diff options
author | Rigel Kent <par@rigelk.eu> | 2018-02-14 11:11:49 +0100 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2018-02-14 11:11:49 +0100 |
commit | e883399fa6caa56bb8519c9a2e22d88001f26661 (patch) | |
tree | 2843fa320193ed86ae153cfbe7756ca4a979c804 /support | |
parent | 1007a0185f5e3c1330a78f07d60f8dda9f5ddd15 (diff) | |
download | PeerTube-e883399fa6caa56bb8519c9a2e22d88001f26661.tar.gz PeerTube-e883399fa6caa56bb8519c9a2e22d88001f26661.tar.zst PeerTube-e883399fa6caa56bb8519c9a2e22d88001f26661.zip |
Precisions and security enhancements to the production guide (#287)
- added precisions and suggestions about how to generate Let's Encrypt certificates. Users have reported their installations didn't work when the problem came from missing certificates (false positives).
- security defaults of Nginx follow the basic robustness principle "be conservative in what you send, be liberal in what you accept", which isn't enough with modern security standards, so we should be picky with the cipher suites we use, among other things. Extra comments (especially for the TLS1.3 protocol support parameter) make the requirement of a recent Nginx installation obvious, and the downgrade alternative remains clear to the system administrator.
All in all, we should aknowledge users will most often copy and paste the configuration files. Making them secure by default may force a few users to read their configuration, but on the long run we are making the fediverse more secure.
Since I've come to modify a bit the Nginx config in `support/doc/production.md`, I've merged it with the template so that they stay consistent.
Diffstat (limited to 'support')
-rw-r--r-- | support/doc/production.md | 47 | ||||
-rw-r--r-- | support/nginx/peertube | 51 |
2 files changed, 76 insertions, 22 deletions
diff --git a/support/doc/production.md b/support/doc/production.md index ba76a81cf..e3187d481 100644 --- a/support/doc/production.md +++ b/support/doc/production.md | |||
@@ -70,6 +70,8 @@ configuration. | |||
70 | 70 | ||
71 | ### Webserver | 71 | ### Webserver |
72 | 72 | ||
73 | We only provide official configuration files for Nginx. | ||
74 | |||
73 | Copy the nginx configuration template: | 75 | Copy the nginx configuration template: |
74 | 76 | ||
75 | ``` | 77 | ``` |
@@ -83,9 +85,7 @@ It should correspond to the paths of your storage directories (set in the config | |||
83 | $ sudo vim /etc/nginx/sites-available/peertube | 85 | $ sudo vim /etc/nginx/sites-available/peertube |
84 | ``` | 86 | ``` |
85 | 87 | ||
86 | If you want to set https with Let's Encrypt please follow the steps of [this guide](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04). | 88 | Your Mileage May Vary, but what follows is an example of configuration for nginx with a certificate made via `certbot` ([other utilities exist](https://letsencrypt.org/docs/client-options/)): |
87 | |||
88 | An example of the nginx configuration could be: | ||
89 | 89 | ||
90 | ``` | 90 | ``` |
91 | server { | 91 | server { |
@@ -104,11 +104,28 @@ server { | |||
104 | listen [::]:443 ssl http2; | 104 | listen [::]:443 ssl http2; |
105 | server_name peertube.example.com; | 105 | server_name peertube.example.com; |
106 | 106 | ||
107 | # For example with Let's Encrypt | 107 | # For example with Let's Encrypt (you need a certificate to run https) |
108 | ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem; | 108 | ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem; |
109 | ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem; | 109 | ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem; |
110 | ssl_trusted_certificate /etc/letsencrypt/live/peertube.example.com/chain.pem; | 110 | |
111 | 111 | # Security hardening (as of 11/02/2018) | |
112 | ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2 | ||
113 | ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; | ||
114 | ssl_prefer_server_ciphers on; | ||
115 | ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 | ||
116 | ssl_session_timeout 10m; | ||
117 | ssl_session_cache shared:SSL:10m; | ||
118 | ssl_session_tickets off; # Requires nginx >= 1.5.9 | ||
119 | ssl_stapling on; # Requires nginx >= 1.3.7 | ||
120 | ssl_stapling_verify on; # Requires nginx => 1.3.7 | ||
121 | resolver $DNS-IP-1 $DNS-IP-2 valid=300s; | ||
122 | resolver_timeout 5s; | ||
123 | add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; | ||
124 | add_header X-Frame-Options DENY; | ||
125 | add_header X-Content-Type-Options nosniff; | ||
126 | add_header X-XSS-Protection "1; mode=block"; | ||
127 | add_header X-Robots-Tag none; | ||
128 | |||
112 | access_log /var/log/nginx/peertube.example.com.access.log; | 129 | access_log /var/log/nginx/peertube.example.com.access.log; |
113 | error_log /var/log/nginx/peertube.example.com.error.log; | 130 | error_log /var/log/nginx/peertube.example.com.error.log; |
114 | 131 | ||
@@ -136,7 +153,7 @@ server { | |||
136 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | 153 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
137 | 154 | ||
138 | # For the video upload | 155 | # For the video upload |
139 | client_max_body_size 8G; | 156 | client_max_body_size 2G; |
140 | proxy_connect_timeout 600; | 157 | proxy_connect_timeout 600; |
141 | proxy_send_timeout 600; | 158 | proxy_send_timeout 600; |
142 | proxy_read_timeout 600; | 159 | proxy_read_timeout 600; |
@@ -145,6 +162,9 @@ server { | |||
145 | 162 | ||
146 | # Bypass PeerTube webseed route for better performances | 163 | # Bypass PeerTube webseed route for better performances |
147 | location /static/webseed { | 164 | location /static/webseed { |
165 | # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client | ||
166 | limit_rate 800k; | ||
167 | |||
148 | if ($request_method = 'OPTIONS') { | 168 | if ($request_method = 'OPTIONS') { |
149 | add_header 'Access-Control-Allow-Origin' '*'; | 169 | add_header 'Access-Control-Allow-Origin' '*'; |
150 | add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS'; | 170 | add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS'; |
@@ -182,6 +202,17 @@ server { | |||
182 | } | 202 | } |
183 | ``` | 203 | ``` |
184 | 204 | ||
205 | To generate the certificate for your domain as required to make https work, you have two alternatives (note that the second command modifies itself the Nginx configuration to point the concerned server blocks to its certificate): | ||
206 | |||
207 | ``` | ||
208 | $ sudo certbot --authenticator standalone certonly -d peertube.example.com && nginx -t && systemctl reload nginx | ||
209 | ``` | ||
210 | |||
211 | ``` | ||
212 | $ sudo certbot --authenticator standalone --installer nginx --post-hook "nginx -t && systemctl reload nginx" | ||
213 | ``` | ||
214 | |||
215 | Remember your certificate will expire in 90 days, and thus needs renewal. | ||
185 | 216 | ||
186 | Activate the configuration file: | 217 | Activate the configuration file: |
187 | 218 | ||
@@ -192,7 +223,7 @@ $ sudo systemctl reload nginx | |||
192 | 223 | ||
193 | ### Systemd | 224 | ### Systemd |
194 | 225 | ||
195 | Copy the nginx configuration template: | 226 | Copy the SystemD configuration template: |
196 | 227 | ||
197 | ``` | 228 | ``` |
198 | $ sudo cp /var/www/peertube/peertube-latest/support/systemd/peertube.service /etc/systemd/system/ | 229 | $ sudo cp /var/www/peertube/peertube-latest/support/systemd/peertube.service /etc/systemd/system/ |
diff --git a/support/nginx/peertube b/support/nginx/peertube index 5261cddb4..6a076a8f8 100644 --- a/support/nginx/peertube +++ b/support/nginx/peertube | |||
@@ -1,10 +1,10 @@ | |||
1 | server { | 1 | server { |
2 | listen 80; | 2 | listen 80; |
3 | # listen [::]:80; | 3 | listen [::]:80; |
4 | server_name domain.tld; | 4 | server_name peertube.example.com; |
5 | 5 | ||
6 | access_log /var/log/nginx/peertube_access.log; | 6 | access_log /var/log/nginx/peertube.example.com.access.log; |
7 | error_log /var/log/nginx/peertube_error.log; | 7 | error_log /var/log/nginx/peertube.example.com.error.log; |
8 | 8 | ||
9 | location /.well-known/acme-challenge/ { allow all; } | 9 | location /.well-known/acme-challenge/ { allow all; } |
10 | location / { return 301 https://$host$request_uri; } | 10 | location / { return 301 https://$host$request_uri; } |
@@ -12,16 +12,38 @@ server { | |||
12 | 12 | ||
13 | server { | 13 | server { |
14 | listen 443 ssl http2; | 14 | listen 443 ssl http2; |
15 | # listen [::]:443 ssl http2; | 15 | listen [::]:443 ssl http2; |
16 | server_name domain.tld; | 16 | server_name peertube.example.com; |
17 | 17 | ||
18 | access_log /var/log/nginx/peertube_access.log; | 18 | # For example with Let's Encrypt (you need a certificate to run https) |
19 | error_log /var/log/nginx/peertube_error.log; | 19 | ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem; |
20 | 20 | ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem; | |
21 | # For example with Let's Encrypt | 21 | |
22 | ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem; | 22 | # Security hardening (as of 11/02/2018) |
23 | ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem; | 23 | ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2 |
24 | ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/chain.pem; | 24 | ssl_prefer_server_ciphers on; |
25 | ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; | ||
26 | ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 | ||
27 | ssl_session_timeout 10m; | ||
28 | ssl_session_cache shared:SSL:10m; | ||
29 | ssl_session_tickets off; # Requires nginx >= 1.5.9 | ||
30 | ssl_stapling on; # Requires nginx >= 1.3.7 | ||
31 | ssl_stapling_verify on; # Requires nginx => 1.3.7 | ||
32 | resolver $DNS-IP-1 $DNS-IP-2 valid=300s; | ||
33 | resolver_timeout 5s; | ||
34 | add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; | ||
35 | add_header X-Frame-Options DENY; | ||
36 | add_header X-Content-Type-Options nosniff; | ||
37 | add_header X-XSS-Protection "1; mode=block"; | ||
38 | add_header X-Robots-Tag none; | ||
39 | |||
40 | access_log /var/log/nginx/peertube.example.com.access.log; | ||
41 | error_log /var/log/nginx/peertube.example.com.error.log; | ||
42 | |||
43 | location ^~ '/.well-known/acme-challenge' { | ||
44 | default_type "text/plain"; | ||
45 | root /var/www/certbot; | ||
46 | } | ||
25 | 47 | ||
26 | location ~ ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ { | 48 | location ~ ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ { |
27 | add_header Cache-Control "public, max-age=31536000, immutable"; | 49 | add_header Cache-Control "public, max-age=31536000, immutable"; |
@@ -46,6 +68,7 @@ server { | |||
46 | proxy_connect_timeout 600; | 68 | proxy_connect_timeout 600; |
47 | proxy_send_timeout 600; | 69 | proxy_send_timeout 600; |
48 | proxy_read_timeout 600; | 70 | proxy_read_timeout 600; |
71 | send_timeout 600; | ||
49 | } | 72 | } |
50 | 73 | ||
51 | # Bypass PeerTube webseed route for better performances | 74 | # Bypass PeerTube webseed route for better performances |