author | Rigel Kent <sendmemail@rigelk.eu> | 2020-03-03 00:29:52 +0100 |
---|---|---|
committer | Rigel Kent <sendmemail@rigelk.eu> | 2020-11-11 16:45:46 +0100 |
commit | 1a9b141d835cf3bfe9bdca67f881b520975f9058 (patch) | |
tree | 444b35656c7093250181121ccfadb870c5046be4 /support/nginx/peertube | |
parent | 8e98e6124d2b006ba9f616b0dfce7369fa7b2684 (diff) | |
Add nginx behind traefik in docker-compose + image updates
- support/docker/production/docker-compose.yml: addition of a nginx
image reusing support/nginx/peertube nginx conf to improve performance,
and lessen setup differences between the docker-compose install and the
typical production install.
- support/docker/production/docker-compose.yml: postgres 10 -> postgres
12, redis 4 -> redis 5. A Postgres major version update implies a manual upgrade.
- support/nginx/peertube: HTTP -> HTTPS redirection is now commented out
by default, to allow its reuse in support/docker/production/docker-compose.yml.
Diffstat (limited to 'support/nginx/peertube')
-rw-r--r-- | support/nginx/peertube | 42 |
1 files changed, 20 insertions, 22 deletions
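diff --git a/support/nginx/peertube b/support/nginx/peertube
index a17868c5a..7f2c0f263 100644
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -1,26 +1,24 @@
-server {
-listen 80;
-listen [::]:80;
-server_name peertube.example.com;
-
-access_log /var/log/nginx/peertube.example.com.access.log;
-error_log /var/log/nginx/peertube.example.com.error.log;
-
-location /.well-known/acme-challenge/ {
-default_type "text/plain";
-root /var/www/certbot;
-}
-location / { return 301 https://$host$request_uri; }
-}
+# Uncomment in production to redirect HTTP to HTTPS. Leave commented for docker-compose.
+#server {
+# listen 80;
+# listen [::]:80;
+# server_name ${WEBSERVER_HOST};
+#
+# location /.well-known/acme-challenge/ {
+# default_type "text/plain";
+# root /var/www/certbot;
+# }
+# location / { return 301 https://$host$request_uri; }
+#}
 
 server {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
-server_name peertube.example.com;
+server_name ${WEBSERVER_HOST};
 
 # For example with certbot (you need a certificate to run https)
-ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
-ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;
+ssl_certificate /etc/letsencrypt/live/${WEBSERVER_HOST}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem;
 
 # Security hardening (as of 11/02/2018)
 ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
@@ -51,8 +49,8 @@ server {
 # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
 # client_body_temp_path /var/www/peertube/storage/nginx/;
 
-access_log /var/log/nginx/peertube.example.com.access.log;
-error_log /var/log/nginx/peertube.example.com.error.log;
+access_log /var/log/nginx/${WEBSERVER_HOST}.access.log;
+error_log /var/log/nginx/${WEBSERVER_HOST}.error.log;
 
 location ^~ '/.well-known/acme-challenge' {
 default_type "text/plain";
@@ -92,7 +90,7 @@ server {
 }
 
 location / {
-proxy_pass http://127.0.0.1:9000;
+proxy_pass http://${PEERTUBE_HOST};
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -177,14 +175,14 @@ server {
 proxy_http_version 1.1;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header Host $host;
-proxy_pass http://127.0.0.1:9000;
+proxy_pass http://${PEERTUBE_HOST};
 }
 
 location /socket.io {
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header Host $host;
 
-proxy_pass http://127.0.0.1:9000;
+proxy_pass http://${PEERTUBE_HOST};
 
 # enable WebSockets
 proxy_http_version 1.1;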
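Review bot: The `${WEBSERVER_HOST}` and `${PEERTUBE_HOST}` placeholders introduced in `server_name`, the `ssl_certificate*` paths, the log paths and the three `proxy_pass` lines turn this file into a template, but nothing in the file says so, and they share the `$` syntax of the nginx runtime variables beside them (`$host`, `$remote_addr`, `$request_uri`, `$proxy_add_x_forwarded_for`). If the substitution step is not restricted to those two names, the runtime variables would presumably be blanked as well, which would break the `Host` and `X-Forwarded-For` headers passed upstream and the redirect target; the substitution command is outside this diff, so this is worth confirming. A header comment would make the contract explicit, e.g. `# Template: substitute only ${WEBSERVER_HOST} and ${PEERTUBE_HOST} (e.g. envsubst with an explicit variable list) before loading; every other $variable is an nginx runtime variable.` Separately, with the port-80 block commented out by default, an install that copies this file directly no longer redirects HTTP to HTTPS until the operator uncomments it, and the commented block no longer carries the `access_log`/`error_log` lines the old block had, so it is worth stating in the leading comment that the redirect must be enabled whenever nginx is the public-facing listener.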