Try to improve production guide

author: Chocobozzz <me@florianbigard.com> 2018-02-16 11:04:12 +0100
committer: Chocobozzz <me@florianbigard.com> 2018-02-16 11:04:12 +0100
commit: 0b4957126899975f603038501337421f84bcb3e4 (patch)
tree: 1bbd2b44b4baa81516c4cfda7f0f119fb26b162c
parent: 63ce5a54f24ec0d184f321e9f46dcda7c0d19325 (diff)
download: PeerTube-0b4957126899975f603038501337421f84bcb3e4.tar.gz
PeerTube-0b4957126899975f603038501337421f84bcb3e4.tar.zst
PeerTube-0b4957126899975f603038501337421f84bcb3e4.zip
4 files changed, 29 insertions, 160 deletions
diff --git a/client/src/app/app.component.html b/client/src/app/app.component.html
index 3a7aedac6..eda7cc4b6 100644
--- a/client/src/app/app.component.html
+++ b/client/src/app/app.component.html
@@ -28,7 +28,7 @@
      <footer class="row">
        <a href="https://github.com/Chocobozzz/PeerTube" title="PeerTube on Github">PeerTube v{{ serverVersion }}</a> -
-        <a href="https://github.com/Chocobozzz/PeerTube/blob/develop/LICENSE" title="PeerTube licence">CopyLeft 2015-2017</a>
+        <a href="https://github.com/Chocobozzz/PeerTube/blob/develop/LICENSE" title="PeerTube licence">CopyLeft 2015-2018</a>
      </footer>
    </div>
  </div>
diff --git a/server/tests/utils/server/clients.ts b/server/tests/utils/server/clients.ts
index a8c5b51c5..273aac747 100644
--- a/server/tests/utils/server/clients.ts
+++ b/server/tests/utils/server/clients.ts
@@ -1,10 +1,12 @@
 import * as request from 'supertest'
+import * as urlUtil from 'url'
 function getClient (url: string) {
  const path = '/api/v1/oauth-clients/local'
  return request(url)
          .get(path)
+          .set('Host', urlUtil.parse(url).host)
          .set('Accept', 'application/json')
          .expect(200)
          .expect('Content-Type', /json/)
diff --git a/support/doc/production.md b/support/doc/production.md
index 06a51dedf..fc2bd460a 100644
--- a/support/doc/production.md
+++ b/support/doc/production.md
@@ -85,139 +85,24 @@ It should correspond to the paths of your storage directories (set in the config
 $ sudo vim /etc/nginx/sites-available/peertube
 ```
-Your Mileage May Vary, but what follows is an example of configuration for nginx with a certificate made via `certbot` ([other utilities exist](https://letsencrypt.org/docs/client-options/)):
+Activate the configuration file:
-```
+```
-server {
+$ sudo ln -s /etc/nginx/sites-available/peertube /etc/nginx/sites-enabled/peertube
-  listen 80;
+```
-  listen [::]:80;
-  server_name peertube.example.com;
+To generate the certificate for your domain as required to make https work you can use [Let's Encrypt](https://letsencrypt.org/):
-  access_log /var/log/nginx/peertube.example.com.access.log;
+```
-  error_log /var/log/nginx/peertube.example.com.error.log;
+$ sudo systemctl stop nginx
+$ sudo certbot --authenticator standalone --installer nginx --post-hook "systemctl start nginx"
-  rewrite ^ https://$server_name$request_uri? permanent;
-}
-server {
-  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
-  server_name peertube.example.com;
-  # For example with Let's Encrypt (you need a certificate to run https)
-  ssl_certificate      /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
-  ssl_certificate_key  /etc/letsencrypt/live/peertube.example.com/privkey.pem;
-  
-  # Security hardening (as of 11/02/2018)
-  ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2
-  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-  ssl_prefer_server_ciphers on;
-  ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
-  ssl_session_timeout  10m;
-  ssl_session_cache shared:SSL:10m;
-  ssl_session_tickets off; # Requires nginx >= 1.5.9
-  ssl_stapling on; # Requires nginx >= 1.3.7
-  ssl_stapling_verify on; # Requires nginx => 1.3.7
-  resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
-  resolver_timeout 5s;
-  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
-  add_header X-Frame-Options DENY;
-  add_header X-Content-Type-Options nosniff;
-  add_header X-XSS-Protection "1; mode=block";
-  add_header X-Robots-Tag none;
-  
-  access_log /var/log/nginx/peertube.example.com.access.log;
-  error_log /var/log/nginx/peertube.example.com.error.log;
-  location ^~ '/.well-known/acme-challenge' {
-    default_type "text/plain";
-    root /var/www/certbot;
-  }
-  location ~ ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ {
-    add_header Cache-Control "public, max-age=31536000, immutable";
-    alias /var/www/peertube/peertube-latest/client/dist/$1;
-  }
-  location ~ ^/static/(thumbnails|avatars)/(.*)$ {
-    add_header Cache-Control "public, max-age=31536000, immutable";
-    alias /var/www/peertube/storage/$1/$2;
-  }
-  location / {
-    proxy_pass http://localhost:9000;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header Host $host;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    # For the video upload
-    client_max_body_size 2G;
-    proxy_connect_timeout       600;
-    proxy_send_timeout          600;
-    proxy_read_timeout          600;
-    send_timeout                600;
-  }
-  # Bypass PeerTube webseed route for better performances
-  location /static/webseed {
-    # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
-    limit_rate 800k;
-    
-    if ($request_method = 'OPTIONS') {
-      add_header 'Access-Control-Allow-Origin' '*';
-      add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
-      add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
-      add_header 'Access-Control-Max-Age' 1728000;
-      add_header 'Content-Type' 'text/plain charset=UTF-8';
-      add_header 'Content-Length' 0;
-      return 204;
-    }
-    if ($request_method = 'GET') {
-      add_header 'Access-Control-Allow-Origin' '*';
-      add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
-      add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
-      # Don't spam access log file with byte range requests
-      access_log off;
-    }
-    alias /var/www/peertube/storage/videos;
-  }
-  # Websocket tracker
-  location /tracker/socket {
-    # Peers send a message to the tracker every 15 minutes
-    # Don't close the websocket before this time
-    proxy_read_timeout 1200s;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection "upgrade";
-    proxy_http_version 1.1;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header Host $host;
-    proxy_pass http://localhost:9000;
-  }
-}
-```
-To generate the certificate for your domain as required to make https work, you have two alternatives (note that the second command modifies itself the Nginx configuration to point the concerned server blocks to its certificate):
-```
-$ sudo certbot --authenticator standalone certonly -d peertube.example.com && nginx -t && systemctl reload nginx
-```
-```
-$ sudo certbot --authenticator standalone --installer nginx --post-hook "nginx -t && systemctl reload nginx"
 ```
 Remember your certificate will expire in 90 days, and thus needs renewal.
-Activate the configuration file:
+Now you have the certificates you can reload nginx:
 ```
-$ sudo ln -s /etc/nginx/sites-available/peertube /etc/nginx/sites-enabled/peertube
 $ sudo systemctl reload nginx
 ```
@@ -235,30 +120,6 @@ Update the service file:
 $ sudo vim /etc/systemd/system/peertube.service
 ```
-It should look like this:
-```
-[Unit]
-Description=PeerTube daemon
-After=network.target
-[Service]
-Type=simple
-Environment=NODE_ENV=production
-Environment=NODE_CONFIG_DIR=/var/www/peertube/config
-User=peertube
-Group=peertube
-ExecStart=/usr/bin/npm start
-WorkingDirectory=/var/www/peertube/peertube-latest
-StandardOutput=syslog
-StandardError=syslog
-SyslogIdentifier=peertube
-Restart=always
-[Install]
-WantedBy=multi-user.target
-```
 Tell systemd to reload its config:
diff --git a/support/nginx/peertube b/support/nginx/peertube
index 6a076a8f8..1aa6108cc 100644
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -6,7 +6,10 @@ server {
  access_log /var/log/nginx/peertube.example.com.access.log;
  error_log /var/log/nginx/peertube.example.com.error.log;
-  location /.well-known/acme-challenge/ { allow all; }
+  location /.well-known/acme-challenge/ {
+    default_type "text/plain";
+    root /var/www/certbot;
+  }
  location / { return 301 https://$host$request_uri; }
 }
@@ -15,12 +18,12 @@ server {
  listen [::]:443 ssl http2;
  server_name peertube.example.com;
-  # For example with Let's Encrypt (you need a certificate to run https)
+  # For example with certbot (you need a certificate to run https)
  ssl_certificate      /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/peertube.example.com/privkey.pem;
-  
  # Security hardening (as of 11/02/2018)
-  ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2
+  ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
  ssl_prefer_server_ciphers on;
  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
@@ -29,8 +32,11 @@ server {
  ssl_session_tickets off; # Requires nginx >= 1.5.9
  ssl_stapling on; # Requires nginx >= 1.3.7
  ssl_stapling_verify on; # Requires nginx => 1.3.7
-  resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
-  resolver_timeout 5s;
+  # Configure with your resolvers
+  # resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
+  # resolver_timeout 5s;
  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
@@ -63,8 +69,8 @@ server {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    # For the video upload
+    # Hard limit, PeerTube does not support videos > 4GB
-    client_max_body_size 2G;
+    client_max_body_size 4G;
    proxy_connect_timeout       600;
    proxy_send_timeout          600;
    proxy_read_timeout          600;
author	Chocobozzz <me@florianbigard.com>	2018-02-16 11:04:12 +0100
committer	Chocobozzz <me@florianbigard.com>	2018-02-16 11:04:12 +0100
commit	0b4957126899975f603038501337421f84bcb3e4 (patch)
tree	1bbd2b44b4baa81516c4cfda7f0f119fb26b162c
parent	63ce5a54f24ec0d184f321e9f46dcda7c0d19325 (diff)
download	PeerTube-0b4957126899975f603038501337421f84bcb3e4.tar.gz PeerTube-0b4957126899975f603038501337421f84bcb3e4.tar.zst PeerTube-0b4957126899975f603038501337421f84bcb3e4.zip

diff --git a/client/src/app/app.component.html b/client/src/app/app.component.html index 3a7aedac6..eda7cc4b6 100644 --- a/client/src/app/app.component.html +++ b/client/src/app/app.component.html
@@ -28,7 +28,7 @@
28		28
29	<footer class="row">	29	<footer class="row">
30	<a href="https://github.com/Chocobozzz/PeerTube" title="PeerTube on Github">PeerTube v{{ serverVersion }}</a> -	30	<a href="https://github.com/Chocobozzz/PeerTube" title="PeerTube on Github">PeerTube v{{ serverVersion }}</a> -
31	<a href="https://github.com/Chocobozzz/PeerTube/blob/develop/LICENSE" title="PeerTube licence">CopyLeft 2015-2017</a>	31	<a href="https://github.com/Chocobozzz/PeerTube/blob/develop/LICENSE" title="PeerTube licence">CopyLeft 2015-2018</a>
32	</footer>	32	</footer>
33	</div>	33	</div>
34	</div>	34	</div>


diff --git a/server/tests/utils/server/clients.ts b/server/tests/utils/server/clients.ts index a8c5b51c5..273aac747 100644 --- a/server/tests/utils/server/clients.ts +++ b/server/tests/utils/server/clients.ts
@@ -1,10 +1,12 @@
1	import * as request from 'supertest'	1	import * as request from 'supertest'
		2	import * as urlUtil from 'url'
2		3
3	function getClient (url: string) {	4	function getClient (url: string) {
4	const path = '/api/v1/oauth-clients/local'	5	const path = '/api/v1/oauth-clients/local'
5		6
6	return request(url)	7	return request(url)
7	.get(path)	8	.get(path)
		9	.set('Host', urlUtil.parse(url).host)
8	.set('Accept', 'application/json')	10	.set('Accept', 'application/json')
9	.expect(200)	11	.expect(200)
10	.expect('Content-Type', /json/)	12	.expect('Content-Type', /json/)


diff --git a/support/doc/production.md b/support/doc/production.md index 06a51dedf..fc2bd460a 100644 --- a/support/doc/production.md +++ b/support/doc/production.md
@@ -85,139 +85,24 @@ It should correspond to the paths of your storage directories (set in the config
85	$ sudo vim /etc/nginx/sites-available/peertube	85	$ sudo vim /etc/nginx/sites-available/peertube
86	```	86	```
87		87
88	Your Mileage May Vary, but what follows is an example of configuration for nginx with a certificate made via `certbot` ([other utilities exist](https://letsencrypt.org/docs/client-options/)):	88	Activate the configuration file:
89		89
90	```	90	```
91	server {	91	$ sudo ln -s /etc/nginx/sites-available/peertube /etc/nginx/sites-enabled/peertube
92	listen 80;	92	```
93	listen [::]:80;	93
94	server_name peertube.example.com;	94	To generate the certificate for your domain as required to make https work you can use [Let's Encrypt](https://letsencrypt.org/):
95		95
96	access_log /var/log/nginx/peertube.example.com.access.log;	96	```
97	error_log /var/log/nginx/peertube.example.com.error.log;	97	$ sudo systemctl stop nginx
98		98	$ sudo certbot --authenticator standalone --installer nginx --post-hook "systemctl start nginx"
99	rewrite ^ https://$server_name$request_uri? permanent;
100	}
101
102	server {
103	listen 443 ssl http2;
104	listen [::]:443 ssl http2;
105	server_name peertube.example.com;
106
107	# For example with Let's Encrypt (you need a certificate to run https)
108	ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
109	ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;
110
111	# Security hardening (as of 11/02/2018)
112	ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2
113	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
114	ssl_prefer_server_ciphers on;
115	ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
116	ssl_session_timeout 10m;
117	ssl_session_cache shared:SSL:10m;
118	ssl_session_tickets off; # Requires nginx >= 1.5.9
119	ssl_stapling on; # Requires nginx >= 1.3.7
120	ssl_stapling_verify on; # Requires nginx => 1.3.7
121	resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
122	resolver_timeout 5s;
123	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
124	add_header X-Frame-Options DENY;
125	add_header X-Content-Type-Options nosniff;
126	add_header X-XSS-Protection "1; mode=block";
127	add_header X-Robots-Tag none;
128
129	access_log /var/log/nginx/peertube.example.com.access.log;
130	error_log /var/log/nginx/peertube.example.com.error.log;
131
132	location ^~ '/.well-known/acme-challenge' {
133	default_type "text/plain";
134	root /var/www/certbot;
135	}
136
137	location ~ ^/client/(.*\.(js\|css\|woff2\|otf\|ttf\|woff\|eot))$ {
138	add_header Cache-Control "public, max-age=31536000, immutable";
139
140	alias /var/www/peertube/peertube-latest/client/dist/$1;
141	}
142
143	location ~ ^/static/(thumbnails\|avatars)/(.*)$ {
144	add_header Cache-Control "public, max-age=31536000, immutable";
145
146	alias /var/www/peertube/storage/$1/$2;
147	}
148
149	location / {
150	proxy_pass http://localhost:9000;
151	proxy_set_header X-Real-IP $remote_addr;
152	proxy_set_header Host $host;
153	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
154
155	# For the video upload
156	client_max_body_size 2G;
157	proxy_connect_timeout 600;
158	proxy_send_timeout 600;
159	proxy_read_timeout 600;
160	send_timeout 600;
161	}
162
163	# Bypass PeerTube webseed route for better performances
164	location /static/webseed {
165	# Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
166	limit_rate 800k;
167
168	if ($request_method = 'OPTIONS') {
169	add_header 'Access-Control-Allow-Origin' '*';
170	add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
171	add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
172	add_header 'Access-Control-Max-Age' 1728000;
173	add_header 'Content-Type' 'text/plain charset=UTF-8';
174	add_header 'Content-Length' 0;
175	return 204;
176	}
177
178	if ($request_method = 'GET') {
179	add_header 'Access-Control-Allow-Origin' '*';
180	add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
181	add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
182
183	# Don't spam access log file with byte range requests
184	access_log off;
185	}
186
187	alias /var/www/peertube/storage/videos;
188	}
189
190	# Websocket tracker
191	location /tracker/socket {
192	# Peers send a message to the tracker every 15 minutes
193	# Don't close the websocket before this time
194	proxy_read_timeout 1200s;
195	proxy_set_header Upgrade $http_upgrade;
196	proxy_set_header Connection "upgrade";
197	proxy_http_version 1.1;
198	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
199	proxy_set_header Host $host;
200	proxy_pass http://localhost:9000;
201	}
202	}
203	```
204
205	To generate the certificate for your domain as required to make https work, you have two alternatives (note that the second command modifies itself the Nginx configuration to point the concerned server blocks to its certificate):
206
207	```
208	$ sudo certbot --authenticator standalone certonly -d peertube.example.com && nginx -t && systemctl reload nginx
209	```
210
211	```
212	$ sudo certbot --authenticator standalone --installer nginx --post-hook "nginx -t && systemctl reload nginx"
213	```	99	```
214		100
215	Remember your certificate will expire in 90 days, and thus needs renewal.	101	Remember your certificate will expire in 90 days, and thus needs renewal.
216		102
217	Activate the configuration file:	103	Now you have the certificates you can reload nginx:
218		104
219	```	105	```
220	$ sudo ln -s /etc/nginx/sites-available/peertube /etc/nginx/sites-enabled/peertube
221	$ sudo systemctl reload nginx	106	$ sudo systemctl reload nginx
222	```	107	```
223		108
@@ -235,30 +120,6 @@ Update the service file:
235	$ sudo vim /etc/systemd/system/peertube.service	120	$ sudo vim /etc/systemd/system/peertube.service
236	```	121	```
237		122
238	It should look like this:
239
240	```
241	[Unit]
242	Description=PeerTube daemon
243	After=network.target
244
245	[Service]
246	Type=simple
247	Environment=NODE_ENV=production
248	Environment=NODE_CONFIG_DIR=/var/www/peertube/config
249	User=peertube
250	Group=peertube
251	ExecStart=/usr/bin/npm start
252	WorkingDirectory=/var/www/peertube/peertube-latest
253	StandardOutput=syslog
254	StandardError=syslog
255	SyslogIdentifier=peertube
256	Restart=always
257
258	[Install]
259	WantedBy=multi-user.target
260	```
261
262		123
263	Tell systemd to reload its config:	124	Tell systemd to reload its config:
264		125


diff --git a/support/nginx/peertube b/support/nginx/peertube index 6a076a8f8..1aa6108cc 100644 --- a/support/nginx/peertube +++ b/support/nginx/peertube
@@ -6,7 +6,10 @@ server {
6	access_log /var/log/nginx/peertube.example.com.access.log;	6	access_log /var/log/nginx/peertube.example.com.access.log;
7	error_log /var/log/nginx/peertube.example.com.error.log;	7	error_log /var/log/nginx/peertube.example.com.error.log;
8		8
9	location /.well-known/acme-challenge/ { allow all; }	9	location /.well-known/acme-challenge/ {
		10	default_type "text/plain";
		11	root /var/www/certbot;
		12	}
10	location / { return 301 https://$host$request_uri; }	13	location / { return 301 https://$host$request_uri; }
11	}	14	}
12		15
@@ -15,12 +18,12 @@ server {
15	listen [::]:443 ssl http2;	18	listen [::]:443 ssl http2;
16	server_name peertube.example.com;	19	server_name peertube.example.com;
17		20
18	# For example with Let's Encrypt (you need a certificate to run https)	21	# For example with certbot (you need a certificate to run https)
19	ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;	22	ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
20	ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;	23	ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;
21		24
22	# Security hardening (as of 11/02/2018)	25	# Security hardening (as of 11/02/2018)
23	ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2	26	ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
24	ssl_prefer_server_ciphers on;	27	ssl_prefer_server_ciphers on;
25	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';	28	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
26	ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0	29	ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
@@ -29,8 +32,11 @@ server {
29	ssl_session_tickets off; # Requires nginx >= 1.5.9	32	ssl_session_tickets off; # Requires nginx >= 1.5.9
30	ssl_stapling on; # Requires nginx >= 1.3.7	33	ssl_stapling on; # Requires nginx >= 1.3.7
31	ssl_stapling_verify on; # Requires nginx => 1.3.7	34	ssl_stapling_verify on; # Requires nginx => 1.3.7
32	resolver $DNS-IP-1 $DNS-IP-2 valid=300s;	35
33	resolver_timeout 5s;	36	# Configure with your resolvers
		37	# resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
		38	# resolver_timeout 5s;
		39
34	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";	40	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
35	add_header X-Frame-Options DENY;	41	add_header X-Frame-Options DENY;
36	add_header X-Content-Type-Options nosniff;	42	add_header X-Content-Type-Options nosniff;
@@ -63,8 +69,8 @@ server {
63	proxy_set_header Host $host;	69	proxy_set_header Host $host;
64	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;	70	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
65		71
66	# For the video upload	72	# Hard limit, PeerTube does not support videos > 4GB
67	client_max_body_size 2G;	73	client_max_body_size 4G;
68	proxy_connect_timeout 600;	74	proxy_connect_timeout 600;
69	proxy_send_timeout 600;	75	proxy_send_timeout 600;
70	proxy_read_timeout 600;	76	proxy_read_timeout 600;