]> git.immae.eu Git - github/Chocobozzz/PeerTube.git/blob - support/nginx/peertube
projects / github / Chocobozzz / PeerTube.git / blob
? search:


25c786a86e04c26edd871e2104e4553852f593f9
[github/Chocobozzz/PeerTube.git] / support / nginx / peertube
1 # Minimum Nginx version required: 1.13.0 (released Apr 25, 2017)
2
3 # Uncomment in production to redirect HTTP to HTTPS. Leave commented for docker-compose.
4 #server {
5 # listen 80;
6 # listen [::]:80;
7 # server_name ${WEBSERVER_HOST};
8 #
9 # location /.well-known/acme-challenge/ {
10 # default_type "text/plain";
11 # root /var/www/certbot;
12 # }
13 # location / { return 301 https://$host$request_uri; }
14 #}
15
16 upstream backend {
17 server ${PEERTUBE_HOST};
18 }
19
20 server {
21 listen 443 ssl http2;
22 listen [::]:443 ssl http2;
23 server_name ${WEBSERVER_HOST};
24
25 access_log /var/log/nginx/peertube.access.log; # reduce I/0 with buffer=10m flush=5m
26 error_log /var/log/nginx/peertube.error.log;
27
28 ##
29 # Certificates
30 # you need a certificate to run in production. see https://letsencrypt.org/
31 ##
32 ssl_certificate /etc/letsencrypt/live/peertube/fullchain.pem;
33 ssl_certificate_key /etc/letsencrypt/live/peertube/privkey.pem;
34
35 location ^~ '/.well-known/acme-challenge' {
36 default_type "text/plain";
37 root /var/www/certbot;
38 }
39
40 ##
41 # Security hardening (as of Nov 15, 2020)
42 # based on Mozilla Guideline v5.6
43 ##
44
45 ssl_protocols TLSv1.2 TLSv1.3;
46 ssl_prefer_server_ciphers on;
47 ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
48 ssl_session_timeout 1d; # defaults to 5m
49 ssl_session_cache shared:SSL:10m; # estimated to 40k sessions
50 ssl_session_tickets off;
51 ssl_stapling on;
52 ssl_stapling_verify on;
53 # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
54 #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
55
56 ##
57 # Application
58 ##
59
60 location / {
61 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
62 proxy_set_header Host $host;
63 proxy_set_header X-Real-IP $remote_addr;
64
65 # This is the maximum upload size, which roughly matches the maximum size of a video file
66 # you can send via the API or the web interface. By default this is 8GB, but administrators
67 # can increase or decrease the limit. Currently there's no way to communicate this limit
68 # to users automatically, so you may want to leave a note in your instance 'about' page if
69 # you change this.
70 #
71 # Note that temporary space is needed equal to the total size of all concurrent uploads.
72 # This data gets stored in /var/lib/nginx by default, so you may want to put this directory
73 # on a dedicated filesystem.
74 client_max_body_size 8G;
75
76 proxy_connect_timeout 600s;
77 proxy_send_timeout 600s;
78 proxy_read_timeout 600s;
79 send_timeout 600s;
80
81 proxy_pass http://backend;
82 }
83
84 ##
85 # Websocket
86 ##
87
88 location /tracker/socket {
89 proxy_http_version 1.1;
90 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
91 proxy_set_header Host $host;
92 proxy_set_header X-Real-IP $remote_addr;
93 proxy_set_header Upgrade $http_upgrade;
94 proxy_set_header Connection "upgrade";
95
96 # Peers send a message to the tracker every 15 minutes
97 # Don't close the websocket before then
98 proxy_read_timeout 1200s; # default is 60s
99
100 proxy_pass http://backend;
101 }
102
103 location /socket.io {
104 proxy_http_version 1.1;
105 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
106 proxy_set_header Host $host;
107 proxy_set_header X-Real-IP $remote_addr;
108 proxy_set_header Upgrade $http_upgrade;
109 proxy_set_header Connection "upgrade";
110
111 proxy_pass http://backend;
112 }
113
114 ##
115 # Performance optimizations
116 # For extra performance please refer to https://github.com/denji/nginx-tuning
117 ##
118
119 root /var/www/peertube/storage;
120
121 # Enable compression for JS/CSS/HTML, for improved client load times.
122 # It might be nice to compress JSON/XML as returned by the API, but
123 # leaving that out to protect against potential BREACH attack.
124 gzip on;
125 gzip_vary on;
126 gzip_types # text/html is always compressed by HttpGzipModule
127 text/css
128 application/javascript
129 font/truetype
130 font/opentype
131 application/vnd.ms-fontobject
132 image/svg+xml;
133 gzip_min_length 1000; # default is 20 bytes
134 gzip_buffers 16 8k;
135 gzip_comp_level 2; # default is 1
136
137 client_body_timeout 30s; # default is 60
138 client_header_timeout 10s; # default is 60
139 send_timeout 10s; # default is 60
140 keepalive_timeout 10s; # default is 75
141 resolver_timeout 10s; # default is 30
142 reset_timedout_connection on;
143
144 tcp_nopush on; # send headers in one piece
145 tcp_nodelay on; # don't buffer data sent, good for small data bursts in real time
146
147 open_file_cache max=2000 inactive=5m; # default is no cache
148 open_file_cache_valid 2m; # default is 60s
149 open_file_cache_min_uses 2; # default is 1
150 open_file_cache_errors on;
151
152 # If you have a small /var/lib partition, it could be interesting to store temp nginx uploads in a different place
153 # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
154 #client_body_temp_path /var/www/peertube/storage/nginx/;
155
156 # Bypass PeerTube for performance reasons. Could be removed
157 # Should be consistent with client-overrides assets list in /server/controllers/client.ts
158 location ~ ^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png))$ {
159 add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
160
161 try_files /client-overrides/$1 $uri;
162 }
163
164 # Bypass PeerTube for performance reasons. Optional.
165 location ~ ^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$ {
166 add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
167
168 alias /var/www/peertube/peertube-latest/client/dist/$1;
169 }
170
171 # Bypass PeerTube for performance reasons. Optional.
172 location ~ ^/static/(thumbnails|avatars)/ {
173 if ($request_method = 'OPTIONS') {
174 add_header 'Access-Control-Allow-Origin' '*';
175 add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
176 add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
177 add_header 'Access-Control-Max-Age' 1728000; # Preflight request can be cached 20 days
178 add_header 'Content-Type' 'text/plain charset=UTF-8';
179 add_header 'Content-Length' 0;
180 return 204;
181 }
182
183 add_header 'Access-Control-Allow-Origin' '*';
184 add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
185 add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
186 add_header Cache-Control "public, max-age=7200"; # Cache response 2 hours
187
188 rewrite ^/static/(.*)$ /$1 break;
189
190 try_files $uri /;
191 }
192
193 # Bypass PeerTube for performance reasons. Optional.
194 location ~ ^/static/(webseed|redundancy|streaming-playlists)/ {
195 limit_rate_after 5M;
196
197 # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
198 set $peertube_limit_rate 800k;
199
200 # Increase rate limit in HLS mode, because we don't have multiple simultaneous connections
201 if ($request_uri ~ -fragmented.mp4$) {
202 set $peertube_limit_rate 5M;
203 }
204
205 # Use this line with nginx >= 1.17.0
206 #limit_rate $peertube_limit_rate;
207 # Or this line if your nginx < 1.17.0
208 set $limit_rate $peertube_limit_rate;
209
210 if ($request_method = 'OPTIONS') {
211 add_header 'Access-Control-Allow-Origin' '*';
212 add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
213 add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
214 add_header 'Access-Control-Max-Age' 1728000; # Preflight request can be cached 20 days
215 add_header 'Content-Type' 'text/plain charset=UTF-8';
216 add_header 'Content-Length' 0;
217 return 204;
218 }
219
220 if ($request_method = 'GET') {
221 add_header 'Access-Control-Allow-Origin' '*';
222 add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
223 add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
224
225 # Don't spam access log file with byte range requests
226 access_log off;
227 }
228
229 # Enabling the sendfile directive eliminates the step of copying the data into the buffer
230 # and enables direct copying data from one file descriptor to another.
231 sendfile on;
232 sendfile_max_chunk 1M; # prevent one fast connection from entirely occupying the worker process. should be > 800k.
233 aio threads;
234
235 # Use this in tandem with fuse-mounting i.e. https://docs.joinpeertube.org/#/admin-remote-storage
236 # to serve files directly from a public bucket without proxying.
237 # Assumes you have buckets named after the storage subdirectories, i.e. 'videos', 'redundancy', etc.
238 #set $cdn <your S3-compatiable bucket public url mounted via fuse>;
239 #rewrite ^/static/webseed/(.*)$ $cdn/videos/$1 redirect;
240 #rewrite ^/static/(.*)$ $cdn/$1 redirect;
241 rewrite ^/static/webseed/(.*)$ /videos/$1 break;
242 rewrite ^/static/(.*)$ /$1 break;
243
244 try_files $uri /;
245 }
246 }
ActivityPub-federated video streaming platform using P2P directly in your web browser