Replace `[peertube-domain]` with the domain for the peertube server.
```
-$ sudo sed -i 's/peertube.example.com/[peertube-domain]/g' /etc/nginx/sites-available/peertube
+$ sudo sed -i 's/${WEBSERVER_HOST}/[peertube-domain]/g' /etc/nginx/sites-available/peertube
+$ sudo sed -i 's/${PEERTUBE_HOST}/localhost:9000/g' /etc/nginx/sites-available/peertube
```
Then modify the webserver configuration file. Please pay attention to the `alias` keys of the static locations.
VOLUME /data
VOLUME /config
-COPY ./support/docker/production/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
-ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
+COPY ./support/docker/production/entrypoint.sh /usr/local/bin/entrypoint.sh
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
# Run the application
CMD ["npm", "start"]
--- /dev/null
+FROM nginx:alpine
+
+COPY entrypoint.nginx.sh .
+RUN chmod +x entrypoint.nginx.sh
+
+EXPOSE 80
+ENTRYPOINT []
+CMD ["/bin/sh", "entrypoint.nginx.sh"]
\ No newline at end of file
#
# Required
#
- entryPoint = "http"
+ entryPoint = "http"
\ No newline at end of file
services:
+ # The reverse-proxy only does SSL termination and automatic certificate generation. You can
+ # replace it with any other reverse-proxy, in which case you can remove 'traefik.*' labels.
reverse-proxy:
image: traefik:v1.7
network_mode: "host"
command:
- - "--docker" # Tells Træfik to listen to docker
- - "--acme.email=${TRAEFIK_ACME_EMAIL}" # Let's Encrypt ACME email
- - "--acme.domains=${TRAEFIK_ACME_DOMAINS}" # Let's Encrypt ACME domain list
+ - "--docker" # Tells Træfik to listen to docker
+ - "--acme.email=${TRAEFIK_ACME_EMAIL}" # Let's Encrypt ACME email
+ - "--acme.domains=${TRAEFIK_ACME_DOMAINS}" # Let's Encrypt ACME domain list
ports:
- - "80:80" # The HTTP port
- - "443:443" # The HTTPS port
+ - "80:80" # The HTTP port
+ - "443:443" # The HTTPS port
volumes:
- - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
+ - /var/run/docker.sock:/var/run/docker.sock # So that Træfik can listen to the Docker events
- ./docker-volume/traefik/acme.json:/etc/acme.json
- ./docker-volume/traefik/traefik.toml:/traefik.toml
restart: "always"
- # If you want to use the Traefik dashboard, you should expose it on a
- # subdomain with HTTPS and authentification:
- # https://medium.com/@xavier.priour/secure-traefik-dashboard-with-https-and-password-in-docker-5b657e2aa15f
- # https://github.com/containous/traefik/issues/880#issuecomment-310301168
- peertube:
- # If you don't want to use the official image and build one from sources
- # build:
- # context: .
- # dockerfile: ./support/docker/production/Dockerfile.buster
- image: chocobozzz/peertube:production-buster
+ # The webserver is not required, but recommended since a lot of optimizations went to its
+ # nginx configuration file. It runs the default nginx configuration without HTTPS nor SSL,
+ # so use it in production in tandem with an SSL-terminating reverse-proxy like above.
+ webserver:
+ build:
+ context: .
+ dockerfile: Dockerfile.nginx
env_file:
- .env
- # Traefik labels are suggested as an example for people using Traefik,
- # remove them if you are using another reverse proxy.
+ # If you provide your own reverse-proxy, otherwise not suitable for production:
+ #ports:
+ # - "80:80"
+ volumes:
+ - type: bind
+ # Switch sources if you downloaded the nginx configuration without the whole repository
+ #source: ./peertube
+ source: ../../nginx/peertube
+ target: /etc/nginx/conf.d/peertube.template
+ - assets:/var/www/peertube/peertube-latest/client/dist:ro
+ - ./docker-volume/data:/var/www/peertube/storage
+ depends_on:
+ - peertube
+ restart: "always"
labels:
traefik.enable: "true"
traefik.frontend.rule: "Host:${PEERTUBE_WEBSERVER_HOSTNAME}"
- traefik.port: "9000"
- # If you don't want to use a reverse proxy (not suitable for production!)
- # ports:
- # - "80:9000"
+ traefik.port: "80"
+
+ peertube:
+ # If you don't want to use the official image and build one from sources:
+ #build:
+ # context: .
+ # dockerfile: ./support/docker/production/Dockerfile.buster
+ image: chocobozzz/peertube:production-buster
+ env_file:
+ - .env
+ # If you provide your own webserver and reverse-proxy, otherwise not suitable for production:
+ #ports:
+ # - "80:9000"
volumes:
+ - assets:/app/client/dist
- ./docker-volume/data:/data
- ./docker-volume/config:/config
depends_on:
- redis
- postfix
restart: "always"
+ labels:
+ traefik.enable: "false"
postgres:
image: postgres:10-alpine
traefik.enable: "false"
redis:
- image: redis:4-alpine
+ image: redis:5-alpine
volumes:
- ./docker-volume/redis:/data
restart: "always"
driver: default
config:
- subnet: 172.18.0.0/16
+
+volumes:
+ assets:
--- /dev/null
+#!/bin/sh
+set -e
+
+# Process nginx template
+SOURCE="/etc/nginx/conf.d/peertube.template"
+TARGET="/etc/nginx/conf.d/default.conf"
+export WEBSERVER_HOST="default_server"
+export PEERTUBE_HOST="peertube:9000"
+
+envsubst '${WEBSERVER_HOST} ${PEERTUBE_HOST}' < $SOURCE > $TARGET
+
+# Remove HTTPS/SSL from nginx conf
+sed -i 's/443 ssl http2/80/g;/ssl_/d' $TARGET
+
+cat $TARGET
+
+nginx -g "daemon off;"
\ No newline at end of file
-server {
- listen 80;
- listen [::]:80;
- server_name peertube.example.com;
-
- access_log /var/log/nginx/peertube.example.com.access.log;
- error_log /var/log/nginx/peertube.example.com.error.log;
-
- location /.well-known/acme-challenge/ {
- default_type "text/plain";
- root /var/www/certbot;
- }
- location / { return 301 https://$host$request_uri; }
-}
+# Uncomment in production to redirect HTTP to HTTPS. Leave commented for docker-compose.
+#server {
+# listen 80;
+# listen [::]:80;
+# server_name ${WEBSERVER_HOST};
+#
+# location /.well-known/acme-challenge/ {
+# default_type "text/plain";
+# root /var/www/certbot;
+# }
+# location / { return 301 https://$host$request_uri; }
+#}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
- server_name peertube.example.com;
+ server_name ${WEBSERVER_HOST};
# For example with certbot (you need a certificate to run https)
- ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/${WEBSERVER_HOST}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem;
# Security hardening (as of 11/02/2018)
ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
# See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
# client_body_temp_path /var/www/peertube/storage/nginx/;
- access_log /var/log/nginx/peertube.example.com.access.log;
- error_log /var/log/nginx/peertube.example.com.error.log;
+ access_log /var/log/nginx/${WEBSERVER_HOST}.access.log;
+ error_log /var/log/nginx/${WEBSERVER_HOST}.error.log;
location ^~ '/.well-known/acme-challenge' {
default_type "text/plain";
}
location / {
- proxy_pass http://127.0.0.1:9000;
+ proxy_pass http://${PEERTUBE_HOST};
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
- proxy_pass http://127.0.0.1:9000;
+ proxy_pass http://${PEERTUBE_HOST};
}
location /socket.io {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
- proxy_pass http://127.0.0.1:9000;
+ proxy_pass http://${PEERTUBE_HOST};
# enable WebSockets
proxy_http_version 1.1;
projects / github / Chocobozzz / PeerTube.git / commitdiff
