aboutsummaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorRigel Kent <sendmemail@rigelk.eu>2020-11-22 16:10:09 +0100
committerRigel Kent <sendmemail@rigelk.eu>2020-11-23 10:03:48 +0100
commitb2aecc1ecbed7449b9486812c573993b4582a267 (patch)
tree104f864c8953dc2acd5abaa8368b64f50508a52b
parent488a80fbc0f3adbbf37603c446f103ff05eb4a6d (diff)
downloadPeerTube-b2aecc1ecbed7449b9486812c573993b4582a267.tar.gz
PeerTube-b2aecc1ecbed7449b9486812c573993b4582a267.tar.zst
PeerTube-b2aecc1ecbed7449b9486812c573993b4582a267.zip
factorize nginx websocket and per route limits
-rw-r--r--support/nginx/peertube107
1 files changed, 62 insertions, 45 deletions
diff --git a/support/nginx/peertube b/support/nginx/peertube
index 6d1c89459..f1ef4ccd1 100644
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -1,6 +1,6 @@
1# Minimum Nginx version required: 1.13.0 (released Apr 25, 2017) 1# Minimum Nginx version required: 1.13.0 (released Apr 25, 2017)
2# Please check your Nginx installation features the following modules via 'nginx -V': 2# Please check your Nginx installation features the following modules via 'nginx -V':
3# STANDARD HTTP MODULES: Core, Map, Proxy, Rewrite. 3# STANDARD HTTP MODULES: Core, Proxy, Rewrite.
4# OPTIONAL HTTP MODULES: Gzip, Headers, HTTP/2, Log, Real IP, SSL, Thread Pool, Upstream. 4# OPTIONAL HTTP MODULES: Gzip, Headers, HTTP/2, Log, Real IP, SSL, Thread Pool, Upstream.
5# THIRD PARTY MODULES: None. 5# THIRD PARTY MODULES: None.
6 6
@@ -61,13 +61,38 @@ server {
61 # Application 61 # Application
62 ## 62 ##
63 63
64 location / { 64 location @api {
65 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 65 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
66 proxy_set_header Host $host; 66 proxy_set_header Host $host;
67 proxy_set_header X-Real-IP $remote_addr; 67 proxy_set_header X-Real-IP $remote_addr;
68 68
69 client_max_body_size 100k; # default is 1M
70
71 proxy_connect_timeout 10m;
72 proxy_send_timeout 10m;
73 proxy_read_timeout 10m;
74 send_timeout 10m;
75
76 proxy_pass http://backend;
77 }
78
79 location / {
80 try_files /dev/null @api;
81 }
82
83 location = /api/v1/users/me/avatar/pick {
84 limit_except POST { deny all; }
85
86 client_max_body_size 2M; # default is 1M
87
88 try_files /dev/null @api;
89 }
90
91 location = /api/v1/videos/upload {
92 limit_except POST { deny all; }
93
69 # This is the maximum upload size, which roughly matches the maximum size of a video file 94 # This is the maximum upload size, which roughly matches the maximum size of a video file
70 # you can send via the API or the web interface. By default this is 8GB, but administrators 95 # you can send via the API or the web interface. By default we set it to 8GB, but administrators
71 # can increase or decrease the limit. Currently there's no way to communicate this limit 96 # can increase or decrease the limit. Currently there's no way to communicate this limit
72 # to users automatically, so you may want to leave a note in your instance 'about' page if 97 # to users automatically, so you may want to leave a note in your instance 'about' page if
73 # you change this. 98 # you change this.
@@ -75,21 +100,16 @@ server {
75 # Note that temporary space is needed equal to the total size of all concurrent uploads. 100 # Note that temporary space is needed equal to the total size of all concurrent uploads.
76 # This data gets stored in /var/lib/nginx by default, so you may want to put this directory 101 # This data gets stored in /var/lib/nginx by default, so you may want to put this directory
77 # on a dedicated filesystem. 102 # on a dedicated filesystem.
78 client_max_body_size 8G; 103 client_max_body_size 8G; # default is 1M
79
80 proxy_connect_timeout 600s;
81 proxy_send_timeout 600s;
82 proxy_read_timeout 600s;
83 send_timeout 600s;
84 104
85 proxy_pass http://backend; 105 try_files /dev/null @api;
86 } 106 }
87 107
88 ## 108 ##
89 # Websocket 109 # Websocket
90 ## 110 ##
91 111
92 location /tracker/socket { 112 location @api_websocket {
93 proxy_http_version 1.1; 113 proxy_http_version 1.1;
94 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 114 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
95 proxy_set_header Host $host; 115 proxy_set_header Host $host;
@@ -97,22 +117,19 @@ server {
97 proxy_set_header Upgrade $http_upgrade; 117 proxy_set_header Upgrade $http_upgrade;
98 proxy_set_header Connection "upgrade"; 118 proxy_set_header Connection "upgrade";
99 119
100 # Peers send a message to the tracker every 15 minutes
101 # Don't close the websocket before then
102 proxy_read_timeout 1200s; # default is 60s
103
104 proxy_pass http://backend; 120 proxy_pass http://backend;
105 } 121 }
106 122
107 location /socket.io { 123 location /socket.io {
108 proxy_http_version 1.1; 124 try_files /dev/null @api_websocket;
109 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 125 }
110 proxy_set_header Host $host;
111 proxy_set_header X-Real-IP $remote_addr;
112 proxy_set_header Upgrade $http_upgrade;
113 proxy_set_header Connection "upgrade";
114 126
115 proxy_pass http://backend; 127 location /tracker/socket {
128 # Peers send a message to the tracker every 15 minutes
129 # Don't close the websocket before then
130 proxy_read_timeout 15m; # default is 60s
131
132 try_files /dev/null @api_websocket;
116 } 133 }
117 134
118 ## 135 ##
@@ -152,14 +169,14 @@ server {
152 # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path 169 # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
153 #client_body_temp_path /var/www/peertube/storage/nginx/; 170 #client_body_temp_path /var/www/peertube/storage/nginx/;
154 171
155 # Bypass PeerTube for performance reasons. Could be removed 172 # Bypass PeerTube for performance reasons. Optional.
156 # Should be consistent with client-overrides assets list in /server/controllers/client.ts 173 # Should be consistent with client-overrides assets list in /server/controllers/client.ts
157 location ~ ^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png))$ { 174 location ~ ^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png))$ {
158 add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year 175 add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
159 176
160 root /var/www/peertube; 177 root /var/www/peertube;
161 178
162 try_files /storage/client-overrides/$1 /peertube-latest/client/dist/$1 /; 179 try_files /storage/client-overrides/$1 /peertube-latest/client/dist/$1 @api;
163 } 180 }
164 181
165 # Bypass PeerTube for performance reasons. Optional. 182 # Bypass PeerTube for performance reasons. Optional.
@@ -172,23 +189,23 @@ server {
172 # Bypass PeerTube for performance reasons. Optional. 189 # Bypass PeerTube for performance reasons. Optional.
173 location ~ ^/static/(thumbnails|avatars)/ { 190 location ~ ^/static/(thumbnails|avatars)/ {
174 if ($request_method = 'OPTIONS') { 191 if ($request_method = 'OPTIONS') {
175 add_header 'Access-Control-Allow-Origin' '*'; 192 add_header Access-Control-Allow-Origin '*';
176 add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS'; 193 add_header Access-Control-Allow-Methods 'GET, OPTIONS';
177 add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; 194 add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
178 add_header 'Access-Control-Max-Age' 1728000; # Preflight request can be cached 20 days 195 add_header Access-Control-Max-Age 1728000; # Preflight request can be cached 20 days
179 add_header 'Content-Type' 'text/plain charset=UTF-8'; 196 add_header Content-Type 'text/plain charset=UTF-8';
180 add_header 'Content-Length' 0; 197 add_header Content-Length 0;
181 return 204; 198 return 204;
182 } 199 }
183 200
184 add_header 'Access-Control-Allow-Origin' '*'; 201 add_header Access-Control-Allow-Origin '*';
185 add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS'; 202 add_header Access-Control-Allow-Methods 'GET, OPTIONS';
186 add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; 203 add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
187 add_header Cache-Control "public, max-age=7200"; # Cache response 2 hours 204 add_header Cache-Control "public, max-age=7200"; # Cache response 2 hours
188 205
189 rewrite ^/static/(.*)$ /$1 break; 206 rewrite ^/static/(.*)$ /$1 break;
190 207
191 try_files $uri /; 208 try_files $uri @api;
192 } 209 }
193 210
194 # Bypass PeerTube for performance reasons. Optional. 211 # Bypass PeerTube for performance reasons. Optional.
@@ -209,19 +226,19 @@ server {
209 set $limit_rate $peertube_limit_rate; 226 set $limit_rate $peertube_limit_rate;
210 227
211 if ($request_method = 'OPTIONS') { 228 if ($request_method = 'OPTIONS') {
212 add_header 'Access-Control-Allow-Origin' '*'; 229 add_header Access-Control-Allow-Origin '*';
213 add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS'; 230 add_header Access-Control-Allow-Methods 'GET, OPTIONS';
214 add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; 231 add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
215 add_header 'Access-Control-Max-Age' 1728000; # Preflight request can be cached 20 days 232 add_header Access-Control-Max-Age 1728000; # Preflight request can be cached 20 days
216 add_header 'Content-Type' 'text/plain charset=UTF-8'; 233 add_header Content-Type 'text/plain charset=UTF-8';
217 add_header 'Content-Length' 0; 234 add_header Content-Length 0;
218 return 204; 235 return 204;
219 } 236 }
220 237
221 if ($request_method = 'GET') { 238 if ($request_method = 'GET') {
222 add_header 'Access-Control-Allow-Origin' '*'; 239 add_header Access-Control-Allow-Origin '*';
223 add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS'; 240 add_header Access-Control-Allow-Methods 'GET, OPTIONS';
224 add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; 241 add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
225 242
226 # Don't spam access log file with byte range requests 243 # Don't spam access log file with byte range requests
227 access_log off; 244 access_log off;
@@ -242,6 +259,6 @@ server {
242 rewrite ^/static/webseed/(.*)$ /videos/$1 break; 259 rewrite ^/static/webseed/(.*)$ /videos/$1 break;
243 rewrite ^/static/(.*)$ /$1 break; 260 rewrite ^/static/(.*)$ /$1 break;
244 261
245 try_files $uri /; 262 try_files $uri @api;
246 } 263 }
247} 264}