diff options
Diffstat (limited to 'support/doc')
-rw-r--r-- | support/doc/production.md | 163 |
1 files changed, 12 insertions, 151 deletions
diff --git a/support/doc/production.md b/support/doc/production.md index 06a51dedf..fc2bd460a 100644 --- a/support/doc/production.md +++ b/support/doc/production.md | |||
@@ -85,139 +85,24 @@ It should correspond to the paths of your storage directories (set in the config | |||
85 | $ sudo vim /etc/nginx/sites-available/peertube | 85 | $ sudo vim /etc/nginx/sites-available/peertube |
86 | ``` | 86 | ``` |
87 | 87 | ||
88 | Your Mileage May Vary, but what follows is an example of configuration for nginx with a certificate made via `certbot` ([other utilities exist](https://letsencrypt.org/docs/client-options/)): | 88 | Activate the configuration file: |
89 | 89 | ||
90 | ``` | 90 | ``` |
91 | server { | 91 | $ sudo ln -s /etc/nginx/sites-available/peertube /etc/nginx/sites-enabled/peertube |
92 | listen 80; | 92 | ``` |
93 | listen [::]:80; | 93 | |
94 | server_name peertube.example.com; | 94 | To generate the certificate for your domain as required to make https work you can use [Let's Encrypt](https://letsencrypt.org/): |
95 | 95 | ||
96 | access_log /var/log/nginx/peertube.example.com.access.log; | 96 | ``` |
97 | error_log /var/log/nginx/peertube.example.com.error.log; | 97 | $ sudo systemctl stop nginx |
98 | 98 | $ sudo certbot --authenticator standalone --installer nginx --post-hook "systemctl start nginx" | |
99 | rewrite ^ https://$server_name$request_uri? permanent; | ||
100 | } | ||
101 | |||
102 | server { | ||
103 | listen 443 ssl http2; | ||
104 | listen [::]:443 ssl http2; | ||
105 | server_name peertube.example.com; | ||
106 | |||
107 | # For example with Let's Encrypt (you need a certificate to run https) | ||
108 | ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem; | ||
109 | ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem; | ||
110 | |||
111 | # Security hardening (as of 11/02/2018) | ||
112 | ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2 | ||
113 | ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; | ||
114 | ssl_prefer_server_ciphers on; | ||
115 | ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 | ||
116 | ssl_session_timeout 10m; | ||
117 | ssl_session_cache shared:SSL:10m; | ||
118 | ssl_session_tickets off; # Requires nginx >= 1.5.9 | ||
119 | ssl_stapling on; # Requires nginx >= 1.3.7 | ||
120 | ssl_stapling_verify on; # Requires nginx => 1.3.7 | ||
121 | resolver $DNS-IP-1 $DNS-IP-2 valid=300s; | ||
122 | resolver_timeout 5s; | ||
123 | add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; | ||
124 | add_header X-Frame-Options DENY; | ||
125 | add_header X-Content-Type-Options nosniff; | ||
126 | add_header X-XSS-Protection "1; mode=block"; | ||
127 | add_header X-Robots-Tag none; | ||
128 | |||
129 | access_log /var/log/nginx/peertube.example.com.access.log; | ||
130 | error_log /var/log/nginx/peertube.example.com.error.log; | ||
131 | |||
132 | location ^~ '/.well-known/acme-challenge' { | ||
133 | default_type "text/plain"; | ||
134 | root /var/www/certbot; | ||
135 | } | ||
136 | |||
137 | location ~ ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ { | ||
138 | add_header Cache-Control "public, max-age=31536000, immutable"; | ||
139 | |||
140 | alias /var/www/peertube/peertube-latest/client/dist/$1; | ||
141 | } | ||
142 | |||
143 | location ~ ^/static/(thumbnails|avatars)/(.*)$ { | ||
144 | add_header Cache-Control "public, max-age=31536000, immutable"; | ||
145 | |||
146 | alias /var/www/peertube/storage/$1/$2; | ||
147 | } | ||
148 | |||
149 | location / { | ||
150 | proxy_pass http://localhost:9000; | ||
151 | proxy_set_header X-Real-IP $remote_addr; | ||
152 | proxy_set_header Host $host; | ||
153 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
154 | |||
155 | # For the video upload | ||
156 | client_max_body_size 2G; | ||
157 | proxy_connect_timeout 600; | ||
158 | proxy_send_timeout 600; | ||
159 | proxy_read_timeout 600; | ||
160 | send_timeout 600; | ||
161 | } | ||
162 | |||
163 | # Bypass PeerTube webseed route for better performances | ||
164 | location /static/webseed { | ||
165 | # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client | ||
166 | limit_rate 800k; | ||
167 | |||
168 | if ($request_method = 'OPTIONS') { | ||
169 | add_header 'Access-Control-Allow-Origin' '*'; | ||
170 | add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS'; | ||
171 | add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; | ||
172 | add_header 'Access-Control-Max-Age' 1728000; | ||
173 | add_header 'Content-Type' 'text/plain charset=UTF-8'; | ||
174 | add_header 'Content-Length' 0; | ||
175 | return 204; | ||
176 | } | ||
177 | |||
178 | if ($request_method = 'GET') { | ||
179 | add_header 'Access-Control-Allow-Origin' '*'; | ||
180 | add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS'; | ||
181 | add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; | ||
182 | |||
183 | # Don't spam access log file with byte range requests | ||
184 | access_log off; | ||
185 | } | ||
186 | |||
187 | alias /var/www/peertube/storage/videos; | ||
188 | } | ||
189 | |||
190 | # Websocket tracker | ||
191 | location /tracker/socket { | ||
192 | # Peers send a message to the tracker every 15 minutes | ||
193 | # Don't close the websocket before this time | ||
194 | proxy_read_timeout 1200s; | ||
195 | proxy_set_header Upgrade $http_upgrade; | ||
196 | proxy_set_header Connection "upgrade"; | ||
197 | proxy_http_version 1.1; | ||
198 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
199 | proxy_set_header Host $host; | ||
200 | proxy_pass http://localhost:9000; | ||
201 | } | ||
202 | } | ||
203 | ``` | ||
204 | |||
205 | To generate the certificate for your domain as required to make https work, you have two alternatives (note that the second command modifies itself the Nginx configuration to point the concerned server blocks to its certificate): | ||
206 | |||
207 | ``` | ||
208 | $ sudo certbot --authenticator standalone certonly -d peertube.example.com && nginx -t && systemctl reload nginx | ||
209 | ``` | ||
210 | |||
211 | ``` | ||
212 | $ sudo certbot --authenticator standalone --installer nginx --post-hook "nginx -t && systemctl reload nginx" | ||
213 | ``` | 99 | ``` |
214 | 100 | ||
215 | Remember your certificate will expire in 90 days, and thus needs renewal. | 101 | Remember your certificate will expire in 90 days, and thus needs renewal. |
216 | 102 | ||
217 | Activate the configuration file: | 103 | Now you have the certificates you can reload nginx: |
218 | 104 | ||
219 | ``` | 105 | ``` |
220 | $ sudo ln -s /etc/nginx/sites-available/peertube /etc/nginx/sites-enabled/peertube | ||
221 | $ sudo systemctl reload nginx | 106 | $ sudo systemctl reload nginx |
222 | ``` | 107 | ``` |
223 | 108 | ||
@@ -235,30 +120,6 @@ Update the service file: | |||
235 | $ sudo vim /etc/systemd/system/peertube.service | 120 | $ sudo vim /etc/systemd/system/peertube.service |
236 | ``` | 121 | ``` |
237 | 122 | ||
238 | It should look like this: | ||
239 | |||
240 | ``` | ||
241 | [Unit] | ||
242 | Description=PeerTube daemon | ||
243 | After=network.target | ||
244 | |||
245 | [Service] | ||
246 | Type=simple | ||
247 | Environment=NODE_ENV=production | ||
248 | Environment=NODE_CONFIG_DIR=/var/www/peertube/config | ||
249 | User=peertube | ||
250 | Group=peertube | ||
251 | ExecStart=/usr/bin/npm start | ||
252 | WorkingDirectory=/var/www/peertube/peertube-latest | ||
253 | StandardOutput=syslog | ||
254 | StandardError=syslog | ||
255 | SyslogIdentifier=peertube | ||
256 | Restart=always | ||
257 | |||
258 | [Install] | ||
259 | WantedBy=multi-user.target | ||
260 | ``` | ||
261 | |||
262 | 123 | ||
263 | Tell systemd to reload its config: | 124 | Tell systemd to reload its config: |
264 | 125 | ||