2 files changed, 164 insertions, 116 deletions
diff --git a/README.md b/README.md
index 3704f8b3d..cfd44f560 100644
--- a/README.md
+++ b/README.md
@@ -50,6 +50,10 @@ Be part of a network of multiple small federated, interoperable video hosting pr
  <a href="https://automate.browserstack.com/public-build/T2g0SVQyMTJtYVRWaEZQTE9LdU9UU1ZDSkY5dTJ6dGlNRUVIajd4QlIwST0tLVdTQ1NUZ0pUTzRZT3lyZzkvWGNSZ1E9PQ==--278d3c68ae0827ce57e245e9f5a3b8c35d6e2278%">
    <img src="https://automate.browserstack.com/badge.svg?badge_key=T2g0SVQyMTJtYVRWaEZQTE9LdU9UU1ZDSkY5dTJ6dGlNRUVIajd4QlIwST0tLVdTQ1NUZ0pUTzRZT3lyZzkvWGNSZ1E9PQ==--278d3c68ae0827ce57e245e9f5a3b8c35d6e2278%"/>
  </a>
+  <a href="https://weblate.framasoft.org/projects/peertube/angular/">
+    <img src="https://weblate.framasoft.org/widgets/peertube/-/angular/svg-badge.svg"/>
+  </a>
 </p>
 <p align="center">
diff --git a/support/nginx/peertube b/support/nginx/peertube
index e58659030..25c786a86 100644
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -1,3 +1,5 @@
+# Minimum Nginx version required:  1.13.0 (released Apr 25, 2017)
 # Uncomment in production to redirect HTTP to HTTPS. Leave commented for docker-compose.
 #server {
 #  listen 80;
@@ -11,146 +13,212 @@
 #  location / { return 301 https://$host$request_uri; }
 #}
+upstream backend {
+  server ${PEERTUBE_HOST};
+}
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name ${WEBSERVER_HOST};
-  # For example with certbot (you need a certificate to run https)
+  access_log /var/log/nginx/peertube.access.log; # reduce I/0 with buffer=10m flush=5m
-  ssl_certificate      /etc/letsencrypt/live/${WEBSERVER_HOST}/fullchain.pem;
+  error_log  /var/log/nginx/peertube.error.log;
-  ssl_certificate_key  /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem;
+  ##
+  # Certificates
+  # you need a certificate to run in production. see https://letsencrypt.org/
+  ##
+  ssl_certificate     /etc/letsencrypt/live/peertube/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/peertube/privkey.pem;
+  location ^~ '/.well-known/acme-challenge' {
+    default_type "text/plain";
+    root /var/www/certbot;
+  }
+  ##
+  # Security hardening (as of Nov 15, 2020)
+  # based on Mozilla Guideline v5.6
+  ##
-  # Security hardening (as of 11/02/2018)
+  ssl_protocols             TLSv1.2 TLSv1.3;
-  ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
  ssl_prefer_server_ciphers on;
-  # Remove ECDHE-RSA-AES256-SHA if you don't want compatibility with Android 4
+  ssl_ciphers               ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
-  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA';
+  ssl_session_timeout       1d; # defaults to 5m
-  # ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0, not compatible with import-videos script
+  ssl_session_cache         shared:SSL:10m; # estimated to 40k sessions
-  ssl_session_timeout  10m;
+  ssl_session_tickets       off;
-  ssl_session_cache shared:SSL:10m;
+  ssl_stapling              on;
-  ssl_session_tickets off; # Requires nginx >= 1.5.9
+  ssl_stapling_verify       on;
-  ssl_stapling on; # Requires nginx >= 1.3.7
-  ssl_stapling_verify on; # Requires nginx => 1.3.7
  # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
  #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
-  # Configure with your resolvers
+  ##
-  # resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
+  # Application
-  # resolver_timeout 5s;
+  ##
-  # Enable compression for JS/CSS/HTML bundle, for improved client load times.
+  location / {
-  # It might be nice to compress JSON, but leaving that out to protect against potential
+    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
-  # compression+encryption information leak attacks like BREACH.
+    proxy_set_header Host              $host;
-  gzip on;
+    proxy_set_header X-Real-IP         $remote_addr;
-  gzip_types text/css application/javascript;
-  gzip_vary on;
-  # If you have a small /var/lib partition, it could be interesting to store temp nginx uploads in a different place
+    # This is the maximum upload size, which roughly matches the maximum size of a video file
-  # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
+    # you can send via the API or the web interface. By default this is 8GB, but administrators
-  # client_body_temp_path /var/www/peertube/storage/nginx/;
+    # can increase or decrease the limit. Currently there's no way to communicate this limit
+    # to users automatically, so you may want to leave a note in your instance 'about' page if
+    # you change this.
+    #
+    # Note that temporary space is needed equal to the total size of all concurrent uploads.
+    # This data gets stored in /var/lib/nginx by default, so you may want to put this directory
+    # on a dedicated filesystem.
+    client_max_body_size  8G;
-  access_log /var/log/nginx/${WEBSERVER_HOST}.access.log;
+    proxy_connect_timeout 600s;
-  error_log /var/log/nginx/${WEBSERVER_HOST}.error.log;
+    proxy_send_timeout    600s;
+    proxy_read_timeout    600s;
+    send_timeout          600s;
-  location ^~ '/.well-known/acme-challenge' {
+    proxy_pass http://backend;
-    default_type "text/plain";
+  }
-    root /var/www/certbot;
+  ##
+  # Websocket
+  ##
+  location /tracker/socket {
+    proxy_http_version 1.1;
+    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header   Host            $host;
+    proxy_set_header   X-Real-IP       $remote_addr;
+    proxy_set_header   Upgrade         $http_upgrade;
+    proxy_set_header   Connection      "upgrade";
+    # Peers send a message to the tracker every 15 minutes
+    # Don't close the websocket before then
+    proxy_read_timeout 1200s; # default is 60s
+    proxy_pass http://backend;
+  }
+  location /socket.io {
+    proxy_http_version 1.1;
+    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header   Host            $host;
+    proxy_set_header   X-Real-IP       $remote_addr;
+    proxy_set_header   Upgrade         $http_upgrade;
+    proxy_set_header   Connection      "upgrade";
+    proxy_pass http://backend;
  }
+  ##
+  # Performance optimizations
+  # For extra performance please refer to https://github.com/denji/nginx-tuning
+  ##
+  root /var/www/peertube/storage;
+  # Enable compression for JS/CSS/HTML, for improved client load times.
+  # It might be nice to compress JSON/XML as returned by the API, but
+  # leaving that out to protect against potential BREACH attack.
+  gzip              on;
+  gzip_vary         on;
+  gzip_types        # text/html is always compressed by HttpGzipModule
+                    text/css
+                    application/javascript
+                    font/truetype
+                    font/opentype
+                    application/vnd.ms-fontobject
+                    image/svg+xml;
+  gzip_min_length   1000; # default is 20 bytes
+  gzip_buffers      16 8k;
+  gzip_comp_level   2; # default is 1
+  client_body_timeout       30s; # default is 60
+  client_header_timeout     10s; # default is 60
+  send_timeout              10s; # default is 60
+  keepalive_timeout         10s; # default is 75
+  resolver_timeout          10s; # default is 30
+  reset_timedout_connection on;
+  tcp_nopush                on; # send headers in one piece
+  tcp_nodelay               on; # don't buffer data sent, good for small data bursts in real time
+  open_file_cache           max=2000 inactive=5m; # default is no cache
+  open_file_cache_valid     2m; # default is 60s
+  open_file_cache_min_uses  2; # default is 1
+  open_file_cache_errors    on;
+  # If you have a small /var/lib partition, it could be interesting to store temp nginx uploads in a different place
+  # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
+  #client_body_temp_path /var/www/peertube/storage/nginx/;
  # Bypass PeerTube for performance reasons. Could be removed
  # Should be consistent with client-overrides assets list in /server/controllers/client.ts
  location ~ ^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png))$ {
-    add_header Cache-Control "public, max-age=31536000, immutable";
+    add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
-    root /var/www/peertube/storage/client-overrides;
-    try_files /$1 $uri;
+    try_files /client-overrides/$1 $uri;
  }
-  # Bypass PeerTube for performance reasons. Could be removed
+  # Bypass PeerTube for performance reasons. Optional.
  location ~ ^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$ {
-    add_header Cache-Control "public, max-age=31536000, immutable";
+    add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
    alias /var/www/peertube/peertube-latest/client/dist/$1;
  }
-  # Bypass PeerTube for performance reasons. Could be removed
+  # Bypass PeerTube for performance reasons. Optional.
  location ~ ^/static/(thumbnails|avatars)/ {
    if ($request_method = 'OPTIONS') {
-      add_header 'Access-Control-Allow-Origin' '*';
+      add_header 'Access-Control-Allow-Origin'  '*';
      add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
      add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
-      add_header 'Access-Control-Max-Age' 1728000;
+      add_header 'Access-Control-Max-Age'       1728000; # Preflight request can be cached 20 days
-      add_header 'Content-Type' 'text/plain charset=UTF-8';
+      add_header 'Content-Type'                 'text/plain charset=UTF-8';
-      add_header 'Content-Length' 0;
+      add_header 'Content-Length'               0;
      return 204;
    }
-    add_header 'Access-Control-Allow-Origin' '*';
+    add_header 'Access-Control-Allow-Origin'    '*';
-    add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
+    add_header 'Access-Control-Allow-Methods'   'GET, OPTIONS';
-    add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+    add_header 'Access-Control-Allow-Headers'   'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+    add_header Cache-Control                    "public, max-age=7200"; # Cache response 2 hours
-    # Cache 2 hours
-    add_header Cache-Control "public, max-age=7200";
-    root /var/www/peertube/storage;
+    rewrite ^/static/(.*)$ /$1 break;
-    rewrite ^/static/(thumbnails|avatars)/(.*)$ /$1/$2 break;
    try_files $uri /;
  }
-  location / {
+  # Bypass PeerTube for performance reasons. Optional.
-    proxy_pass http://${PEERTUBE_HOST};
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header Host $host;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    # This is the maximum upload size, which roughly matches the maximum size of a video file
-    # you can send via the API or the web interface. By default this is 8GB, but administrators
-    # can increase or decrease the limit. Currently there's no way to communicate this limit
-    # to users automatically, so you may want to leave a note in your instance 'about' page if
-    # you change this.
-    #
-    # Note that temporary space is needed equal to the total size of all concurrent uploads.
-    # This data gets stored in /var/lib/nginx by default, so you may want to put this directory
-    # on a dedicated filesystem.
-    #
-    client_max_body_size 8G;
-    proxy_connect_timeout       600;
-    proxy_send_timeout          600;
-    proxy_read_timeout          600;
-    send_timeout                600;
-  }
-  # Bypass PeerTube for performance reasons. Could be removed
  location ~ ^/static/(webseed|redundancy|streaming-playlists)/ {
+    limit_rate_after            5M;
    # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
-    set $peertube_limit_rate 800k;
+    set $peertube_limit_rate    800k;
    # Increase rate limit in HLS mode, because we don't have multiple simultaneous connections
    if ($request_uri ~ -fragmented.mp4$) {
-      set $peertube_limit_rate 5000k;
+      set $peertube_limit_rate  5M;
    }
-    # Use this with nginx >= 1.17.0
+    # Use this line with nginx >= 1.17.0
-    # limit_rate $peertube_limit_rate;
+    #limit_rate $peertube_limit_rate;
-    # Or this if your nginx < 1.17.0
+    # Or this line if your nginx < 1.17.0
    set $limit_rate $peertube_limit_rate;
-    limit_rate_after 5000k;
    if ($request_method = 'OPTIONS') {
-      add_header 'Access-Control-Allow-Origin' '*';
+      add_header 'Access-Control-Allow-Origin'  '*';
      add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
      add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
-      add_header 'Access-Control-Max-Age' 1728000;
+      add_header 'Access-Control-Max-Age'       1728000; # Preflight request can be cached 20 days
-      add_header 'Content-Type' 'text/plain charset=UTF-8';
+      add_header 'Content-Type'                 'text/plain charset=UTF-8';
-      add_header 'Content-Length' 0;
+      add_header 'Content-Length'               0;
      return 204;
    }
    if ($request_method = 'GET') {
-      add_header 'Access-Control-Allow-Origin' '*';
+      add_header 'Access-Control-Allow-Origin'  '*';
      add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
      add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
@@ -158,45 +226,21 @@ server {
      access_log off;
    }
-    root /var/www/peertube/storage;
+    # Enabling the sendfile directive eliminates the step of copying the data into the buffer
+    # and enables direct copying data from one file descriptor to another.
+    sendfile on;
+    sendfile_max_chunk 1M; # prevent one fast connection from entirely occupying the worker process. should be > 800k.
+    aio threads;
    # Use this in tandem with fuse-mounting i.e. https://docs.joinpeertube.org/#/admin-remote-storage
    # to serve files directly from a public bucket without proxying.
    # Assumes you have buckets named after the storage subdirectories, i.e. 'videos', 'redundancy', etc.
    #set $cdn <your S3-compatiable bucket public url mounted via fuse>;
    #rewrite ^/static/webseed/(.*)$ $cdn/videos/$1 redirect;
-    #rewrite ^/static/redundancy/(.*)$ $cdn/redundancy/$1 redirect;
+    #rewrite ^/static/(.*)$         $cdn/$1        redirect;
-    #rewrite ^/static/streaming-playlists/(.*)$ $cdn/streaming-playlists/$1 redirect;
    rewrite ^/static/webseed/(.*)$ /videos/$1 break;
-    rewrite ^/static/redundancy/(.*)$ /redundancy/$1 break;
+    rewrite ^/static/(.*)$         /$1        break;
-    rewrite ^/static/streaming-playlists/(.*)$ /streaming-playlists/$1 break;
    try_files $uri /;
  }
-  # Websocket tracker
-  location /tracker/socket {
-    # Peers send a message to the tracker every 15 minutes
-    # Don't close the websocket before this time
-    proxy_read_timeout 1200s;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection "upgrade";
-    proxy_http_version 1.1;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header Host $host;
-    proxy_pass http://${PEERTUBE_HOST};
-  }
-  location /socket.io {
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header Host $host;
-    proxy_pass http://${PEERTUBE_HOST};
-    # enable WebSockets
-    proxy_http_version 1.1;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection "upgrade";
-  }
 }

diff --git a/README.md b/README.md index 3704f8b3d..cfd44f560 100644 --- a/README.md +++ b/README.md
@@ -50,6 +50,10 @@ Be part of a network of multiple small federated, interoperable video hosting pr
50	<a href="https://automate.browserstack.com/public-build/T2g0SVQyMTJtYVRWaEZQTE9LdU9UU1ZDSkY5dTJ6dGlNRUVIajd4QlIwST0tLVdTQ1NUZ0pUTzRZT3lyZzkvWGNSZ1E9PQ==--278d3c68ae0827ce57e245e9f5a3b8c35d6e2278%">	50	<a href="https://automate.browserstack.com/public-build/T2g0SVQyMTJtYVRWaEZQTE9LdU9UU1ZDSkY5dTJ6dGlNRUVIajd4QlIwST0tLVdTQ1NUZ0pUTzRZT3lyZzkvWGNSZ1E9PQ==--278d3c68ae0827ce57e245e9f5a3b8c35d6e2278%">
51	<img src="https://automate.browserstack.com/badge.svg?badge_key=T2g0SVQyMTJtYVRWaEZQTE9LdU9UU1ZDSkY5dTJ6dGlNRUVIajd4QlIwST0tLVdTQ1NUZ0pUTzRZT3lyZzkvWGNSZ1E9PQ==--278d3c68ae0827ce57e245e9f5a3b8c35d6e2278%"/>	51	<img src="https://automate.browserstack.com/badge.svg?badge_key=T2g0SVQyMTJtYVRWaEZQTE9LdU9UU1ZDSkY5dTJ6dGlNRUVIajd4QlIwST0tLVdTQ1NUZ0pUTzRZT3lyZzkvWGNSZ1E9PQ==--278d3c68ae0827ce57e245e9f5a3b8c35d6e2278%"/>
52	</a>	52	</a>
		53
		54	<a href="https://weblate.framasoft.org/projects/peertube/angular/">
		55	<img src="https://weblate.framasoft.org/widgets/peertube/-/angular/svg-badge.svg"/>
		56	</a>
53	</p>	57	</p>
54		58
55	<p align="center">	59	<p align="center">


diff --git a/support/nginx/peertube b/support/nginx/peertube index e58659030..25c786a86 100644 --- a/support/nginx/peertube +++ b/support/nginx/peertube
@@ -1,3 +1,5 @@
		1	# Minimum Nginx version required: 1.13.0 (released Apr 25, 2017)
		2
1	# Uncomment in production to redirect HTTP to HTTPS. Leave commented for docker-compose.	3	# Uncomment in production to redirect HTTP to HTTPS. Leave commented for docker-compose.
2	#server {	4	#server {
3	# listen 80;	5	# listen 80;
@@ -11,146 +13,212 @@
11	# location / { return 301 https://$host$request_uri; }	13	# location / { return 301 https://$host$request_uri; }
12	#}	14	#}
13		15
		16	upstream backend {
		17	server ${PEERTUBE_HOST};
		18	}
		19
14	server {	20	server {
15	listen 443 ssl http2;	21	listen 443 ssl http2;
16	listen [::]:443 ssl http2;	22	listen [::]:443 ssl http2;
17	server_name ${WEBSERVER_HOST};	23	server_name ${WEBSERVER_HOST};
18		24
19	# For example with certbot (you need a certificate to run https)	25	access_log /var/log/nginx/peertube.access.log; # reduce I/0 with buffer=10m flush=5m
20	ssl_certificate /etc/letsencrypt/live/${WEBSERVER_HOST}/fullchain.pem;	26	error_log /var/log/nginx/peertube.error.log;
21	ssl_certificate_key /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem;	27
		28	##
		29	# Certificates
		30	# you need a certificate to run in production. see https://letsencrypt.org/
		31	##
		32	ssl_certificate /etc/letsencrypt/live/peertube/fullchain.pem;
		33	ssl_certificate_key /etc/letsencrypt/live/peertube/privkey.pem;
		34
		35	location ^~ '/.well-known/acme-challenge' {
		36	default_type "text/plain";
		37	root /var/www/certbot;
		38	}
		39
		40	##
		41	# Security hardening (as of Nov 15, 2020)
		42	# based on Mozilla Guideline v5.6
		43	##
22		44
23	# Security hardening (as of 11/02/2018)	45	ssl_protocols TLSv1.2 TLSv1.3;
24	ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
25	ssl_prefer_server_ciphers on;	46	ssl_prefer_server_ciphers on;
26	# Remove ECDHE-RSA-AES256-SHA if you don't want compatibility with Android 4	47	ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
27	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA';	48	ssl_session_timeout 1d; # defaults to 5m
28	# ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0, not compatible with import-videos script	49	ssl_session_cache shared:SSL:10m; # estimated to 40k sessions
29	ssl_session_timeout 10m;	50	ssl_session_tickets off;
30	ssl_session_cache shared:SSL:10m;	51	ssl_stapling on;
31	ssl_session_tickets off; # Requires nginx >= 1.5.9	52	ssl_stapling_verify on;
32	ssl_stapling on; # Requires nginx >= 1.3.7
33	ssl_stapling_verify on; # Requires nginx => 1.3.7
34	# HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives	53	# HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
35	#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";	54	#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
36		55
37	# Configure with your resolvers	56	##
38	# resolver $DNS-IP-1 $DNS-IP-2 valid=300s;	57	# Application
39	# resolver_timeout 5s;	58	##
40		59
41	# Enable compression for JS/CSS/HTML bundle, for improved client load times.	60	location / {
42	# It might be nice to compress JSON, but leaving that out to protect against potential	61	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
43	# compression+encryption information leak attacks like BREACH.	62	proxy_set_header Host $host;
44	gzip on;	63	proxy_set_header X-Real-IP $remote_addr;
45	gzip_types text/css application/javascript;
46	gzip_vary on;
47		64
48	# If you have a small /var/lib partition, it could be interesting to store temp nginx uploads in a different place	65	# This is the maximum upload size, which roughly matches the maximum size of a video file
49	# See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path	66	# you can send via the API or the web interface. By default this is 8GB, but administrators
50	# client_body_temp_path /var/www/peertube/storage/nginx/;	67	# can increase or decrease the limit. Currently there's no way to communicate this limit
		68	# to users automatically, so you may want to leave a note in your instance 'about' page if
		69	# you change this.
		70	#
		71	# Note that temporary space is needed equal to the total size of all concurrent uploads.
		72	# This data gets stored in /var/lib/nginx by default, so you may want to put this directory
		73	# on a dedicated filesystem.
		74	client_max_body_size 8G;
51		75
52	access_log /var/log/nginx/${WEBSERVER_HOST}.access.log;	76	proxy_connect_timeout 600s;
53	error_log /var/log/nginx/${WEBSERVER_HOST}.error.log;	77	proxy_send_timeout 600s;
		78	proxy_read_timeout 600s;
		79	send_timeout 600s;
54		80
55	location ^~ '/.well-known/acme-challenge' {	81	proxy_pass http://backend;
56	default_type "text/plain";	82	}
57	root /var/www/certbot;	83
		84	##
		85	# Websocket
		86	##
		87
		88	location /tracker/socket {
		89	proxy_http_version 1.1;
		90	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		91	proxy_set_header Host $host;
		92	proxy_set_header X-Real-IP $remote_addr;
		93	proxy_set_header Upgrade $http_upgrade;
		94	proxy_set_header Connection "upgrade";
		95
		96	# Peers send a message to the tracker every 15 minutes
		97	# Don't close the websocket before then
		98	proxy_read_timeout 1200s; # default is 60s
		99
		100	proxy_pass http://backend;
		101	}
		102
		103	location /socket.io {
		104	proxy_http_version 1.1;
		105	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		106	proxy_set_header Host $host;
		107	proxy_set_header X-Real-IP $remote_addr;
		108	proxy_set_header Upgrade $http_upgrade;
		109	proxy_set_header Connection "upgrade";
		110
		111	proxy_pass http://backend;
58	}	112	}
59		113
		114	##
		115	# Performance optimizations
		116	# For extra performance please refer to https://github.com/denji/nginx-tuning
		117	##
		118
		119	root /var/www/peertube/storage;
		120
		121	# Enable compression for JS/CSS/HTML, for improved client load times.
		122	# It might be nice to compress JSON/XML as returned by the API, but
		123	# leaving that out to protect against potential BREACH attack.
		124	gzip on;
		125	gzip_vary on;
		126	gzip_types # text/html is always compressed by HttpGzipModule
		127	text/css
		128	application/javascript
		129	font/truetype
		130	font/opentype
		131	application/vnd.ms-fontobject
		132	image/svg+xml;
		133	gzip_min_length 1000; # default is 20 bytes
		134	gzip_buffers 16 8k;
		135	gzip_comp_level 2; # default is 1
		136
		137	client_body_timeout 30s; # default is 60
		138	client_header_timeout 10s; # default is 60
		139	send_timeout 10s; # default is 60
		140	keepalive_timeout 10s; # default is 75
		141	resolver_timeout 10s; # default is 30
		142	reset_timedout_connection on;
		143
		144	tcp_nopush on; # send headers in one piece
		145	tcp_nodelay on; # don't buffer data sent, good for small data bursts in real time
		146
		147	open_file_cache max=2000 inactive=5m; # default is no cache
		148	open_file_cache_valid 2m; # default is 60s
		149	open_file_cache_min_uses 2; # default is 1
		150	open_file_cache_errors on;
		151
		152	# If you have a small /var/lib partition, it could be interesting to store temp nginx uploads in a different place
		153	# See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
		154	#client_body_temp_path /var/www/peertube/storage/nginx/;
		155
60	# Bypass PeerTube for performance reasons. Could be removed	156	# Bypass PeerTube for performance reasons. Could be removed
61	# Should be consistent with client-overrides assets list in /server/controllers/client.ts	157	# Should be consistent with client-overrides assets list in /server/controllers/client.ts
62	location ~ ^/client/(assets/images/(icons/icon-36x36\.png\|icons/icon-48x48\.png\|icons/icon-72x72\.png\|icons/icon-96x96\.png\|icons/icon-144x144\.png\|icons/icon-192x192\.png\|icons/icon-512x512\.png\|logo\.svg\|favicon\.png))$ {	158	location ~ ^/client/(assets/images/(icons/icon-36x36\.png\|icons/icon-48x48\.png\|icons/icon-72x72\.png\|icons/icon-96x96\.png\|icons/icon-144x144\.png\|icons/icon-192x192\.png\|icons/icon-512x512\.png\|logo\.svg\|favicon\.png))$ {
63	add_header Cache-Control "public, max-age=31536000, immutable";	159	add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
64
65	root /var/www/peertube/storage/client-overrides;
66		160
67	try_files /$1 $uri;	161	try_files /client-overrides/$1 $uri;
68	}	162	}
69		163
70	# Bypass PeerTube for performance reasons. Could be removed	164	# Bypass PeerTube for performance reasons. Optional.
71	location ~ ^/client/(.*\.(js\|css\|png\|svg\|woff2\|otf\|ttf\|woff\|eot))$ {	165	location ~ ^/client/(.*\.(js\|css\|png\|svg\|woff2\|otf\|ttf\|woff\|eot))$ {
72	add_header Cache-Control "public, max-age=31536000, immutable";	166	add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
73		167
74	alias /var/www/peertube/peertube-latest/client/dist/$1;	168	alias /var/www/peertube/peertube-latest/client/dist/$1;
75	}	169	}
76		170
77	# Bypass PeerTube for performance reasons. Could be removed	171	# Bypass PeerTube for performance reasons. Optional.
78	location ~ ^/static/(thumbnails\|avatars)/ {	172	location ~ ^/static/(thumbnails\|avatars)/ {
79	if ($request_method = 'OPTIONS') {	173	if ($request_method = 'OPTIONS') {
80	add_header 'Access-Control-Allow-Origin' '*';	174	add_header 'Access-Control-Allow-Origin' '*';
81	add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';	175	add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
82	add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';	176	add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
83	add_header 'Access-Control-Max-Age' 1728000;	177	add_header 'Access-Control-Max-Age' 1728000; # Preflight request can be cached 20 days
84	add_header 'Content-Type' 'text/plain charset=UTF-8';	178	add_header 'Content-Type' 'text/plain charset=UTF-8';
85	add_header 'Content-Length' 0;	179	add_header 'Content-Length' 0;
86	return 204;	180	return 204;
87	}	181	}
88		182
89	add_header 'Access-Control-Allow-Origin' '*';	183	add_header 'Access-Control-Allow-Origin' '*';
90	add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';	184	add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
91	add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';	185	add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
92		186	add_header Cache-Control "public, max-age=7200"; # Cache response 2 hours
93	# Cache 2 hours
94	add_header Cache-Control "public, max-age=7200";
95		187
96	root /var/www/peertube/storage;	188	rewrite ^/static/(.*)$ /$1 break;
97		189
98	rewrite ^/static/(thumbnails\|avatars)/(.*)$ /$1/$2 break;
99	try_files $uri /;	190	try_files $uri /;
100	}	191	}
101		192
102	location / {	193	# Bypass PeerTube for performance reasons. Optional.
103	proxy_pass http://${PEERTUBE_HOST};
104	proxy_set_header X-Real-IP $remote_addr;
105	proxy_set_header Host $host;
106	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
107
108	# This is the maximum upload size, which roughly matches the maximum size of a video file
109	# you can send via the API or the web interface. By default this is 8GB, but administrators
110	# can increase or decrease the limit. Currently there's no way to communicate this limit
111	# to users automatically, so you may want to leave a note in your instance 'about' page if
112	# you change this.
113	#
114	# Note that temporary space is needed equal to the total size of all concurrent uploads.
115	# This data gets stored in /var/lib/nginx by default, so you may want to put this directory
116	# on a dedicated filesystem.
117	#
118	client_max_body_size 8G;
119
120	proxy_connect_timeout 600;
121	proxy_send_timeout 600;
122	proxy_read_timeout 600;
123	send_timeout 600;
124	}
125
126	# Bypass PeerTube for performance reasons. Could be removed
127	location ~ ^/static/(webseed\|redundancy\|streaming-playlists)/ {	194	location ~ ^/static/(webseed\|redundancy\|streaming-playlists)/ {
		195	limit_rate_after 5M;
		196
128	# Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client	197	# Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
129	set $peertube_limit_rate 800k;	198	set $peertube_limit_rate 800k;
130		199
131	# Increase rate limit in HLS mode, because we don't have multiple simultaneous connections	200	# Increase rate limit in HLS mode, because we don't have multiple simultaneous connections
132	if ($request_uri ~ -fragmented.mp4$) {	201	if ($request_uri ~ -fragmented.mp4$) {
133	set $peertube_limit_rate 5000k;	202	set $peertube_limit_rate 5M;
134	}	203	}
135		204
136	# Use this with nginx >= 1.17.0	205	# Use this line with nginx >= 1.17.0
137	# limit_rate $peertube_limit_rate;	206	#limit_rate $peertube_limit_rate;
138	# Or this if your nginx < 1.17.0	207	# Or this line if your nginx < 1.17.0
139	set $limit_rate $peertube_limit_rate;	208	set $limit_rate $peertube_limit_rate;
140	limit_rate_after 5000k;
141		209
142	if ($request_method = 'OPTIONS') {	210	if ($request_method = 'OPTIONS') {
143	add_header 'Access-Control-Allow-Origin' '*';	211	add_header 'Access-Control-Allow-Origin' '*';
144	add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';	212	add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
145	add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';	213	add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
146	add_header 'Access-Control-Max-Age' 1728000;	214	add_header 'Access-Control-Max-Age' 1728000; # Preflight request can be cached 20 days
147	add_header 'Content-Type' 'text/plain charset=UTF-8';	215	add_header 'Content-Type' 'text/plain charset=UTF-8';
148	add_header 'Content-Length' 0;	216	add_header 'Content-Length' 0;
149	return 204;	217	return 204;
150	}	218	}
151		219
152	if ($request_method = 'GET') {	220	if ($request_method = 'GET') {
153	add_header 'Access-Control-Allow-Origin' '*';	221	add_header 'Access-Control-Allow-Origin' '*';
154	add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';	222	add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
155	add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';	223	add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
156		224
@@ -158,45 +226,21 @@ server {
158	access_log off;	226	access_log off;
159	}	227	}
160		228
161	root /var/www/peertube/storage;	229	# Enabling the sendfile directive eliminates the step of copying the data into the buffer
		230	# and enables direct copying data from one file descriptor to another.
		231	sendfile on;
		232	sendfile_max_chunk 1M; # prevent one fast connection from entirely occupying the worker process. should be > 800k.
		233	aio threads;
162		234
163	# Use this in tandem with fuse-mounting i.e. https://docs.joinpeertube.org/#/admin-remote-storage	235	# Use this in tandem with fuse-mounting i.e. https://docs.joinpeertube.org/#/admin-remote-storage
164	# to serve files directly from a public bucket without proxying.	236	# to serve files directly from a public bucket without proxying.
165	# Assumes you have buckets named after the storage subdirectories, i.e. 'videos', 'redundancy', etc.	237	# Assumes you have buckets named after the storage subdirectories, i.e. 'videos', 'redundancy', etc.
166	#set $cdn <your S3-compatiable bucket public url mounted via fuse>;	238	#set $cdn <your S3-compatiable bucket public url mounted via fuse>;
167	#rewrite ^/static/webseed/(.*)$ $cdn/videos/$1 redirect;	239	#rewrite ^/static/webseed/(.*)$ $cdn/videos/$1 redirect;
168	#rewrite ^/static/redundancy/(.*)$ $cdn/redundancy/$1 redirect;	240	#rewrite ^/static/(.*)$ $cdn/$1 redirect;
169	#rewrite ^/static/streaming-playlists/(.*)$ $cdn/streaming-playlists/$1 redirect;
170
171	rewrite ^/static/webseed/(.*)$ /videos/$1 break;	241	rewrite ^/static/webseed/(.*)$ /videos/$1 break;
172	rewrite ^/static/redundancy/(.*)$ /redundancy/$1 break;	242	rewrite ^/static/(.*)$ /$1 break;
173	rewrite ^/static/streaming-playlists/(.*)$ /streaming-playlists/$1 break;
174		243
175	try_files $uri /;	244	try_files $uri /;
176	}	245	}
177
178	# Websocket tracker
179	location /tracker/socket {
180	# Peers send a message to the tracker every 15 minutes
181	# Don't close the websocket before this time
182	proxy_read_timeout 1200s;
183	proxy_set_header Upgrade $http_upgrade;
184	proxy_set_header Connection "upgrade";
185	proxy_http_version 1.1;
186	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
187	proxy_set_header Host $host;
188	proxy_pass http://${PEERTUBE_HOST};
189	}
190
191	location /socket.io {
192	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
193	proxy_set_header Host $host;
194
195	proxy_pass http://${PEERTUBE_HOST};
196
197	# enable WebSockets
198	proxy_http_version 1.1;
199	proxy_set_header Upgrade $http_upgrade;
200	proxy_set_header Connection "upgrade";
201	}
202	}	246	}