author | Chocobozzz <me@florianbigard.com> | 2018-02-16 11:04:12 +0100 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2018-02-16 11:04:12 +0100 |
commit | 0b4957126899975f603038501337421f84bcb3e4 (patch) | |
tree | 1bbd2b44b4baa81516c4cfda7f0f119fb26b162c /support/nginx | |
parent | 63ce5a54f24ec0d184f321e9f46dcda7c0d19325 (diff) | |
Try to improve production guide
Diffstat (limited to 'support/nginx')
-rw-r--r-- | support/nginx/peertube | 22 |
1 files changed, 14 insertions, 8 deletions
diff --git a/support/nginx/peertube b/support/nginx/peertube index 6a076a8f8..1aa6108cc 100644 --- a/support/nginx/peertube +++ b/support/nginx/peertube | |||
@@ -6,7 +6,10 @@ server { | |||
6 | access_log /var/log/nginx/peertube.example.com.access.log; | 6 | access_log /var/log/nginx/peertube.example.com.access.log; |
7 | error_log /var/log/nginx/peertube.example.com.error.log; | 7 | error_log /var/log/nginx/peertube.example.com.error.log; |
8 | 8 | ||
9 | location /.well-known/acme-challenge/ { allow all; } | 9 | location /.well-known/acme-challenge/ { |
10 | default_type "text/plain"; | ||
11 | root /var/www/certbot; | ||
12 | } | ||
10 | location / { return 301 https://$host$request_uri; } | 13 | location / { return 301 https://$host$request_uri; } |
11 | } | 14 | } |
12 | 15 | ||
@@ -15,12 +18,12 @@ server { | |||
15 | listen [::]:443 ssl http2; | 18 | listen [::]:443 ssl http2; |
16 | server_name peertube.example.com; | 19 | server_name peertube.example.com; |
17 | 20 | ||
18 | # For example with Let's Encrypt (you need a certificate to run https) | 21 | # For example with certbot (you need a certificate to run https) |
19 | ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem; | 22 | ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem; |
20 | ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem; | 23 | ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem; |
21 | 24 | ||
22 | # Security hardening (as of 11/02/2018) | 25 | # Security hardening (as of 11/02/2018) |
23 | ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2 | 26 | ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0 |
24 | ssl_prefer_server_ciphers on; | 27 | ssl_prefer_server_ciphers on; |
25 | ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; | 28 | ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; |
26 | ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 | 29 | ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 |
@@ -29,8 +32,11 @@ server { | |||
29 | ssl_session_tickets off; # Requires nginx >= 1.5.9 | 32 | ssl_session_tickets off; # Requires nginx >= 1.5.9 |
30 | ssl_stapling on; # Requires nginx >= 1.3.7 | 33 | ssl_stapling on; # Requires nginx >= 1.3.7 |
31 | ssl_stapling_verify on; # Requires nginx => 1.3.7 | 34 | ssl_stapling_verify on; # Requires nginx => 1.3.7 |
32 | resolver $DNS-IP-1 $DNS-IP-2 valid=300s; | 35 | |
33 | resolver_timeout 5s; | 36 | # Configure with your resolvers |
37 | # resolver $DNS-IP-1 $DNS-IP-2 valid=300s; | ||
38 | # resolver_timeout 5s; | ||
39 | |||
34 | add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; | 40 | add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; |
35 | add_header X-Frame-Options DENY; | 41 | add_header X-Frame-Options DENY; |
36 | add_header X-Content-Type-Options nosniff; | 42 | add_header X-Content-Type-Options nosniff; |
@@ -63,8 +69,8 @@ server { | |||
63 | proxy_set_header Host $host; | 69 | proxy_set_header Host $host; |
64 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | 70 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
65 | 71 | ||
66 | # For the video upload | 72 | # Hard limit, PeerTube does not support videos > 4GB |
67 | client_max_body_size 2G; | 73 | client_max_body_size 4G; |
68 | proxy_connect_timeout 600; | 74 | proxy_connect_timeout 600; |
69 | proxy_send_timeout 600; | 75 | proxy_send_timeout 600; |
70 | proxy_read_timeout 600; | 76 | proxy_read_timeout 600; |
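Review bot: In the third hunk (new lines 33-38) `ssl_stapling on;` and `ssl_stapling_verify on;` stay active while both `resolver` lines are now commented out, so a deployment that uses the template unchanged has no resolver for the OCSP responder hostname; nginx will typically log a stapling warning and serve no stapled response. The placeholder comment should state the dependency, for example `# Required by ssl_stapling above: set your resolvers, otherwise OCSP stapling will not work`, or the two stapling directives should be commented out together with the resolver lines. Whether `ssl_trusted_certificate` is set for `ssl_stapling_verify` cannot be seen here, because old lines 27-28 fall between the hunks. Separately, the new comment on `ssl_protocols` in the second hunk keeps the comma form `TLSv1.3, TLSv1.2`, which nginx should reject if copied as written, since the directive takes space-separated values: `ssl_protocols TLSv1.2 TLSv1.3;`. Both server blocks start and end outside the visible hunks.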