1 files changed, 14 insertions, 8 deletions
diff --git a/support/nginx/peertube b/support/nginx/peertube
index 6a076a8f8..1aa6108cc 100644
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -6,7 +6,10 @@ server {
  access_log /var/log/nginx/peertube.example.com.access.log;
  error_log /var/log/nginx/peertube.example.com.error.log;
-  location /.well-known/acme-challenge/ { allow all; }
+  location /.well-known/acme-challenge/ {
+    default_type "text/plain";
+    root /var/www/certbot;
+  }
  location / { return 301 https://$host$request_uri; }
 }
@@ -15,12 +18,12 @@ server {
  listen [::]:443 ssl http2;
  server_name peertube.example.com;
-  # For example with Let's Encrypt (you need a certificate to run https)
+  # For example with certbot (you need a certificate to run https)
  ssl_certificate      /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/peertube.example.com/privkey.pem;
-  
  # Security hardening (as of 11/02/2018)
-  ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2
+  ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
  ssl_prefer_server_ciphers on;
  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
@@ -29,8 +32,11 @@ server {
  ssl_session_tickets off; # Requires nginx >= 1.5.9
  ssl_stapling on; # Requires nginx >= 1.3.7
  ssl_stapling_verify on; # Requires nginx => 1.3.7
-  resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
-  resolver_timeout 5s;
+  # Configure with your resolvers
+  # resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
+  # resolver_timeout 5s;
  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
@@ -63,8 +69,8 @@ server {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    # For the video upload
+    # Hard limit, PeerTube does not support videos > 4GB
-    client_max_body_size 2G;
+    client_max_body_size 4G;
    proxy_connect_timeout       600;
    proxy_send_timeout          600;
    proxy_read_timeout          600;

diff --git a/support/nginx/peertube b/support/nginx/peertube index 6a076a8f8..1aa6108cc 100644 --- a/support/nginx/peertube +++ b/support/nginx/peertube
@@ -6,7 +6,10 @@ server {
6	access_log /var/log/nginx/peertube.example.com.access.log;	6	access_log /var/log/nginx/peertube.example.com.access.log;
7	error_log /var/log/nginx/peertube.example.com.error.log;	7	error_log /var/log/nginx/peertube.example.com.error.log;
8		8
9	location /.well-known/acme-challenge/ { allow all; }	9	location /.well-known/acme-challenge/ {
		10	default_type "text/plain";
		11	root /var/www/certbot;
		12	}
10	location / { return 301 https://$host$request_uri; }	13	location / { return 301 https://$host$request_uri; }
11	}	14	}
12		15
@@ -15,12 +18,12 @@ server {
15	listen [::]:443 ssl http2;	18	listen [::]:443 ssl http2;
16	server_name peertube.example.com;	19	server_name peertube.example.com;
17		20
18	# For example with Let's Encrypt (you need a certificate to run https)	21	# For example with certbot (you need a certificate to run https)
19	ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;	22	ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
20	ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;	23	ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;
21		24
22	# Security hardening (as of 11/02/2018)	25	# Security hardening (as of 11/02/2018)
23	ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2	26	ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
24	ssl_prefer_server_ciphers on;	27	ssl_prefer_server_ciphers on;
25	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';	28	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
26	ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0	29	ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
@@ -29,8 +32,11 @@ server {
29	ssl_session_tickets off; # Requires nginx >= 1.5.9	32	ssl_session_tickets off; # Requires nginx >= 1.5.9
30	ssl_stapling on; # Requires nginx >= 1.3.7	33	ssl_stapling on; # Requires nginx >= 1.3.7
31	ssl_stapling_verify on; # Requires nginx => 1.3.7	34	ssl_stapling_verify on; # Requires nginx => 1.3.7
32	resolver $DNS-IP-1 $DNS-IP-2 valid=300s;	35
33	resolver_timeout 5s;	36	# Configure with your resolvers
		37	# resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
		38	# resolver_timeout 5s;
		39
34	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";	40	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
35	add_header X-Frame-Options DENY;	41	add_header X-Frame-Options DENY;
36	add_header X-Content-Type-Options nosniff;	42	add_header X-Content-Type-Options nosniff;
@@ -63,8 +69,8 @@ server {
63	proxy_set_header Host $host;	69	proxy_set_header Host $host;
64	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;	70	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
65		71
66	# For the video upload	72	# Hard limit, PeerTube does not support videos > 4GB
67	client_max_body_size 2G;	73	client_max_body_size 4G;
68	proxy_connect_timeout 600;	74	proxy_connect_timeout 600;
69	proxy_send_timeout 600;	75	proxy_send_timeout 600;
70	proxy_read_timeout 600;	76	proxy_read_timeout 600;