend {
server ${PEERTUBE_HOST};
}
2016-11-25 14:20:00 +01:00
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${WEBSERVER_HOST};
2016-11-25 14:20:00 +01:00
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
access_log /var/log/nginx/peertube.access.log; # reduce I/0 with buffer=10m flush=5m
error_log /var/log/nginx/peertube.error.log;
##
# Certificates
# you need a certificate to run in production. see https://letsencrypt.org/
##
ssl_certificate /etc/letsencrypt/live/peertube/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/peertube/privkey.pem;
location ^~ '/.well-known/acme-challenge' {
default_type "text/plain";
root /var/www/certbot;
}
##
# Security hardening (as of Nov 15, 2020)
# based on Mozilla Guideline v5.6
##
2018-02-16 11:04:12 +01:00
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
ssl_session_timeout 1d; # defaults to 5m
ssl_session_cache shared:SSL:10m; # estimated to 40k sessions
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
# HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
2018-02-16 11:04:12 +01:00
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
##
# Application
##
2018-02-16 11:04:12 +01:00
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
# This is the maximum upload size, which roughly matches the maximum size of a video file
# you can send via the API or the web interface. By default this is 8GB, but administrators
# can increase or decrease the limit. Currently there's no way to communicate this limit
# to users automatically, so you may want to leave a note in your instance 'about' page if
# you change this.
#
# Note that temporary space is needed equal to the total size of all concurrent uploads.
# This data gets stored in /var/lib/nginx by default, so you may want to put this directory
# on a dedicated filesystem.
client_max_body_size 8G;
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
proxy_connect_timeout 600s;
proxy_send_timeout 600s;
proxy_read_timeout 600s;
send_timeout 600s;
2018-01-18 17:44:13 +01:00
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
proxy_pass http://backend;
}
##
# Websocket
##
location /tracker/socket {
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Peers send a message to the tracker every 15 minutes
# Don't close the websocket before then
proxy_read_timeout 1200s; # default is 60s
proxy_pass http://backend;
}
location /socket.io {
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://backend;
}
2016-11-25 14:20:00 +01:00
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
##
# Performance optimizations
# For extra performance please refer to https://github.com/denji/nginx-tuning
##
root /var/www/peertube/storage;
# Enable compression for JS/CSS/HTML, for improved client load times.
# It might be nice to compress JSON/XML as returned by the API, but
# leaving that out to protect against potential BREACH attack.
gzip on;
gzip_vary on;
gzip_types # text/html is always compressed by HttpGzipModule
text/css
application/javascript
font/truetype
font/opentype
application/vnd.ms-fontobject
image/svg+xml;
gzip_min_length 1000; # default is 20 bytes
gzip_buffers 16 8k;
gzip_comp_level 2; # default is 1
client_body_timeout 30s; # default is 60
client_header_timeout 10s; # default is 60
send_timeout 10s; # default is 60
keepalive_timeout 10s; # default is 75
resolver_timeout 10s; # default is 30
reset_timedout_connection on;
tcp_nopush on; # send headers in one piece
tcp_nodelay on; # don't buffer data sent, good for small data bursts in real time
open_file_cache max=2000 inactive=5m; # default is no cache
open_file_cache_valid 2m; # default is 60s
open_file_cache_min_uses 2; # default is 1
open_file_cache_errors on;
# If you have a small /var/lib partition, it could be interesting to store temp nginx uploads in a different place
# See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
#client_body_temp_path /var/www/peertube/storage/nginx/;
# Bypass PeerTube for performance reasons. Could be removed
# Should be consistent with client-overrides assets list in /server/controllers/client.ts
location ~ ^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png))$ {
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
try_files /client-overrides/$1 $uri;
}
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
# Bypass PeerTube for performance reasons. Optional.
2019-07-29 14:58:41 +02:00
location ~ ^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$ {
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
2018-01-18 17:44:13 +01:00
alias /var/www/peertube/peertube-latest/client/dist/$1;
2018-01-18 17:44:13 +01:00
}
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
# Bypass PeerTube for performance reasons. Optional.
2018-07-24 18:02:23 +02:00
location ~ ^/static/(thumbnails|avatars)/ {
if ($request_method = 'OPTIONS') {
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
add_header 'Access-Control-Max-Age' 1728000; # Preflight request can be cached 20 days
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
add_header Cache-Control "public, max-age=7200"; # Cache response 2 hours
2018-01-18 17:44:13 +01:00
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
rewrite ^/static/(.*)$ /$1 break;
2018-07-24 18:02:23 +02:00
try_files $uri /;
2018-01-18 17:44:13 +01:00
}
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
# Bypass PeerTube for performance reasons. Optional.
location ~ ^/static/(webseed|redundancy|streaming-playlists)/ {
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
limit_rate_after 5M;
# Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
set $peertube_limit_rate 800k;
# Increase rate limit in HLS mode, because we don't have multiple simultaneous connections
if ($request_uri ~ -fragmented.mp4$) {
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
set $peertube_limit_rate 5M;
}
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
# Use this line with nginx >= 1.17.0
#limit_rate $peertube_limit_rate;
# Or this line if your nginx < 1.17.0
set $limit_rate $peertube_limit_rate;
2016-11-25 14:20:00 +01:00
if ($request_method = 'OPTIONS') {
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
add_header 'Access-Control-Allow-Origin' '*';
2016-11-25 14:20:00 +01:00
add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
add_header 'Access-Control-Max-Age' 1728000; # Preflight request can be cached 20 days
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
2016-11-25 14:20:00 +01:00
return 204;
}
if ($request_method = 'GET') {
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
add_header 'Access-Control-Allow-Origin' '*';
2016-11-25 14:20:00 +01:00
add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
2018-01-18 17:44:13 +01:00
# Don't spam access log file with byte range requests
access_log off;
2016-11-25 14:20:00 +01:00
}
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
# Enabling the sendfile directive eliminates the step of copying the data into the buffer
# and enables direct copying data from one file descriptor to another.
sendfile on;
sendfile_max_chunk 1M; # prevent one fast connection from entirely occupying the worker process. should be > 800k.
aio threads;
2018-12-04 17:08:55 +01:00
# Use this in tandem with fuse-mounting i.e. https://docs.joinpeertube.org/#/admin-remote-storage
# to serve files directly from a public bucket without proxying.
# Assumes you have buckets named after the storage subdirectories, i.e. 'videos', 'redundancy', etc.
#set $cdn <your S3-compatiable bucket public url mounted via fuse>;
#rewrite ^/static/webseed/(.*)$ $cdn/videos/$1 redirect;
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
#rewrite ^/static/(.*)$ $cdn/$1 redirect;
2018-12-04 17:08:55 +01:00
rewrite ^/static/webseed/(.*)$ /videos/$1 break;
refresh nginx config and optimize delivery (#3313) refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
2020-11-16 19:16:49 +01:00
rewrite ^/static/(.*)$ /$1 break;
2018-12-04 17:08:55 +01:00
try_files $uri /;
2016-11-25 14:20:00 +01:00
}
}