Precisions and security enhancements to the production guide (#287)

- added precisions and suggestions about how to generate Let's Encrypt certificates. Users have reported their installations didn't work when the problem came from missing certificates (false positives). - security defaults of Nginx follow the basic robustness principle "be conservative in what you send, be liberal in what you accept", which isn't enough with modern security standards, so we should be picky with the cipher suites we use, among other things. Extra comments (especially for the TLS1.3 protocol support parameter) make the requirement of a recent Nginx installation obvious, and the downgrade alternative remains clear to the system administrator. All in all, we should aknowledge users will most often copy and paste the configuration files. Making them secure by default may force a few users to read their configuration, but on the long run we are making the fediverse more secure. Since I've come to modify a bit the Nginx config in `support/doc/production.md`, I've merged it with the template so that they stay consistent.
author: Rigel Kent <par@rigelk.eu> 2018-02-14 11:11:49 +0100
committer: Chocobozzz <me@florianbigard.com> 2018-02-14 11:11:49 +0100
commit: e883399fa6caa56bb8519c9a2e22d88001f26661 (patch)
tree: 2843fa320193ed86ae153cfbe7756ca4a979c804
parent: 1007a0185f5e3c1330a78f07d60f8dda9f5ddd15 (diff)
download: PeerTube-e883399fa6caa56bb8519c9a2e22d88001f26661.tar.gz
PeerTube-e883399fa6caa56bb8519c9a2e22d88001f26661.tar.zst
PeerTube-e883399fa6caa56bb8519c9a2e22d88001f26661.zip
2 files changed, 76 insertions, 22 deletions
diff --git a/support/doc/production.md b/support/doc/production.md
index ba76a81cf..e3187d481 100644
--- a/support/doc/production.md
+++ b/support/doc/production.md
@@ -70,6 +70,8 @@ configuration.
 ### Webserver
+We only provide official configuration files for Nginx.
 Copy the nginx configuration template:
 ```
@@ -83,9 +85,7 @@ It should correspond to the paths of your storage directories (set in the config
 $ sudo vim /etc/nginx/sites-available/peertube
 ```
-If you want to set https with Let's Encrypt please follow the steps of [this guide](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04).
+Your Mileage May Vary, but what follows is an example of configuration for nginx with a certificate made via `certbot` ([other utilities exist](https://letsencrypt.org/docs/client-options/)):
-An example of the nginx configuration could be:
 ```
 server {
@@ -104,11 +104,28 @@ server {
  listen [::]:443 ssl http2;
  server_name peertube.example.com;
-  # For example with Let's Encrypt
+  # For example with Let's Encrypt (you need a certificate to run https)
  ssl_certificate      /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/peertube.example.com/privkey.pem;
-  ssl_trusted_certificate /etc/letsencrypt/live/peertube.example.com/chain.pem;
+  
+  # Security hardening (as of 11/02/2018)
+  ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2
+  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+  ssl_prefer_server_ciphers on;
+  ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
+  ssl_session_timeout  10m;
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_tickets off; # Requires nginx >= 1.5.9
+  ssl_stapling on; # Requires nginx >= 1.3.7
+  ssl_stapling_verify on; # Requires nginx => 1.3.7
+  resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
+  resolver_timeout 5s;
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+  add_header X-Frame-Options DENY;
+  add_header X-Content-Type-Options nosniff;
+  add_header X-XSS-Protection "1; mode=block";
+  add_header X-Robots-Tag none;
+  
  access_log /var/log/nginx/peertube.example.com.access.log;
  error_log /var/log/nginx/peertube.example.com.error.log;
@@ -136,7 +153,7 @@ server {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # For the video upload
-    client_max_body_size 8G;
+    client_max_body_size 2G;
    proxy_connect_timeout       600;
    proxy_send_timeout          600;
    proxy_read_timeout          600;
@@ -145,6 +162,9 @@ server {
  # Bypass PeerTube webseed route for better performances
  location /static/webseed {
+    # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
+    limit_rate 800k;
+    
    if ($request_method = 'OPTIONS') {
      add_header 'Access-Control-Allow-Origin' '*';
      add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
@@ -182,6 +202,17 @@ server {
 }
 ```
+To generate the certificate for your domain as required to make https work, you have two alternatives (note that the second command modifies itself the Nginx configuration to point the concerned server blocks to its certificate):
+```
+$ sudo certbot --authenticator standalone certonly -d peertube.example.com && nginx -t && systemctl reload nginx
+```
+```
+$ sudo certbot --authenticator standalone --installer nginx --post-hook "nginx -t && systemctl reload nginx"
+```
+Remember your certificate will expire in 90 days, and thus needs renewal.
 Activate the configuration file:
@@ -192,7 +223,7 @@ $ sudo systemctl reload nginx
 ### Systemd
-Copy the nginx configuration template:
+Copy the SystemD configuration template:
 ```
 $ sudo cp /var/www/peertube/peertube-latest/support/systemd/peertube.service /etc/systemd/system/
diff --git a/support/nginx/peertube b/support/nginx/peertube
index 5261cddb4..6a076a8f8 100644
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -1,10 +1,10 @@
 server {
  listen 80;
-  # listen [::]:80;
+  listen [::]:80;
-  server_name domain.tld;
+  server_name peertube.example.com;
-  access_log /var/log/nginx/peertube_access.log;
+  access_log /var/log/nginx/peertube.example.com.access.log;
-  error_log /var/log/nginx/peertube_error.log;
+  error_log /var/log/nginx/peertube.example.com.error.log;
  location /.well-known/acme-challenge/ { allow all; }
  location / { return 301 https://$host$request_uri; }
@@ -12,16 +12,38 @@ server {
 server {
  listen 443 ssl http2;
-  # listen [::]:443 ssl http2;
+  listen [::]:443 ssl http2;
-  server_name domain.tld;
+  server_name peertube.example.com;
-  access_log /var/log/nginx/peertube_access.log;
+  # For example with Let's Encrypt (you need a certificate to run https)
-  error_log /var/log/nginx/peertube_error.log;
+  ssl_certificate      /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
+  ssl_certificate_key  /etc/letsencrypt/live/peertube.example.com/privkey.pem;
-  # For example with Let's Encrypt
+  
-  ssl_certificate      /etc/letsencrypt/live/domain.tld/fullchain.pem;
+  # Security hardening (as of 11/02/2018)
-  ssl_certificate_key  /etc/letsencrypt/live/domain.tld/privkey.pem;
+  ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2
-  ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/chain.pem;
+  ssl_prefer_server_ciphers on;
+  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+  ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
+  ssl_session_timeout  10m;
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_tickets off; # Requires nginx >= 1.5.9
+  ssl_stapling on; # Requires nginx >= 1.3.7
+  ssl_stapling_verify on; # Requires nginx => 1.3.7
+  resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
+  resolver_timeout 5s;
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+  add_header X-Frame-Options DENY;
+  add_header X-Content-Type-Options nosniff;
+  add_header X-XSS-Protection "1; mode=block";
+  add_header X-Robots-Tag none;
+  
+  access_log /var/log/nginx/peertube.example.com.access.log;
+  error_log /var/log/nginx/peertube.example.com.error.log;
+  location ^~ '/.well-known/acme-challenge' {
+    default_type "text/plain";
+    root /var/www/certbot;
+  }
  location ~ ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ {
    add_header Cache-Control "public, max-age=31536000, immutable";
@@ -46,6 +68,7 @@ server {
    proxy_connect_timeout       600;
    proxy_send_timeout          600;
    proxy_read_timeout          600;
+    send_timeout                600;
  }
  # Bypass PeerTube webseed route for better performances
author	Rigel Kent <par@rigelk.eu>	2018-02-14 11:11:49 +0100
committer	Chocobozzz <me@florianbigard.com>	2018-02-14 11:11:49 +0100
commit	e883399fa6caa56bb8519c9a2e22d88001f26661 (patch)
tree	2843fa320193ed86ae153cfbe7756ca4a979c804
parent	1007a0185f5e3c1330a78f07d60f8dda9f5ddd15 (diff)
download	PeerTube-e883399fa6caa56bb8519c9a2e22d88001f26661.tar.gz PeerTube-e883399fa6caa56bb8519c9a2e22d88001f26661.tar.zst PeerTube-e883399fa6caa56bb8519c9a2e22d88001f26661.zip

diff --git a/support/doc/production.md b/support/doc/production.md index ba76a81cf..e3187d481 100644 --- a/support/doc/production.md +++ b/support/doc/production.md
@@ -70,6 +70,8 @@ configuration.
70		70
71	### Webserver	71	### Webserver
72		72
		73	We only provide official configuration files for Nginx.
		74
73	Copy the nginx configuration template:	75	Copy the nginx configuration template:
74		76
75	```	77	```
@@ -83,9 +85,7 @@ It should correspond to the paths of your storage directories (set in the config
83	$ sudo vim /etc/nginx/sites-available/peertube	85	$ sudo vim /etc/nginx/sites-available/peertube
84	```	86	```
85		87
86	If you want to set https with Let's Encrypt please follow the steps of [this guide](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04).	88	Your Mileage May Vary, but what follows is an example of configuration for nginx with a certificate made via `certbot` ([other utilities exist](https://letsencrypt.org/docs/client-options/)):
87
88	An example of the nginx configuration could be:
89		89
90	```	90	```
91	server {	91	server {
@@ -104,11 +104,28 @@ server {
104	listen [::]:443 ssl http2;	104	listen [::]:443 ssl http2;
105	server_name peertube.example.com;	105	server_name peertube.example.com;
106		106
107	# For example with Let's Encrypt	107	# For example with Let's Encrypt (you need a certificate to run https)
108	ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;	108	ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
109	ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;	109	ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;
110	ssl_trusted_certificate /etc/letsencrypt/live/peertube.example.com/chain.pem;	110
111		111	# Security hardening (as of 11/02/2018)
		112	ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2
		113	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
		114	ssl_prefer_server_ciphers on;
		115	ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
		116	ssl_session_timeout 10m;
		117	ssl_session_cache shared:SSL:10m;
		118	ssl_session_tickets off; # Requires nginx >= 1.5.9
		119	ssl_stapling on; # Requires nginx >= 1.3.7
		120	ssl_stapling_verify on; # Requires nginx => 1.3.7
		121	resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
		122	resolver_timeout 5s;
		123	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
		124	add_header X-Frame-Options DENY;
		125	add_header X-Content-Type-Options nosniff;
		126	add_header X-XSS-Protection "1; mode=block";
		127	add_header X-Robots-Tag none;
		128
112	access_log /var/log/nginx/peertube.example.com.access.log;	129	access_log /var/log/nginx/peertube.example.com.access.log;
113	error_log /var/log/nginx/peertube.example.com.error.log;	130	error_log /var/log/nginx/peertube.example.com.error.log;
114		131
@@ -136,7 +153,7 @@ server {
136	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;	153	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
137		154
138	# For the video upload	155	# For the video upload
139	client_max_body_size 8G;	156	client_max_body_size 2G;
140	proxy_connect_timeout 600;	157	proxy_connect_timeout 600;
141	proxy_send_timeout 600;	158	proxy_send_timeout 600;
142	proxy_read_timeout 600;	159	proxy_read_timeout 600;
@@ -145,6 +162,9 @@ server {
145		162
146	# Bypass PeerTube webseed route for better performances	163	# Bypass PeerTube webseed route for better performances
147	location /static/webseed {	164	location /static/webseed {
		165	# Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
		166	limit_rate 800k;
		167
148	if ($request_method = 'OPTIONS') {	168	if ($request_method = 'OPTIONS') {
149	add_header 'Access-Control-Allow-Origin' '*';	169	add_header 'Access-Control-Allow-Origin' '*';
150	add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';	170	add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
@@ -182,6 +202,17 @@ server {
182	}	202	}
183	```	203	```
184		204
		205	To generate the certificate for your domain as required to make https work, you have two alternatives (note that the second command modifies itself the Nginx configuration to point the concerned server blocks to its certificate):
		206
		207	```
		208	$ sudo certbot --authenticator standalone certonly -d peertube.example.com && nginx -t && systemctl reload nginx
		209	```
		210
		211	```
		212	$ sudo certbot --authenticator standalone --installer nginx --post-hook "nginx -t && systemctl reload nginx"
		213	```
		214
		215	Remember your certificate will expire in 90 days, and thus needs renewal.
185		216
186	Activate the configuration file:	217	Activate the configuration file:
187		218
@@ -192,7 +223,7 @@ $ sudo systemctl reload nginx
192		223
193	### Systemd	224	### Systemd
194		225
195	Copy the nginx configuration template:	226	Copy the SystemD configuration template:
196		227
197	```	228	```
198	$ sudo cp /var/www/peertube/peertube-latest/support/systemd/peertube.service /etc/systemd/system/	229	$ sudo cp /var/www/peertube/peertube-latest/support/systemd/peertube.service /etc/systemd/system/


diff --git a/support/nginx/peertube b/support/nginx/peertube index 5261cddb4..6a076a8f8 100644 --- a/support/nginx/peertube +++ b/support/nginx/peertube
@@ -1,10 +1,10 @@
1	server {	1	server {
2	listen 80;	2	listen 80;
3	# listen [::]:80;	3	listen [::]:80;
4	server_name domain.tld;	4	server_name peertube.example.com;
5		5
6	access_log /var/log/nginx/peertube_access.log;	6	access_log /var/log/nginx/peertube.example.com.access.log;
7	error_log /var/log/nginx/peertube_error.log;	7	error_log /var/log/nginx/peertube.example.com.error.log;
8		8
9	location /.well-known/acme-challenge/ { allow all; }	9	location /.well-known/acme-challenge/ { allow all; }
10	location / { return 301 https://$host$request_uri; }	10	location / { return 301 https://$host$request_uri; }
@@ -12,16 +12,38 @@ server {
12		12
13	server {	13	server {
14	listen 443 ssl http2;	14	listen 443 ssl http2;
15	# listen [::]:443 ssl http2;	15	listen [::]:443 ssl http2;
16	server_name domain.tld;	16	server_name peertube.example.com;
17		17
18	access_log /var/log/nginx/peertube_access.log;	18	# For example with Let's Encrypt (you need a certificate to run https)
19	error_log /var/log/nginx/peertube_error.log;	19	ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
20		20	ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;
21	# For example with Let's Encrypt	21
22	ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;	22	# Security hardening (as of 11/02/2018)
23	ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;	23	ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2
24	ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/chain.pem;	24	ssl_prefer_server_ciphers on;
		25	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
		26	ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
		27	ssl_session_timeout 10m;
		28	ssl_session_cache shared:SSL:10m;
		29	ssl_session_tickets off; # Requires nginx >= 1.5.9
		30	ssl_stapling on; # Requires nginx >= 1.3.7
		31	ssl_stapling_verify on; # Requires nginx => 1.3.7
		32	resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
		33	resolver_timeout 5s;
		34	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
		35	add_header X-Frame-Options DENY;
		36	add_header X-Content-Type-Options nosniff;
		37	add_header X-XSS-Protection "1; mode=block";
		38	add_header X-Robots-Tag none;
		39
		40	access_log /var/log/nginx/peertube.example.com.access.log;
		41	error_log /var/log/nginx/peertube.example.com.error.log;
		42
		43	location ^~ '/.well-known/acme-challenge' {
		44	default_type "text/plain";
		45	root /var/www/certbot;
		46	}
25		47
26	location ~ ^/client/(.*\.(js\|css\|woff2\|otf\|ttf\|woff\|eot))$ {	48	location ~ ^/client/(.*\.(js\|css\|woff2\|otf\|ttf\|woff\|eot))$ {
27	add_header Cache-Control "public, max-age=31536000, immutable";	49	add_header Cache-Control "public, max-age=31536000, immutable";
@@ -46,6 +68,7 @@ server {
46	proxy_connect_timeout 600;	68	proxy_connect_timeout 600;
47	proxy_send_timeout 600;	69	proxy_send_timeout 600;
48	proxy_read_timeout 600;	70	proxy_read_timeout 600;
		71	send_timeout 600;
49	}	72	}
50		73
51	# Bypass PeerTube webseed route for better performances	74	# Bypass PeerTube webseed route for better performances