1 files changed, 37 insertions, 14 deletions
diff --git a/support/nginx/peertube b/support/nginx/peertube
index 5261cddb4..6a076a8f8 100644
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -1,10 +1,10 @@
 server {
  listen 80;
-  # listen [::]:80;
+  listen [::]:80;
-  server_name domain.tld;
+  server_name peertube.example.com;
-  access_log /var/log/nginx/peertube_access.log;
+  access_log /var/log/nginx/peertube.example.com.access.log;
-  error_log /var/log/nginx/peertube_error.log;
+  error_log /var/log/nginx/peertube.example.com.error.log;
  location /.well-known/acme-challenge/ { allow all; }
  location / { return 301 https://$host$request_uri; }
@@ -12,16 +12,38 @@ server {
 server {
  listen 443 ssl http2;
-  # listen [::]:443 ssl http2;
+  listen [::]:443 ssl http2;
-  server_name domain.tld;
+  server_name peertube.example.com;
-  access_log /var/log/nginx/peertube_access.log;
+  # For example with Let's Encrypt (you need a certificate to run https)
-  error_log /var/log/nginx/peertube_error.log;
+  ssl_certificate      /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
+  ssl_certificate_key  /etc/letsencrypt/live/peertube.example.com/privkey.pem;
-  # For example with Let's Encrypt
+  
-  ssl_certificate      /etc/letsencrypt/live/domain.tld/fullchain.pem;
+  # Security hardening (as of 11/02/2018)
-  ssl_certificate_key  /etc/letsencrypt/live/domain.tld/privkey.pem;
+  ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2
-  ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/chain.pem;
+  ssl_prefer_server_ciphers on;
+  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+  ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
+  ssl_session_timeout  10m;
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_tickets off; # Requires nginx >= 1.5.9
+  ssl_stapling on; # Requires nginx >= 1.3.7
+  ssl_stapling_verify on; # Requires nginx => 1.3.7
+  resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
+  resolver_timeout 5s;
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+  add_header X-Frame-Options DENY;
+  add_header X-Content-Type-Options nosniff;
+  add_header X-XSS-Protection "1; mode=block";
+  add_header X-Robots-Tag none;
+  
+  access_log /var/log/nginx/peertube.example.com.access.log;
+  error_log /var/log/nginx/peertube.example.com.error.log;
+  location ^~ '/.well-known/acme-challenge' {
+    default_type "text/plain";
+    root /var/www/certbot;
+  }
  location ~ ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ {
    add_header Cache-Control "public, max-age=31536000, immutable";
@@ -46,6 +68,7 @@ server {
    proxy_connect_timeout       600;
    proxy_send_timeout          600;
    proxy_read_timeout          600;
+    send_timeout                600;
  }
  # Bypass PeerTube webseed route for better performances

diff --git a/support/nginx/peertube b/support/nginx/peertube index 5261cddb4..6a076a8f8 100644 --- a/support/nginx/peertube +++ b/support/nginx/peertube
@@ -1,10 +1,10 @@
1	server {	1	server {
2	listen 80;	2	listen 80;
3	# listen [::]:80;	3	listen [::]:80;
4	server_name domain.tld;	4	server_name peertube.example.com;
5		5
6	access_log /var/log/nginx/peertube_access.log;	6	access_log /var/log/nginx/peertube.example.com.access.log;
7	error_log /var/log/nginx/peertube_error.log;	7	error_log /var/log/nginx/peertube.example.com.error.log;
8		8
9	location /.well-known/acme-challenge/ { allow all; }	9	location /.well-known/acme-challenge/ { allow all; }
10	location / { return 301 https://$host$request_uri; }	10	location / { return 301 https://$host$request_uri; }
@@ -12,16 +12,38 @@ server {
12		12
13	server {	13	server {
14	listen 443 ssl http2;	14	listen 443 ssl http2;
15	# listen [::]:443 ssl http2;	15	listen [::]:443 ssl http2;
16	server_name domain.tld;	16	server_name peertube.example.com;
17		17
18	access_log /var/log/nginx/peertube_access.log;	18	# For example with Let's Encrypt (you need a certificate to run https)
19	error_log /var/log/nginx/peertube_error.log;	19	ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
20		20	ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;
21	# For example with Let's Encrypt	21
22	ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;	22	# Security hardening (as of 11/02/2018)
23	ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;	23	ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2
24	ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/chain.pem;	24	ssl_prefer_server_ciphers on;
		25	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
		26	ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
		27	ssl_session_timeout 10m;
		28	ssl_session_cache shared:SSL:10m;
		29	ssl_session_tickets off; # Requires nginx >= 1.5.9
		30	ssl_stapling on; # Requires nginx >= 1.3.7
		31	ssl_stapling_verify on; # Requires nginx => 1.3.7
		32	resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
		33	resolver_timeout 5s;
		34	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
		35	add_header X-Frame-Options DENY;
		36	add_header X-Content-Type-Options nosniff;
		37	add_header X-XSS-Protection "1; mode=block";
		38	add_header X-Robots-Tag none;
		39
		40	access_log /var/log/nginx/peertube.example.com.access.log;
		41	error_log /var/log/nginx/peertube.example.com.error.log;
		42
		43	location ^~ '/.well-known/acme-challenge' {
		44	default_type "text/plain";
		45	root /var/www/certbot;
		46	}
25		47
26	location ~ ^/client/(.*\.(js\|css\|woff2\|otf\|ttf\|woff\|eot))$ {	48	location ~ ^/client/(.*\.(js\|css\|woff2\|otf\|ttf\|woff\|eot))$ {
27	add_header Cache-Control "public, max-age=31536000, immutable";	49	add_header Cache-Control "public, max-age=31536000, immutable";
@@ -46,6 +68,7 @@ server {
46	proxy_connect_timeout 600;	68	proxy_connect_timeout 600;
47	proxy_send_timeout 600;	69	proxy_send_timeout 600;
48	proxy_read_timeout 600;	70	proxy_read_timeout 600;
		71	send_timeout 600;
49	}	72	}
50		73
51	# Bypass PeerTube webseed route for better performances	74	# Bypass PeerTube webseed route for better performances