aboutsummaryrefslogtreecommitdiffhomepage
path: root/support/doc
diff options
context:
space:
mode:
Diffstat (limited to 'support/doc')
-rw-r--r--support/doc/production.md163
1 files changed, 12 insertions, 151 deletions
diff --git a/support/doc/production.md b/support/doc/production.md
index 06a51dedf..fc2bd460a 100644
--- a/support/doc/production.md
+++ b/support/doc/production.md
@@ -85,139 +85,24 @@ It should correspond to the paths of your storage directories (set in the config
85$ sudo vim /etc/nginx/sites-available/peertube 85$ sudo vim /etc/nginx/sites-available/peertube
86``` 86```
87 87
88Your Mileage May Vary, but what follows is an example of configuration for nginx with a certificate made via `certbot` ([other utilities exist](https://letsencrypt.org/docs/client-options/)): 88Activate the configuration file:
89 89
90``` 90```
91server { 91$ sudo ln -s /etc/nginx/sites-available/peertube /etc/nginx/sites-enabled/peertube
92 listen 80; 92```
93 listen [::]:80; 93
94 server_name peertube.example.com; 94To generate the certificate for your domain as required to make https work you can use [Let's Encrypt](https://letsencrypt.org/):
95 95
96 access_log /var/log/nginx/peertube.example.com.access.log; 96```
97 error_log /var/log/nginx/peertube.example.com.error.log; 97$ sudo systemctl stop nginx
98 98$ sudo certbot --authenticator standalone --installer nginx --post-hook "systemctl start nginx"
99 rewrite ^ https://$server_name$request_uri? permanent;
100}
101
102server {
103 listen 443 ssl http2;
104 listen [::]:443 ssl http2;
105 server_name peertube.example.com;
106
107 # For example with Let's Encrypt (you need a certificate to run https)
108 ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
109 ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;
110
111 # Security hardening (as of 11/02/2018)
112 ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2
113 ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
114 ssl_prefer_server_ciphers on;
115 ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
116 ssl_session_timeout 10m;
117 ssl_session_cache shared:SSL:10m;
118 ssl_session_tickets off; # Requires nginx >= 1.5.9
119 ssl_stapling on; # Requires nginx >= 1.3.7
120 ssl_stapling_verify on; # Requires nginx => 1.3.7
121 resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
122 resolver_timeout 5s;
123 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
124 add_header X-Frame-Options DENY;
125 add_header X-Content-Type-Options nosniff;
126 add_header X-XSS-Protection "1; mode=block";
127 add_header X-Robots-Tag none;
128
129 access_log /var/log/nginx/peertube.example.com.access.log;
130 error_log /var/log/nginx/peertube.example.com.error.log;
131
132 location ^~ '/.well-known/acme-challenge' {
133 default_type "text/plain";
134 root /var/www/certbot;
135 }
136
137 location ~ ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ {
138 add_header Cache-Control "public, max-age=31536000, immutable";
139
140 alias /var/www/peertube/peertube-latest/client/dist/$1;
141 }
142
143 location ~ ^/static/(thumbnails|avatars)/(.*)$ {
144 add_header Cache-Control "public, max-age=31536000, immutable";
145
146 alias /var/www/peertube/storage/$1/$2;
147 }
148
149 location / {
150 proxy_pass http://localhost:9000;
151 proxy_set_header X-Real-IP $remote_addr;
152 proxy_set_header Host $host;
153 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
154
155 # For the video upload
156 client_max_body_size 2G;
157 proxy_connect_timeout 600;
158 proxy_send_timeout 600;
159 proxy_read_timeout 600;
160 send_timeout 600;
161 }
162
163 # Bypass PeerTube webseed route for better performances
164 location /static/webseed {
165 # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
166 limit_rate 800k;
167
168 if ($request_method = 'OPTIONS') {
169 add_header 'Access-Control-Allow-Origin' '*';
170 add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
171 add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
172 add_header 'Access-Control-Max-Age' 1728000;
173 add_header 'Content-Type' 'text/plain charset=UTF-8';
174 add_header 'Content-Length' 0;
175 return 204;
176 }
177
178 if ($request_method = 'GET') {
179 add_header 'Access-Control-Allow-Origin' '*';
180 add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
181 add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
182
183 # Don't spam access log file with byte range requests
184 access_log off;
185 }
186
187 alias /var/www/peertube/storage/videos;
188 }
189
190 # Websocket tracker
191 location /tracker/socket {
192 # Peers send a message to the tracker every 15 minutes
193 # Don't close the websocket before this time
194 proxy_read_timeout 1200s;
195 proxy_set_header Upgrade $http_upgrade;
196 proxy_set_header Connection "upgrade";
197 proxy_http_version 1.1;
198 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
199 proxy_set_header Host $host;
200 proxy_pass http://localhost:9000;
201 }
202}
203```
204
205To generate the certificate for your domain as required to make https work, you have two alternatives (note that the second command modifies itself the Nginx configuration to point the concerned server blocks to its certificate):
206
207```
208$ sudo certbot --authenticator standalone certonly -d peertube.example.com && nginx -t && systemctl reload nginx
209```
210
211```
212$ sudo certbot --authenticator standalone --installer nginx --post-hook "nginx -t && systemctl reload nginx"
213``` 99```
214 100
215Remember your certificate will expire in 90 days, and thus needs renewal. 101Remember your certificate will expire in 90 days, and thus needs renewal.
216 102
217Activate the configuration file: 103Now you have the certificates you can reload nginx:
218 104
219``` 105```
220$ sudo ln -s /etc/nginx/sites-available/peertube /etc/nginx/sites-enabled/peertube
221$ sudo systemctl reload nginx 106$ sudo systemctl reload nginx
222``` 107```
223 108
@@ -235,30 +120,6 @@ Update the service file:
235$ sudo vim /etc/systemd/system/peertube.service 120$ sudo vim /etc/systemd/system/peertube.service
236``` 121```
237 122
238It should look like this:
239
240```
241[Unit]
242Description=PeerTube daemon
243After=network.target
244
245[Service]
246Type=simple
247Environment=NODE_ENV=production
248Environment=NODE_CONFIG_DIR=/var/www/peertube/config
249User=peertube
250Group=peertube
251ExecStart=/usr/bin/npm start
252WorkingDirectory=/var/www/peertube/peertube-latest
253StandardOutput=syslog
254StandardError=syslog
255SyslogIdentifier=peertube
256Restart=always
257
258[Install]
259WantedBy=multi-user.target
260```
261
262 123
263Tell systemd to reload its config: 124Tell systemd to reload its config:
264 125