Don't cache embed HTML file

[github/Chocobozzz/PeerTube.git] / support / nginx / peertube
diff --git a/support/nginx/peertube b/support/nginx/peertube

index aca9857858ea459b02eb1fa103faebfe69052db7..a17868c5a6563c32adcb2d1779459effca5b57d8 100644 (file)
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -25,13 +25,16 @@ server {
    # Security hardening (as of 11/02/2018)
    ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
    ssl_prefer_server_ciphers on;
-  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+  # Remove ECDHE-RSA-AES256-SHA if you don't want compatibility with Android 4
+  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA';
    # ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0, not compatible with import-videos script
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx => 1.3.7
+  # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
+  #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
  
    # Configure with your resolvers
    # resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
@@ -44,11 +47,9 @@ server {
    gzip_types text/css application/javascript;
    gzip_vary on;
  
-  # Enable HSTS
-  # Tells browsers to stick with HTTPS and never visit the insecure HTTP
-  # version. Once a browser sees this header, it will only visit the site over
-  # HTTPS for the next 2 years: (read more on hstspreload.org)
-  #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+  # If you have a small /var/lib partition, it could be interesting to store temp nginx uploads in a different place
+  # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
+  # client_body_temp_path /var/www/peertube/storage/nginx/;
  
    access_log /var/log/nginx/peertube.example.com.access.log;
    error_log /var/log/nginx/peertube.example.com.error.log;
@@ -91,7 +92,7 @@ server {
    }
  
    location / {
-    proxy_pass http://localhost:9000;
+    proxy_pass http://127.0.0.1:9000;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -115,9 +116,20 @@ server {
    }
  
    # Bypass PeerTube for performance reasons. Could be removed
-  location ~ ^/static/(webseed|redundancy)/ {
+  location ~ ^/static/(webseed|redundancy|streaming-playlists)/ {
      # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
-    limit_rate 800k;
+    set $peertube_limit_rate 800k;
+
+    # Increase rate limit in HLS mode, because we don't have multiple simultaneous connections
+    if ($request_uri ~ -fragmented.mp4$) {
+      set $peertube_limit_rate 5000k;
+    }
+
+    # Use this with nginx >= 1.17.0
+    # limit_rate $peertube_limit_rate;
+    # Or this if your nginx < 1.17.0
+    set $limit_rate $peertube_limit_rate;
+    limit_rate_after 5000k;
  
      if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' '*';
@@ -140,8 +152,17 @@ server {
  
      root /var/www/peertube/storage;
  
+    # Use this in tandem with fuse-mounting i.e. https://docs.joinpeertube.org/#/admin-remote-storage
+    # to serve files directly from a public bucket without proxying.
+    # Assumes you have buckets named after the storage subdirectories, i.e. 'videos', 'redundancy', etc.
+    #set $cdn <your S3-compatiable bucket public url mounted via fuse>;
+    #rewrite ^/static/webseed/(.*)$ $cdn/videos/$1 redirect;
+    #rewrite ^/static/redundancy/(.*)$ $cdn/redundancy/$1 redirect;
+    #rewrite ^/static/streaming-playlists/(.*)$ $cdn/streaming-playlists/$1 redirect;
+
      rewrite ^/static/webseed/(.*)$ /videos/$1 break;
      rewrite ^/static/redundancy/(.*)$ /redundancy/$1 break;
+    rewrite ^/static/streaming-playlists/(.*)$ /streaming-playlists/$1 break;
  
      try_files $uri /;
    }
@@ -156,14 +177,14 @@ server {
      proxy_http_version 1.1;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $host;
-    proxy_pass http://localhost:9000;
+    proxy_pass http://127.0.0.1:9000;
    }
  
    location /socket.io {
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $host;
  
-    proxy_pass http://localhost:9000;
+    proxy_pass http://127.0.0.1:9000;
  
      # enable WebSockets
      proxy_http_version 1.1;