PeerTube/support/nginx/peertube

server {
  listen 80;
  listen [::]:80;
  server_name peertube.example.com;

  access_log /var/log/nginx/peertube.example.com.access.log;
  error_log /var/log/nginx/peertube.example.com.error.log;

  location /.well-known/acme-challenge/ { allow all; }
  location / { return 301 https://$host$request_uri; }
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name peertube.example.com;

  # For example with Let's Encrypt (you need a certificate to run https)
  ssl_certificate      /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/peertube.example.com/privkey.pem;
  
  # Security hardening (as of 11/02/2018)
  ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2
  ssl_prefer_server_ciphers on;
  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
  ssl_session_timeout  10m;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off; # Requires nginx >= 1.5.9
  ssl_stapling on; # Requires nginx >= 1.3.7
  ssl_stapling_verify on; # Requires nginx => 1.3.7
  resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
  resolver_timeout 5s;
  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Robots-Tag none;
  
  access_log /var/log/nginx/peertube.example.com.access.log;
  error_log /var/log/nginx/peertube.example.com.error.log;

  location ^~ '/.well-known/acme-challenge' {
    default_type "text/plain";
    root /var/www/certbot;
  }

  location ~ ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ {
    add_header Cache-Control "public, max-age=31536000, immutable";

    alias /var/www/peertube/peertube-latest/client/dist/$1;
  }

  location ~ ^/static/(thumbnails|avatars)/(.*)$ {
    add_header Cache-Control "public, max-age=31536000, immutable";

    alias /var/www/peertube/storage/$1/$2;
  }

  location / {
    proxy_pass http://localhost:9000;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # For the video upload
    client_max_body_size 2G;
    proxy_connect_timeout       600;
    proxy_send_timeout          600;
    proxy_read_timeout          600;
    send_timeout                600;
  }

  # Bypass PeerTube webseed route for better performances
  location /static/webseed {
    # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
    limit_rate 800k;

    if ($request_method = 'OPTIONS') {
      add_header 'Access-Control-Allow-Origin' '*';
      add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
      add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
      add_header 'Access-Control-Max-Age' 1728000;
      add_header 'Content-Type' 'text/plain charset=UTF-8';
      add_header 'Content-Length' 0;
      return 204;
    }

    if ($request_method = 'GET') {
      add_header 'Access-Control-Allow-Origin' '*';
      add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
      add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

      # Don't spam access log file with byte range requests
      access_log off;
    }

    alias /var/www/peertube/storage/videos;
  }

  # Websocket tracker
  location /tracker/socket {
    # Peers send a message to the tracker every 15 minutes
    # Don't close the websocket before this time
    proxy_read_timeout 1200s;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_pass http://localhost:9000;
  }
}
Add peertube https nginx template 2016-11-25 14:20:00 +01:00			`server {`
			`listen 80;`
Precisions and security enhancements to the production guide (#287) - added precisions and suggestions about how to generate Let's Encrypt certificates. Users have reported their installations didn't work when the problem came from missing certificates (false positives). - security defaults of Nginx follow the basic robustness principle "be conservative in what you send, be liberal in what you accept", which isn't enough with modern security standards, so we should be picky with the cipher suites we use, among other things. Extra comments (especially for the TLS1.3 protocol support parameter) make the requirement of a recent Nginx installation obvious, and the downgrade alternative remains clear to the system administrator. All in all, we should aknowledge users will most often copy and paste the configuration files. Making them secure by default may force a few users to read their configuration, but on the long run we are making the fediverse more secure. Since I've come to modify a bit the Nginx config in `support/doc/production.md`, I've merged it with the template so that they stay consistent. 2018-02-14 11:11:49 +01:00			`listen [::]:80;`
			`server_name peertube.example.com;`
Update production guide Use release that already contains build files. It requires a specific directories tree but I think it would be fine. 2018-01-15 17:56:58 +01:00
Precisions and security enhancements to the production guide (#287) - added precisions and suggestions about how to generate Let's Encrypt certificates. Users have reported their installations didn't work when the problem came from missing certificates (false positives). - security defaults of Nginx follow the basic robustness principle "be conservative in what you send, be liberal in what you accept", which isn't enough with modern security standards, so we should be picky with the cipher suites we use, among other things. Extra comments (especially for the TLS1.3 protocol support parameter) make the requirement of a recent Nginx installation obvious, and the downgrade alternative remains clear to the system administrator. All in all, we should aknowledge users will most often copy and paste the configuration files. Making them secure by default may force a few users to read their configuration, but on the long run we are making the fediverse more secure. Since I've come to modify a bit the Nginx config in `support/doc/production.md`, I've merged it with the template so that they stay consistent. 2018-02-14 11:11:49 +01:00			`access_log /var/log/nginx/peertube.example.com.access.log;`
			`error_log /var/log/nginx/peertube.example.com.error.log;`
nginx optimizations 2018-01-18 17:44:13 +01:00
Update production guide Use release that already contains build files. It requires a specific directories tree but I think it would be fine. 2018-01-15 17:56:58 +01:00			`location /.well-known/acme-challenge/ { allow all; }`
			`location / { return 301 https://$host$request_uri; }`
Add peertube https nginx template 2016-11-25 14:20:00 +01:00			`}`

			`server {`
Remove unused webserver configuration And update nginx configuration with a rate limit 2018-01-11 10:45:06 +01:00			`listen 443 ssl http2;`
Precisions and security enhancements to the production guide (#287) - added precisions and suggestions about how to generate Let's Encrypt certificates. Users have reported their installations didn't work when the problem came from missing certificates (false positives). - security defaults of Nginx follow the basic robustness principle "be conservative in what you send, be liberal in what you accept", which isn't enough with modern security standards, so we should be picky with the cipher suites we use, among other things. Extra comments (especially for the TLS1.3 protocol support parameter) make the requirement of a recent Nginx installation obvious, and the downgrade alternative remains clear to the system administrator. All in all, we should aknowledge users will most often copy and paste the configuration files. Making them secure by default may force a few users to read their configuration, but on the long run we are making the fediverse more secure. Since I've come to modify a bit the Nginx config in `support/doc/production.md`, I've merged it with the template so that they stay consistent. 2018-02-14 11:11:49 +01:00			`listen [::]:443 ssl http2;`
			`server_name peertube.example.com;`
Add peertube https nginx template 2016-11-25 14:20:00 +01:00
Precisions and security enhancements to the production guide (#287) - added precisions and suggestions about how to generate Let's Encrypt certificates. Users have reported their installations didn't work when the problem came from missing certificates (false positives). - security defaults of Nginx follow the basic robustness principle "be conservative in what you send, be liberal in what you accept", which isn't enough with modern security standards, so we should be picky with the cipher suites we use, among other things. Extra comments (especially for the TLS1.3 protocol support parameter) make the requirement of a recent Nginx installation obvious, and the downgrade alternative remains clear to the system administrator. All in all, we should aknowledge users will most often copy and paste the configuration files. Making them secure by default may force a few users to read their configuration, but on the long run we are making the fediverse more secure. Since I've come to modify a bit the Nginx config in `support/doc/production.md`, I've merged it with the template so that they stay consistent. 2018-02-14 11:11:49 +01:00			`# For example with Let's Encrypt (you need a certificate to run https)`
			`ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;`

			`# Security hardening (as of 11/02/2018)`
			`ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2`
			`ssl_prefer_server_ciphers on;`
			`ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';`
			`ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0`
			`ssl_session_timeout 10m;`
			`ssl_session_cache shared:SSL:10m;`
			`ssl_session_tickets off; # Requires nginx >= 1.5.9`
			`ssl_stapling on; # Requires nginx >= 1.3.7`
			`ssl_stapling_verify on; # Requires nginx => 1.3.7`
			`resolver $DNS-IP-1 $DNS-IP-2 valid=300s;`
			`resolver_timeout 5s;`
			`add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";`
			`add_header X-Frame-Options DENY;`
			`add_header X-Content-Type-Options nosniff;`
			`add_header X-XSS-Protection "1; mode=block";`
			`add_header X-Robots-Tag none;`

			`access_log /var/log/nginx/peertube.example.com.access.log;`
			`error_log /var/log/nginx/peertube.example.com.error.log;`
nginx optimizations 2018-01-18 17:44:13 +01:00
Precisions and security enhancements to the production guide (#287) - added precisions and suggestions about how to generate Let's Encrypt certificates. Users have reported their installations didn't work when the problem came from missing certificates (false positives). - security defaults of Nginx follow the basic robustness principle "be conservative in what you send, be liberal in what you accept", which isn't enough with modern security standards, so we should be picky with the cipher suites we use, among other things. Extra comments (especially for the TLS1.3 protocol support parameter) make the requirement of a recent Nginx installation obvious, and the downgrade alternative remains clear to the system administrator. All in all, we should aknowledge users will most often copy and paste the configuration files. Making them secure by default may force a few users to read their configuration, but on the long run we are making the fediverse more secure. Since I've come to modify a bit the Nginx config in `support/doc/production.md`, I've merged it with the template so that they stay consistent. 2018-02-14 11:11:49 +01:00			`location ^~ '/.well-known/acme-challenge' {`
			`default_type "text/plain";`
			`root /var/www/certbot;`
			`}`
Add peertube https nginx template 2016-11-25 14:20:00 +01:00
nginx optimizations 2018-01-18 17:44:13 +01:00			`location ~ ^/client/(.*\.(js\|css\|woff2\|otf\|ttf\|woff\|eot))$ {`
			`add_header Cache-Control "public, max-age=31536000, immutable";`

Peertube home in /var/www instead of /home 2018-01-23 09:00:23 +01:00			`alias /var/www/peertube/peertube-latest/client/dist/$1;`
nginx optimizations 2018-01-18 17:44:13 +01:00			`}`

Don't serve previews with nginx We need to maintain a cache in the node process 2018-01-18 18:45:27 +01:00			`location ~ ^/static/(thumbnails\|avatars)/(.*)$ {`
nginx optimizations 2018-01-18 17:44:13 +01:00			`add_header Cache-Control "public, max-age=31536000, immutable";`

Peertube home in /var/www instead of /home 2018-01-23 09:00:23 +01:00			`alias /var/www/peertube/storage/$1/$2;`
nginx optimizations 2018-01-18 17:44:13 +01:00			`}`

Add peertube https nginx template 2016-11-25 14:20:00 +01:00			`location / {`
			`proxy_pass http://localhost:9000;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`

			`# For the video upload`
Increase client_max_body_size in NGinx template 2017-10-17 11:45:53 +02:00			`client_max_body_size 2G;`
Add ability to unfollow a server 2017-11-20 11:19:23 +01:00			`proxy_connect_timeout 600;`
			`proxy_send_timeout 600;`
			`proxy_read_timeout 600;`
Precisions and security enhancements to the production guide (#287) - added precisions and suggestions about how to generate Let's Encrypt certificates. Users have reported their installations didn't work when the problem came from missing certificates (false positives). - security defaults of Nginx follow the basic robustness principle "be conservative in what you send, be liberal in what you accept", which isn't enough with modern security standards, so we should be picky with the cipher suites we use, among other things. Extra comments (especially for the TLS1.3 protocol support parameter) make the requirement of a recent Nginx installation obvious, and the downgrade alternative remains clear to the system administrator. All in all, we should aknowledge users will most often copy and paste the configuration files. Making them secure by default may force a few users to read their configuration, but on the long run we are making the fediverse more secure. Since I've come to modify a bit the Nginx config in `support/doc/production.md`, I've merged it with the template so that they stay consistent. 2018-02-14 11:11:49 +01:00			`send_timeout 600;`
Add peertube https nginx template 2016-11-25 14:20:00 +01:00			`}`

			`# Bypass PeerTube webseed route for better performances`
			`location /static/webseed {`
Remove unused webserver configuration And update nginx configuration with a rate limit 2018-01-11 10:45:06 +01:00			`# Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client`
			`limit_rate 800k;`

Add peertube https nginx template 2016-11-25 14:20:00 +01:00			`if ($request_method = 'OPTIONS') {`
			`add_header 'Access-Control-Allow-Origin' '*';`
			`add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';`
			`add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';`
			`add_header 'Access-Control-Max-Age' 1728000;`
			`add_header 'Content-Type' 'text/plain charset=UTF-8';`
			`add_header 'Content-Length' 0;`
			`return 204;`
			`}`

			`if ($request_method = 'GET') {`
			`add_header 'Access-Control-Allow-Origin' '*';`
			`add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';`
			`add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';`
nginx optimizations 2018-01-18 17:44:13 +01:00
			`# Don't spam access log file with byte range requests`
			`access_log off;`
Add peertube https nginx template 2016-11-25 14:20:00 +01:00			`}`

Peertube home in /var/www instead of /home 2018-01-23 09:00:23 +01:00			`alias /var/www/peertube/storage/videos;`
Add peertube https nginx template 2016-11-25 14:20:00 +01:00			`}`

			`# Websocket tracker`
			`location /tracker/socket {`
			`# Peers send a message to the tracker every 15 minutes`
			`# Don't close the websocket before this time`
			`proxy_read_timeout 1200s;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "upgrade";`
			`proxy_http_version 1.1;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header Host $host;`
			`proxy_pass http://localhost:9000;`
			`}`
			`}`