authorChocobozzz <me@florianbigard.com>2018-02-16 11:04:12 +0100
committerChocobozzz <me@florianbigard.com>2018-02-16 11:04:12 +0100
commit0b4957126899975f603038501337421f84bcb3e4 (patch)
tree1bbd2b44b4baa81516c4cfda7f0f119fb26b162c /support/nginx
parent63ce5a54f24ec0d184f321e9f46dcda7c0d19325 (diff)
Try to improve production guide
Diffstat (limited to 'support/nginx')
-rw-r--r--support/nginx/peertube22
1 files changed, 14 insertions, 8 deletions
diff --git a/support/nginx/peertube b/support/nginx/peertube
index 6a076a8f8..1aa6108cc 100644
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -6,7 +6,10 @@ server {
6 access_log /var/log/nginx/peertube.example.com.access.log; 6 access_log /var/log/nginx/peertube.example.com.access.log;
7 error_log /var/log/nginx/peertube.example.com.error.log; 7 error_log /var/log/nginx/peertube.example.com.error.log;
8 8
9 location /.well-known/acme-challenge/ { allow all; } 9 location /.well-known/acme-challenge/ {
10 default_type "text/plain";
11 root /var/www/certbot;
12 }
10 location / { return 301 https://$host$request_uri; } 13 location / { return 301 https://$host$request_uri; }
11} 14}
12 15
@@ -15,12 +18,12 @@ server {
15 listen [::]:443 ssl http2; 18 listen [::]:443 ssl http2;
16 server_name peertube.example.com; 19 server_name peertube.example.com;
17 20
18 # For example with Let's Encrypt (you need a certificate to run https) 21 # For example with certbot (you need a certificate to run https)
19 ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem; 22 ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
20 ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem; 23 ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;
21 24
22 # Security hardening (as of 11/02/2018) 25 # Security hardening (as of 11/02/2018)
23 ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2 26 ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
24 ssl_prefer_server_ciphers on; 27 ssl_prefer_server_ciphers on;
25 ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; 28 ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
26 ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 29 ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
@@ -29,8 +32,11 @@ server {
29 ssl_session_tickets off; # Requires nginx >= 1.5.9 32 ssl_session_tickets off; # Requires nginx >= 1.5.9
30 ssl_stapling on; # Requires nginx >= 1.3.7 33 ssl_stapling on; # Requires nginx >= 1.3.7
31 ssl_stapling_verify on; # Requires nginx => 1.3.7 34 ssl_stapling_verify on; # Requires nginx => 1.3.7
32 resolver $DNS-IP-1 $DNS-IP-2 valid=300s; 35
33 resolver_timeout 5s; 36 # Configure with your resolvers
37 # resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
38 # resolver_timeout 5s;
39
34 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; 40 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
35 add_header X-Frame-Options DENY; 41 add_header X-Frame-Options DENY;
36 add_header X-Content-Type-Options nosniff; 42 add_header X-Content-Type-Options nosniff;
@@ -63,8 +69,8 @@ server {
63 proxy_set_header Host $host; 69 proxy_set_header Host $host;
64 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 70 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
65 71
66 # For the video upload 72 # Hard limit, PeerTube does not support videos > 4GB
67 client_max_body_size 2G; 73 client_max_body_size 4G;
68 proxy_connect_timeout 600; 74 proxy_connect_timeout 600;
69 proxy_send_timeout 600; 75 proxy_send_timeout 600;
70 proxy_read_timeout 600; 76 proxy_read_timeout 600;
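Review bot: In the third hunk the `resolver` and `resolver_timeout` directives are commented out (new lines 37–38) while `ssl_stapling on` and `ssl_stapling_verify on` stay active on new lines 33–34, so with the file as shipped nginx has no way to look up the OCSP responder host and stapling will not work at runtime. Before this change the `$DNS-IP-1` placeholder made `nginx -t` fail until the admin filled it in; now the misconfiguration is silent, and the comment on new line 36 does not say that the resolver is a prerequisite for the stapling directives above it. I would make the dependency explicit in the comment, e.g. `# Configure with your resolvers (required for ssl_stapling / ssl_stapling_verify above to work)`, or move the stapling directives under the same commented-out block so both are enabled together. As a smaller point on the second hunk, the comment on new line 26 (`TLSv1.3, TLSv1.2 if nginx >= 1.13.0`) would be more accurate as `TLSv1.3 also needs an OpenSSL build with TLS 1.3 support (1.1.1+)`, since the nginx version alone does not guarantee the library supports it. The enclosing `server` blocks start and end outside the hunks.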