authorRigel Kent <sendmemail@rigelk.eu>2020-11-16 19:16:49 +0100
committerGitHub <noreply@github.com>2020-11-16 19:16:49 +0100
commit5f59cf077fd9f9c0c91c7bb56efbfd5db103bff2 (patch)
treee9153bdc5891a8c09f241f00e624edda82f76f62 /support/nginx/peertube
parent12c8a46362f1f92d1c1a34991a76c55f625a80c6 (diff)
downloadPeerTube-5f59cf077fd9f9c0c91c7bb56efbfd5db103bff2.tar.gz
PeerTube-5f59cf077fd9f9c0c91c7bb56efbfd5db103bff2.tar.zst
PeerTube-5f59cf077fd9f9c0c91c7bb56efbfd5db103bff2.zip
refresh nginx config and optimize delivery (#3313)
refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove resolver config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
Diffstat (limited to 'support/nginx/peertube')
-rw-r--r--support/nginx/peertube276
1 files changed, 160 insertions, 116 deletions
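--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -1,3 +1,5 @@
+# Minimum Nginx version required: 1.13.0 (released Apr 25, 2017)
+
 # Uncomment in production to redirect HTTP to HTTPS. Leave commented for docker-compose.
 #server {
 # listen 80;
@@ -11,146 +13,212 @@
 # location / { return 301 https://$host$request_uri; }
 #}
 
+upstream backend {
+ server ${PEERTUBE_HOST};
+}
+
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name ${WEBSERVER_HOST};
 
- # For example with certbot (you need a certificate to run https)
- ssl_certificate /etc/letsencrypt/live/${WEBSERVER_HOST}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem;
+ access_log /var/log/nginx/peertube.access.log; # reduce I/0 with buffer=10m flush=5m
+ error_log /var/log/nginx/peertube.error.log;
+
+ ##
+ # Certificates
+ # you need a certificate to run in production. see https://letsencrypt.org/
+ ##
+ ssl_certificate /etc/letsencrypt/live/peertube/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/peertube/privkey.pem;
+
+ location ^~ '/.well-known/acme-challenge' {
+ default_type "text/plain";
+ root /var/www/certbot;
+ }
+
+ ##
+ # Security hardening (as of Nov 15, 2020)
+ # based on Mozilla Guideline v5.6
+ ##
 
- # Security hardening (as of 11/02/2018)
- ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
+ ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
- # Remove ECDHE-RSA-AES256-SHA if you don't want compatibility with Android 4
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA';
- # ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0, not compatible with import-videos script
- ssl_session_timeout 10m;
- ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off; # Requires nginx >= 1.5.9
- ssl_stapling on; # Requires nginx >= 1.3.7
- ssl_stapling_verify on; # Requires nginx => 1.3.7
+ ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
+ ssl_session_timeout 1d; # defaults to 5m
+ ssl_session_cache shared:SSL:10m; # estimated to 40k sessions
+ ssl_session_tickets off;
+ ssl_stapling on;
+ ssl_stapling_verify on;
  # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
  #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
 
- # Configure with your resolvers
- # resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
- # resolver_timeout 5s;
+ ##
+ # Application
+ ##
 
- # Enable compression for JS/CSS/HTML bundle, for improved client load times.
- # It might be nice to compress JSON, but leaving that out to protect against potential
- # compression+encryption information leak attacks like BREACH.
- gzip on;
- gzip_types text/css application/javascript;
- gzip_vary on;
+ location / {
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
 
- # If you have a small /var/lib partition, it could be interesting to store temp nginx uploads in a different place
- # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
- # client_body_temp_path /var/www/peertube/storage/nginx/;
+ # This is the maximum upload size, which roughly matches the maximum size of a video file
+ # you can send via the API or the web interface. By default this is 8GB, but administrators
+ # can increase or decrease the limit. Currently there's no way to communicate this limit
+ # to users automatically, so you may want to leave a note in your instance 'about' page if
+ # you change this.
+ #
+ # Note that temporary space is needed equal to the total size of all concurrent uploads.
+ # This data gets stored in /var/lib/nginx by default, so you may want to put this directory
+ # on a dedicated filesystem.
+ client_max_body_size 8G;
 
- access_log /var/log/nginx/${WEBSERVER_HOST}.access.log;
- error_log /var/log/nginx/${WEBSERVER_HOST}.error.log;
+ proxy_connect_timeout 600s;
+ proxy_send_timeout 600s;
+ proxy_read_timeout 600s;
+ send_timeout 600s;
 
- location ^~ '/.well-known/acme-challenge' {
- default_type "text/plain";
- root /var/www/certbot;
+ proxy_pass http://backend;
+ }
+
+ ##
+ # Websocket
+ ##
+
+ location /tracker/socket {
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ # Peers send a message to the tracker every 15 minutes
+ # Don't close the websocket before then
+ proxy_read_timeout 1200s; # default is 60s
+
+ proxy_pass http://backend;
+ }
+
+ location /socket.io {
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ proxy_pass http://backend;
  }
 
+ ##
+ # Performance optimizations
+ # For extra performance please refer to https://github.com/denji/nginx-tuning
+ ##
+
+ root /var/www/peertube/storage;
+
+ # Enable compression for JS/CSS/HTML, for improved client load times.
+ # It might be nice to compress JSON/XML as returned by the API, but
+ # leaving that out to protect against potential BREACH attack.
+ gzip on;
+ gzip_vary on;
+ gzip_types # text/html is always compressed by HttpGzipModule
+ text/css
+ application/javascript
+ font/truetype
+ font/opentype
+ application/vnd.ms-fontobject
+ image/svg+xml;
+ gzip_min_length 1000; # default is 20 bytes
+ gzip_buffers 16 8k;
+ gzip_comp_level 2; # default is 1
+
+ client_body_timeout 30s; # default is 60
+ client_header_timeout 10s; # default is 60
+ send_timeout 10s; # default is 60
+ keepalive_timeout 10s; # default is 75
+ resolver_timeout 10s; # default is 30
+ reset_timedout_connection on;
+
+ tcp_nopush on; # send headers in one piece
+ tcp_nodelay on; # don't buffer data sent, good for small data bursts in real time
+
+ open_file_cache max=2000 inactive=5m; # default is no cache
+ open_file_cache_valid 2m; # default is 60s
+ open_file_cache_min_uses 2; # default is 1
+ open_file_cache_errors on;
+
+ # If you have a small /var/lib partition, it could be interesting to store temp nginx uploads in a different place
+ # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
+ #client_body_temp_path /var/www/peertube/storage/nginx/;
+
  # Bypass PeerTube for performance reasons. Could be removed
  # Should be consistent with client-overrides assets list in /server/controllers/client.ts
  location ~ ^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png))$ {
- add_header Cache-Control "public, max-age=31536000, immutable";
-
- root /var/www/peertube/storage/client-overrides;
+ add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
 
- try_files /$1 $uri;
+ try_files /client-overrides/$1 $uri;
  }
 
- # Bypass PeerTube for performance reasons. Could be removed
+ # Bypass PeerTube for performance reasons. Optional.
  location ~ ^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$ {
- add_header Cache-Control "public, max-age=31536000, immutable";
+ add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
 
  alias /var/www/peertube/peertube-latest/client/dist/$1;
  }
 
- # Bypass PeerTube for performance reasons. Could be removed
+ # Bypass PeerTube for performance reasons. Optional.
  location ~ ^/static/(thumbnails|avatars)/ {
  if ($request_method = 'OPTIONS') {
  add_header 'Access-Control-Allow-Origin' '*';
  add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
  add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
- add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Access-Control-Max-Age' 1728000; # Preflight request can be cached 20 days
  add_header 'Content-Type' 'text/plain charset=UTF-8';
  add_header 'Content-Length' 0;
  return 204;
  }
 
  add_header 'Access-Control-Allow-Origin' '*';
  add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
  add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
-
- # Cache 2 hours
- add_header Cache-Control "public, max-age=7200";
+ add_header Cache-Control "public, max-age=7200"; # Cache response 2 hours
 
- root /var/www/peertube/storage;
+ rewrite ^/static/(.*)$ /$1 break;
 
- rewrite ^/static/(thumbnails|avatars)/(.*)$ /$1/$2 break;
  try_files $uri /;
  }
 
- location / {
- proxy_pass http://${PEERTUBE_HOST};
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
- # This is the maximum upload size, which roughly matches the maximum size of a video file
- # you can send via the API or the web interface. By default this is 8GB, but administrators
- # can increase or decrease the limit. Currently there's no way to communicate this limit
- # to users automatically, so you may want to leave a note in your instance 'about' page if
- # you change this.
- #
- # Note that temporary space is needed equal to the total size of all concurrent uploads.
- # This data gets stored in /var/lib/nginx by default, so you may want to put this directory
- # on a dedicated filesystem.
- #
- client_max_body_size 8G;
-
- proxy_connect_timeout 600;
- proxy_send_timeout 600;
- proxy_read_timeout 600;
- send_timeout 600;
- }
-
- # Bypass PeerTube for performance reasons. Could be removed
+ # Bypass PeerTube for performance reasons. Optional.
  location ~ ^/static/(webseed|redundancy|streaming-playlists)/ {
+ limit_rate_after 5M;
+
  # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
  set $peertube_limit_rate 800k;
 
  # Increase rate limit in HLS mode, because we don't have multiple simultaneous connections
  if ($request_uri ~ -fragmented.mp4$) {
- set $peertube_limit_rate 5000k;
+ set $peertube_limit_rate 5M;
  }
 
- # Use this with nginx >= 1.17.0
- # limit_rate $peertube_limit_rate;
- # Or this if your nginx < 1.17.0
+ # Use this line with nginx >= 1.17.0
+ #limit_rate $peertube_limit_rate;
+ # Or this line if your nginx < 1.17.0
  set $limit_rate $peertube_limit_rate;
- limit_rate_after 5000k;
 
  if ($request_method = 'OPTIONS') {
  add_header 'Access-Control-Allow-Origin' '*';
  add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
  add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
- add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Access-Control-Max-Age' 1728000; # Preflight request can be cached 20 days
  add_header 'Content-Type' 'text/plain charset=UTF-8';
  add_header 'Content-Length' 0;
  return 204;
  }
 
  if ($request_method = 'GET') {
  add_header 'Access-Control-Allow-Origin' '*';
  add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
  add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
 
@@ -158,45 +226,21 @@ server {
  access_log off;
  }
 
- root /var/www/peertube/storage;
+ # Enabling the sendfile directive eliminates the step of copying the data into the buffer
+ # and enables direct copying data from one file descriptor to another.
+ sendfile on;
+ sendfile_max_chunk 1M; # prevent one fast connection from entirely occupying the worker process. should be > 800k.
+ aio threads;
 
  # Use this in tandem with fuse-mounting i.e. https://docs.joinpeertube.org/#/admin-remote-storage
  # to serve files directly from a public bucket without proxying.
  # Assumes you have buckets named after the storage subdirectories, i.e. 'videos', 'redundancy', etc.
  #set $cdn <your S3-compatiable bucket public url mounted via fuse>;
  #rewrite ^/static/webseed/(.*)$ $cdn/videos/$1 redirect;
- #rewrite ^/static/redundancy/(.*)$ $cdn/redundancy/$1 redirect;
- #rewrite ^/static/streaming-playlists/(.*)$ $cdn/streaming-playlists/$1 redirect;
-
+ #rewrite ^/static/(.*)$ $cdn/$1 redirect;
  rewrite ^/static/webseed/(.*)$ /videos/$1 break;
- rewrite ^/static/redundancy/(.*)$ /redundancy/$1 break;
- rewrite ^/static/streaming-playlists/(.*)$ /streaming-playlists/$1 break;
+ rewrite ^/static/(.*)$ /$1 break;
 
  try_files $uri /;
  }
-
- # Websocket tracker
- location /tracker/socket {
- # Peers send a message to the tracker every 15 minutes
- # Don't close the websocket before this time
- proxy_read_timeout 1200s;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_http_version 1.1;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Host $host;
- proxy_pass http://${PEERTUBE_HOST};
- }
-
- location /socket.io {
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Host $host;
-
- proxy_pass http://${PEERTUBE_HOST};
-
- # enable WebSockets
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- }
 }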
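Review bot: `ssl_stapling on;` and `ssl_stapling_verify on;` (new lines 51–52 in the second hunk) are now left without any `resolver` directive, because the commented `resolver $DNS-IP-1 $DNS-IP-2 valid=300s;` / `resolver_timeout 5s;` example was dropped from the hardening section; nginx resolves the OCSP responder hostname at runtime through its own `resolver`, not through /etc/resolv.conf, so with this config stapling is silently skipped at request time (nginx logs a "no resolver defined" warning) and `ssl_stapling_verify` never gets a response to check. The `resolver_timeout 10s;` added in the performance section therefore has nothing to apply to either. The fix is a short addition next to the stapling lines, e.g. `# OCSP stapling needs a resolver; nginx does not read /etc/resolv.conf for runtime lookups` followed by `resolver <DNS-IP-1> <DNS-IP-2> valid=300s;` with the operator's resolvers filled in, and moving `resolver_timeout` beside it so the two are maintained together. As far as the visible lines show, the upstream name is the only other name involved and it is resolved at configuration load, so nothing else depends on this directive. The `server` block these directives belong to opens in the second hunk and closes at the end of the last hunk.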