aboutsummaryrefslogtreecommitdiffhomepage
path: root/support
diff options
context:
space:
mode:
authorRigel Kent <par@rigelk.eu>2018-02-14 11:11:49 +0100
committerChocobozzz <me@florianbigard.com>2018-02-14 11:11:49 +0100
commite883399fa6caa56bb8519c9a2e22d88001f26661 (patch)
tree2843fa320193ed86ae153cfbe7756ca4a979c804 /support
parent1007a0185f5e3c1330a78f07d60f8dda9f5ddd15 (diff)
downloadPeerTube-e883399fa6caa56bb8519c9a2e22d88001f26661.tar.gz
PeerTube-e883399fa6caa56bb8519c9a2e22d88001f26661.tar.zst
PeerTube-e883399fa6caa56bb8519c9a2e22d88001f26661.zip
Precisions and security enhancements to the production guide (#287)
- added precisions and suggestions about how to generate Let's Encrypt certificates. Users have reported their installations didn't work when the problem came from missing certificates (false positives). - security defaults of Nginx follow the basic robustness principle "be conservative in what you send, be liberal in what you accept", which isn't enough with modern security standards, so we should be picky with the cipher suites we use, among other things. Extra comments (especially for the TLS1.3 protocol support parameter) make the requirement of a recent Nginx installation obvious, and the downgrade alternative remains clear to the system administrator. All in all, we should aknowledge users will most often copy and paste the configuration files. Making them secure by default may force a few users to read their configuration, but on the long run we are making the fediverse more secure. Since I've come to modify a bit the Nginx config in `support/doc/production.md`, I've merged it with the template so that they stay consistent.
Diffstat (limited to 'support')
-rw-r--r--support/doc/production.md47
-rw-r--r--support/nginx/peertube51
2 files changed, 76 insertions, 22 deletions
diff --git a/support/doc/production.md b/support/doc/production.md
index ba76a81cf..e3187d481 100644
--- a/support/doc/production.md
+++ b/support/doc/production.md
@@ -70,6 +70,8 @@ configuration.
70 70
71### Webserver 71### Webserver
72 72
73We only provide official configuration files for Nginx.
74
73Copy the nginx configuration template: 75Copy the nginx configuration template:
74 76
75``` 77```
@@ -83,9 +85,7 @@ It should correspond to the paths of your storage directories (set in the config
83$ sudo vim /etc/nginx/sites-available/peertube 85$ sudo vim /etc/nginx/sites-available/peertube
84``` 86```
85 87
86If you want to set https with Let's Encrypt please follow the steps of [this guide](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04). 88Your Mileage May Vary, but what follows is an example of configuration for nginx with a certificate made via `certbot` ([other utilities exist](https://letsencrypt.org/docs/client-options/)):
87
88An example of the nginx configuration could be:
89 89
90``` 90```
91server { 91server {
@@ -104,11 +104,28 @@ server {
104 listen [::]:443 ssl http2; 104 listen [::]:443 ssl http2;
105 server_name peertube.example.com; 105 server_name peertube.example.com;
106 106
107 # For example with Let's Encrypt 107 # For example with Let's Encrypt (you need a certificate to run https)
108 ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem; 108 ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
109 ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem; 109 ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;
110 ssl_trusted_certificate /etc/letsencrypt/live/peertube.example.com/chain.pem; 110
111 111 # Security hardening (as of 11/02/2018)
112 ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2
113 ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
114 ssl_prefer_server_ciphers on;
115 ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
116 ssl_session_timeout 10m;
117 ssl_session_cache shared:SSL:10m;
118 ssl_session_tickets off; # Requires nginx >= 1.5.9
119 ssl_stapling on; # Requires nginx >= 1.3.7
120 ssl_stapling_verify on; # Requires nginx => 1.3.7
121 resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
122 resolver_timeout 5s;
123 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
124 add_header X-Frame-Options DENY;
125 add_header X-Content-Type-Options nosniff;
126 add_header X-XSS-Protection "1; mode=block";
127 add_header X-Robots-Tag none;
128
112 access_log /var/log/nginx/peertube.example.com.access.log; 129 access_log /var/log/nginx/peertube.example.com.access.log;
113 error_log /var/log/nginx/peertube.example.com.error.log; 130 error_log /var/log/nginx/peertube.example.com.error.log;
114 131
@@ -136,7 +153,7 @@ server {
136 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 153 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
137 154
138 # For the video upload 155 # For the video upload
139 client_max_body_size 8G; 156 client_max_body_size 2G;
140 proxy_connect_timeout 600; 157 proxy_connect_timeout 600;
141 proxy_send_timeout 600; 158 proxy_send_timeout 600;
142 proxy_read_timeout 600; 159 proxy_read_timeout 600;
@@ -145,6 +162,9 @@ server {
145 162
146 # Bypass PeerTube webseed route for better performances 163 # Bypass PeerTube webseed route for better performances
147 location /static/webseed { 164 location /static/webseed {
165 # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
166 limit_rate 800k;
167
148 if ($request_method = 'OPTIONS') { 168 if ($request_method = 'OPTIONS') {
149 add_header 'Access-Control-Allow-Origin' '*'; 169 add_header 'Access-Control-Allow-Origin' '*';
150 add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS'; 170 add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
@@ -182,6 +202,17 @@ server {
182} 202}
183``` 203```
184 204
205To generate the certificate for your domain as required to make https work, you have two alternatives (note that the second command modifies itself the Nginx configuration to point the concerned server blocks to its certificate):
206
207```
208$ sudo certbot --authenticator standalone certonly -d peertube.example.com && nginx -t && systemctl reload nginx
209```
210
211```
212$ sudo certbot --authenticator standalone --installer nginx --post-hook "nginx -t && systemctl reload nginx"
213```
214
215Remember your certificate will expire in 90 days, and thus needs renewal.
185 216
186Activate the configuration file: 217Activate the configuration file:
187 218
@@ -192,7 +223,7 @@ $ sudo systemctl reload nginx
192 223
193### Systemd 224### Systemd
194 225
195Copy the nginx configuration template: 226Copy the SystemD configuration template:
196 227
197``` 228```
198$ sudo cp /var/www/peertube/peertube-latest/support/systemd/peertube.service /etc/systemd/system/ 229$ sudo cp /var/www/peertube/peertube-latest/support/systemd/peertube.service /etc/systemd/system/
diff --git a/support/nginx/peertube b/support/nginx/peertube
index 5261cddb4..6a076a8f8 100644
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -1,10 +1,10 @@
1server { 1server {
2 listen 80; 2 listen 80;
3 # listen [::]:80; 3 listen [::]:80;
4 server_name domain.tld; 4 server_name peertube.example.com;
5 5
6 access_log /var/log/nginx/peertube_access.log; 6 access_log /var/log/nginx/peertube.example.com.access.log;
7 error_log /var/log/nginx/peertube_error.log; 7 error_log /var/log/nginx/peertube.example.com.error.log;
8 8
9 location /.well-known/acme-challenge/ { allow all; } 9 location /.well-known/acme-challenge/ { allow all; }
10 location / { return 301 https://$host$request_uri; } 10 location / { return 301 https://$host$request_uri; }
@@ -12,16 +12,38 @@ server {
12 12
13server { 13server {
14 listen 443 ssl http2; 14 listen 443 ssl http2;
15 # listen [::]:443 ssl http2; 15 listen [::]:443 ssl http2;
16 server_name domain.tld; 16 server_name peertube.example.com;
17 17
18 access_log /var/log/nginx/peertube_access.log; 18 # For example with Let's Encrypt (you need a certificate to run https)
19 error_log /var/log/nginx/peertube_error.log; 19 ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
20 20 ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;
21 # For example with Let's Encrypt 21
22 ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem; 22 # Security hardening (as of 11/02/2018)
23 ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem; 23 ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2
24 ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/chain.pem; 24 ssl_prefer_server_ciphers on;
25 ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
26 ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
27 ssl_session_timeout 10m;
28 ssl_session_cache shared:SSL:10m;
29 ssl_session_tickets off; # Requires nginx >= 1.5.9
30 ssl_stapling on; # Requires nginx >= 1.3.7
31 ssl_stapling_verify on; # Requires nginx => 1.3.7
32 resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
33 resolver_timeout 5s;
34 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
35 add_header X-Frame-Options DENY;
36 add_header X-Content-Type-Options nosniff;
37 add_header X-XSS-Protection "1; mode=block";
38 add_header X-Robots-Tag none;
39
40 access_log /var/log/nginx/peertube.example.com.access.log;
41 error_log /var/log/nginx/peertube.example.com.error.log;
42
43 location ^~ '/.well-known/acme-challenge' {
44 default_type "text/plain";
45 root /var/www/certbot;
46 }
25 47
26 location ~ ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ { 48 location ~ ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ {
27 add_header Cache-Control "public, max-age=31536000, immutable"; 49 add_header Cache-Control "public, max-age=31536000, immutable";
@@ -46,6 +68,7 @@ server {
46 proxy_connect_timeout 600; 68 proxy_connect_timeout 600;
47 proxy_send_timeout 600; 69 proxy_send_timeout 600;
48 proxy_read_timeout 600; 70 proxy_read_timeout 600;
71 send_timeout 600;
49 } 72 }
50 73
51 # Bypass PeerTube webseed route for better performances 74 # Bypass PeerTube webseed route for better performances