Complementary information
ℹ️ we're going to start with a working jail, with the network up and access to the pkg archive.
ℹ️ if you have a poudriere, DON'T USE IT. It's better to use pre-compiled packages in this case.
There is also a tutorial (in French) about how to migrate PostgreSQL to its own jail: https://adminblog.foucry.net//Migrate-postgreSQLDB-Peertube-in-jail/
Read and apply the dependencies instructions.
Please read and apply the instructions provided in the dependencies page.
Go to the production page
The main instructions are available in the production page.
Most of the instructions MUST be done before we continue with the specific instructions:
- create the peertube user
- create the database
⚠️ the command for knowing the latest available version works with bash, but not with csh, which is the default root shell on FreeBSD. We have to use a different method (the changes are very small).
set VERSION=`curl -s https://api.github.com/repos/chocobozzz/peertube/releases/latest | grep tag_name | cut -d '"' -f 4` && echo "Latest PeerTube version is $VERSION"
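As an added example (not part of the original page), the same lookup written as a POSIX sh script: a script with a `#!/bin/sh` shebang behaves the same whether root's interactive shell is csh or bash, so the version detection does not depend on which shell you happen to be in. The API response embedded below is a constructed sample with the shape of the GitHub releases answer, so the parsing function can be exercised offline; the grep/cut pipeline is the page's own and relies on the API printing one key per line.

```sh
#!/bin/sh
# Added example: detect the latest PeerTube release from a POSIX sh script,
# independent of the root shell (csh on FreeBSD).

# Constructed sample of the GitHub releases API response (only its shape matters).
SAMPLE_RELEASE='{
  "url": "https://api.github.com/repos/chocobozzz/peertube/releases/1",
  "tag_name": "v1.2.3",
  "name": "v1.2.3",
  "draft": false
}'

# Extract the tag_name value with the same grep/cut pipeline the page uses.
# Field 4 of the line  "tag_name": "v1.2.3",  split on double quotes is v1.2.3.
latest_tag() {
    printf '%s\n' "$1" | grep tag_name | cut -d '"' -f 4
}

# Network variant: only called explicitly so the script stays usable offline.
fetch_latest_tag() {
    latest_tag "$(curl -s https://api.github.com/repos/chocobozzz/peertube/releases/latest)"
}

# Run with --fetch to query GitHub; without arguments, parse the embedded sample.
if [ "${1:-}" = "--fetch" ]; then
    VERSION="$(fetch_latest_tag)"
else
    VERSION="$(latest_tag "$SAMPLE_RELEASE")"
fi
echo "Latest PeerTube version is $VERSION"
```

Save it as, for instance, /usr/local/bin/peertube-latest-version, make it executable and call it from any shell; the `--fetch` switch is the only part that needs network access.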
Then we use the command to download and extract PeerTube as visible in the production page.
PeerTube configuration
Nothing changes in this part, please read the documentation.
Webserver
⚠️ this is the most different part.
The /usr/local/etc/nginx/sites_available and /usr/local/etc/nginx/sites_enabled directories do not exist by default, we have to create them:
# mkdir /usr/local/etc/nginx/sites_{available,enabled}
Then we copy the sample nginx configuration file exactly as explained in the official documentation.
The certificate problem
We are going to suppose that you want to host several web services, each of them in a jail. It would be very difficult to maintain the Let's Encrypt certificates inside each of those jails. We let the main host deal with the certificates for ALL the jails.
Please read the dehydrated documentation in order to generate your PeerTube instance certificate.
ℹ️ I used to use certbot. My configuration is a little bit different from the dehydrated one.
ON THE HOST
We need to create an nginx configuration. I named it peertube-jail.conf and put it in the sites_available folder.
ℹ️ remember to replace example.com with your own FQDN.
ℹ️ remember to replace w.x.y.z with your jail IP address.
server {
# First, as for all webservers, we listen on port 80
listen 80;
# give our server_name
server_name peertube.example.com;
# create some logfiles
access_log /var/log/nginx/peertube_access.log;
error_log /var/log/nginx/peertube_error.log;
# redirect permanently to https ($request_uri already starts with "/",
# so no extra slash between the host and the URI)
rewrite ^ https://$server_name$request_uri permanent;
}
server {
# The https part
listen 443 ssl http2;
# The server_name again
server_name peertube.example.com;
# We use the same log files as above
access_log /var/log/nginx/peertube_access.log;
error_log /var/log/nginx/peertube_error.log;
# The "ssl" parameter of listen enables the ssl engine ("ssl on;" is deprecated
# since nginx 1.15.0 and rejected by recent releases); give it the path to the
# fullchain certificate and the private key
ssl_certificate /usr/local/etc/letsencrypt/live/peertube.example.com/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/peertube.example.com/privkey.pem;
# The root location (/) is proxied to the jail
# We add some headers and, VERY IMPORTANT, client_max_body_size
# set to 4G (the maximum size of a PeerTube video)
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://w.x.y.z/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
client_max_body_size 4G;
}
We move a part FROM the jail nginx configuration file TO the host configuration file (lines 106 to 117 of the official file):
# We also let the host deal with the websocket
# and pass it to the jail on port 9000 (the PeerTube port)
location /tracker/socket {
# Peers send a message to the tracker every 15 minutes
# Don't close the websocket before this time
proxy_read_timeout 1200s;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_pass http://w.x.y.z:9000;
}
}
Save the file, make the link to have it in the sites_enabled folder:
# ln -s /usr/local/etc/nginx/sites_available/peertube-jail.conf /usr/local/etc/nginx/sites_enabled
Check the nginx configuration (nginx does a check when restarting, but I prefer to do it before):
# nginx -t
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
If it is, you can reload the nginx configuration:
# nginx -s reload
BACK TO THE JAIL
In the jail we are going to make a lot of changes to the nginx configuration.
- remove all the SSL configuration (lines 16 to 34 of the official file):
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name peertube.example.com;
# For example with certbot (you need a certificate to run https)
ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;
# Security hardening (as of 11/02/2018)
ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0, not compatible with import-videos script
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
- remove the websocket block too (lines 106 to 117). Remember, we already moved this part into the host nginx configuration file.
# Websocket tracker
location /tracker/socket {
# Peers send a message to the tracker every 15 minutes
# Don't close the websocket before this time
proxy_read_timeout 1200s;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_pass http://localhost:9000;
}
Our nginx configuration file is now a little bit smaller and only listens on port 80. Here is mine:
server {
listen 80;
server_name peertube.example.com;
access_log /var/log/nginx/peertube.access.log;
error_log /var/log/nginx/peertube.error.log;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
location ^~ '/.well-known/acme-challenge' {
default_type "text/plain";
root /var/www/certbot;
}
location ~ ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ {
add_header Cache-Control "public, max-age=31536000, immutable";
alias /var/www/peertube/peertube-latest/client/dist/$1;
}
location ~ ^/static/(thumbnails|avatars)/(.*)$ {
add_header Cache-Control "public, max-age=31536000, immutable";
alias /var/www/peertube/storage/$1/$2;
}
location / {
proxy_pass http://localhost:9000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Hard limit, PeerTube does not support videos > 4GB
client_max_body_size 4G;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
}
# Bypass PeerTube webseed route for better performances
location /static/webseed {
# Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
limit_rate 800k;
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
if ($request_method = 'GET') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
# Don't spam access log file with byte range requests
access_log off;
}
alias /var/www/peertube/storage/videos;
}
# Websocket tracker
## Moved in host nginx config
}
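Once the TLS directives and the tracker websocket block have been moved from the jail to the host, it is easy to leave a stray `ssl_*` line in the jail or to forget the `/tracker/socket` block on the host. The POSIX sh script below is an added check, not part of the page or of PeerTube: it counts TLS directives and tracker blocks in both files and reports the first inconsistency. The two configuration excerpts embedded in it are constructed stand-ins for the real host and jail files; pass the two real paths as arguments to check them instead.

```sh
#!/bin/sh
# Added example: sanity-check the split between the jail and host nginx configs.
# The excerpts below are constructed stand-ins for the real files.
JAIL_CONF='server {
    listen 80;
    server_name peertube.example.com;
    location / {
        proxy_pass http://localhost:9000;
        client_max_body_size 4G;
    }
    # Websocket tracker
    ## Moved in host nginx config
}'

HOST_CONF='server {
    listen 443 ssl http2;
    server_name peertube.example.com;
    ssl_certificate /usr/local/etc/letsencrypt/live/peertube.example.com/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/peertube.example.com/privkey.pem;
    location /tracker/socket {
        proxy_http_version 1.1;
        proxy_pass http://w.x.y.z:9000;
    }
}'

# Number of TLS-related directives: "listen ... ssl", "ssl on" and "ssl_*".
# The pattern is anchored at the start of the line, so comments are ignored.
# grep -c exits 1 when the count is 0; "|| true" keeps the printed 0 usable.
tls_directive_count() {
    printf '%s\n' "$1" | grep -Ec '^[[:space:]]*(ssl(_[a-z_]+)?[[:space:]]|listen[[:space:]].*[[:space:]]ssl)' || true
}

# Number of websocket tracker location blocks in a config.
tracker_block_count() {
    printf '%s\n' "$1" | grep -c 'location[[:space:]]*/tracker/socket' || true
}

# Verify the split: prints "ok" and returns 0, or prints the first problem and returns 1.
check_split() {
    jail_conf="$1"
    host_conf="$2"
    if [ "$(tls_directive_count "$jail_conf")" -ne 0 ]; then
        echo "jail config still carries TLS directives"; return 1
    fi
    if [ "$(tracker_block_count "$jail_conf")" -ne 0 ]; then
        echo "jail config still carries the /tracker/socket block"; return 1
    fi
    if [ "$(tls_directive_count "$host_conf")" -lt 3 ]; then
        echo "host config lacks listen ssl / ssl_certificate / ssl_certificate_key"; return 1
    fi
    if [ "$(tracker_block_count "$host_conf")" -ne 1 ]; then
        echo "host config must carry exactly one /tracker/socket block"; return 1
    fi
    echo ok
}

# With two file paths, check the real files; otherwise run on the embedded excerpts.
if [ $# -eq 2 ]; then
    check_split "$(cat "$1")" "$(cat "$2")"
else
    check_split "$JAIL_CONF" "$HOST_CONF"
fi
```

Run it on the host as `sh check-split.sh /path/to/jail/usr/local/etc/nginx/sites_available/peertube.conf /usr/local/etc/nginx/sites_available/peertube-jail.conf` (the jail file name is whatever you kept from the official configuration), then still finish with `nginx -t` on both sides, since this script only checks that the blocks landed in the right file, not that nginx accepts them.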
Last words
Be sure to save and keep your configuration files, a PeerTube update could overwrite them.
Thanks
Thanks to Chocobozzz who created PeerTube, to Framasoft for being part of PeerTube's popularity, to the friends who helped me understand some tricky points of jail networking, and to the proofreaders.
If you find this documentation useful, please make a donation to Framasoft.