aboutsummaryrefslogtreecommitdiffhomepage
path: root/support/nginx
diff options
context:
space:
mode:
Diffstat (limited to 'support/nginx')
-rw-r--r--support/nginx/peertube276
1 files changed, 160 insertions, 116 deletions
diff --git a/support/nginx/peertube b/support/nginx/peertube
index e58659030..25c786a86 100644
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -1,3 +1,5 @@
1# Minimum Nginx version required: 1.13.0 (released Apr 25, 2017)
2
1# Uncomment in production to redirect HTTP to HTTPS. Leave commented for docker-compose. 3# Uncomment in production to redirect HTTP to HTTPS. Leave commented for docker-compose.
2#server { 4#server {
3# listen 80; 5# listen 80;
@@ -11,146 +13,212 @@
11# location / { return 301 https://$host$request_uri; } 13# location / { return 301 https://$host$request_uri; }
12#} 14#}
13 15
16upstream backend {
17 server ${PEERTUBE_HOST};
18}
19
14server { 20server {
15 listen 443 ssl http2; 21 listen 443 ssl http2;
16 listen [::]:443 ssl http2; 22 listen [::]:443 ssl http2;
17 server_name ${WEBSERVER_HOST}; 23 server_name ${WEBSERVER_HOST};
18 24
19 # For example with certbot (you need a certificate to run https) 25 access_log /var/log/nginx/peertube.access.log; # reduce I/0 with buffer=10m flush=5m
20 ssl_certificate /etc/letsencrypt/live/${WEBSERVER_HOST}/fullchain.pem; 26 error_log /var/log/nginx/peertube.error.log;
21 ssl_certificate_key /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem; 27
28 ##
29 # Certificates
30 # you need a certificate to run in production. see https://letsencrypt.org/
31 ##
32 ssl_certificate /etc/letsencrypt/live/peertube/fullchain.pem;
33 ssl_certificate_key /etc/letsencrypt/live/peertube/privkey.pem;
34
35 location ^~ '/.well-known/acme-challenge' {
36 default_type "text/plain";
37 root /var/www/certbot;
38 }
39
40 ##
41 # Security hardening (as of Nov 15, 2020)
42 # based on Mozilla Guideline v5.6
43 ##
22 44
23 # Security hardening (as of 11/02/2018) 45 ssl_protocols TLSv1.2 TLSv1.3;
24 ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
25 ssl_prefer_server_ciphers on; 46 ssl_prefer_server_ciphers on;
26 # Remove ECDHE-RSA-AES256-SHA if you don't want compatibility with Android 4 47 ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
27 ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA'; 48 ssl_session_timeout 1d; # defaults to 5m
28 # ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0, not compatible with import-videos script 49 ssl_session_cache shared:SSL:10m; # estimated to 40k sessions
29 ssl_session_timeout 10m; 50 ssl_session_tickets off;
30 ssl_session_cache shared:SSL:10m; 51 ssl_stapling on;
31 ssl_session_tickets off; # Requires nginx >= 1.5.9 52 ssl_stapling_verify on;
32 ssl_stapling on; # Requires nginx >= 1.3.7
33 ssl_stapling_verify on; # Requires nginx => 1.3.7
34 # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives 53 # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
35 #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; 54 #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
36 55
37 # Configure with your resolvers 56 ##
38 # resolver $DNS-IP-1 $DNS-IP-2 valid=300s; 57 # Application
39 # resolver_timeout 5s; 58 ##
40 59
41 # Enable compression for JS/CSS/HTML bundle, for improved client load times. 60 location / {
42 # It might be nice to compress JSON, but leaving that out to protect against potential 61 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
43 # compression+encryption information leak attacks like BREACH. 62 proxy_set_header Host $host;
44 gzip on; 63 proxy_set_header X-Real-IP $remote_addr;
45 gzip_types text/css application/javascript;
46 gzip_vary on;
47 64
48 # If you have a small /var/lib partition, it could be interesting to store temp nginx uploads in a different place 65 # This is the maximum upload size, which roughly matches the maximum size of a video file
49 # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path 66 # you can send via the API or the web interface. By default this is 8GB, but administrators
50 # client_body_temp_path /var/www/peertube/storage/nginx/; 67 # can increase or decrease the limit. Currently there's no way to communicate this limit
68 # to users automatically, so you may want to leave a note in your instance 'about' page if
69 # you change this.
70 #
71 # Note that temporary space is needed equal to the total size of all concurrent uploads.
72 # This data gets stored in /var/lib/nginx by default, so you may want to put this directory
73 # on a dedicated filesystem.
74 client_max_body_size 8G;
51 75
52 access_log /var/log/nginx/${WEBSERVER_HOST}.access.log; 76 proxy_connect_timeout 600s;
53 error_log /var/log/nginx/${WEBSERVER_HOST}.error.log; 77 proxy_send_timeout 600s;
78 proxy_read_timeout 600s;
79 send_timeout 600s;
54 80
55 location ^~ '/.well-known/acme-challenge' { 81 proxy_pass http://backend;
56 default_type "text/plain"; 82 }
57 root /var/www/certbot; 83
84 ##
85 # Websocket
86 ##
87
88 location /tracker/socket {
89 proxy_http_version 1.1;
90 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
91 proxy_set_header Host $host;
92 proxy_set_header X-Real-IP $remote_addr;
93 proxy_set_header Upgrade $http_upgrade;
94 proxy_set_header Connection "upgrade";
95
96 # Peers send a message to the tracker every 15 minutes
97 # Don't close the websocket before then
98 proxy_read_timeout 1200s; # default is 60s
99
100 proxy_pass http://backend;
101 }
102
103 location /socket.io {
104 proxy_http_version 1.1;
105 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
106 proxy_set_header Host $host;
107 proxy_set_header X-Real-IP $remote_addr;
108 proxy_set_header Upgrade $http_upgrade;
109 proxy_set_header Connection "upgrade";
110
111 proxy_pass http://backend;
58 } 112 }
59 113
114 ##
115 # Performance optimizations
116 # For extra performance please refer to https://github.com/denji/nginx-tuning
117 ##
118
119 root /var/www/peertube/storage;
120
121 # Enable compression for JS/CSS/HTML, for improved client load times.
122 # It might be nice to compress JSON/XML as returned by the API, but
123 # leaving that out to protect against potential BREACH attack.
124 gzip on;
125 gzip_vary on;
126 gzip_types # text/html is always compressed by HttpGzipModule
127 text/css
128 application/javascript
129 font/truetype
130 font/opentype
131 application/vnd.ms-fontobject
132 image/svg+xml;
133 gzip_min_length 1000; # default is 20 bytes
134 gzip_buffers 16 8k;
135 gzip_comp_level 2; # default is 1
136
137 client_body_timeout 30s; # default is 60
138 client_header_timeout 10s; # default is 60
139 send_timeout 10s; # default is 60
140 keepalive_timeout 10s; # default is 75
141 resolver_timeout 10s; # default is 30
142 reset_timedout_connection on;
143
144 tcp_nopush on; # send headers in one piece
145 tcp_nodelay on; # don't buffer data sent, good for small data bursts in real time
146
147 open_file_cache max=2000 inactive=5m; # default is no cache
148 open_file_cache_valid 2m; # default is 60s
149 open_file_cache_min_uses 2; # default is 1
150 open_file_cache_errors on;
151
152 # If you have a small /var/lib partition, it could be interesting to store temp nginx uploads in a different place
153 # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
154 #client_body_temp_path /var/www/peertube/storage/nginx/;
155
60 # Bypass PeerTube for performance reasons. Could be removed 156 # Bypass PeerTube for performance reasons. Could be removed
61 # Should be consistent with client-overrides assets list in /server/controllers/client.ts 157 # Should be consistent with client-overrides assets list in /server/controllers/client.ts
62 location ~ ^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png))$ { 158 location ~ ^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png))$ {
63 add_header Cache-Control "public, max-age=31536000, immutable"; 159 add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
64
65 root /var/www/peertube/storage/client-overrides;
66 160
67 try_files /$1 $uri; 161 try_files /client-overrides/$1 $uri;
68 } 162 }
69 163
70 # Bypass PeerTube for performance reasons. Could be removed 164 # Bypass PeerTube for performance reasons. Optional.
71 location ~ ^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$ { 165 location ~ ^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$ {
72 add_header Cache-Control "public, max-age=31536000, immutable"; 166 add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
73 167
74 alias /var/www/peertube/peertube-latest/client/dist/$1; 168 alias /var/www/peertube/peertube-latest/client/dist/$1;
75 } 169 }
76 170
77 # Bypass PeerTube for performance reasons. Could be removed 171 # Bypass PeerTube for performance reasons. Optional.
78 location ~ ^/static/(thumbnails|avatars)/ { 172 location ~ ^/static/(thumbnails|avatars)/ {
79 if ($request_method = 'OPTIONS') { 173 if ($request_method = 'OPTIONS') {
80 add_header 'Access-Control-Allow-Origin' '*'; 174 add_header 'Access-Control-Allow-Origin' '*';
81 add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS'; 175 add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
82 add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; 176 add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
83 add_header 'Access-Control-Max-Age' 1728000; 177 add_header 'Access-Control-Max-Age' 1728000; # Preflight request can be cached 20 days
84 add_header 'Content-Type' 'text/plain charset=UTF-8'; 178 add_header 'Content-Type' 'text/plain charset=UTF-8';
85 add_header 'Content-Length' 0; 179 add_header 'Content-Length' 0;
86 return 204; 180 return 204;
87 } 181 }
88 182
89 add_header 'Access-Control-Allow-Origin' '*'; 183 add_header 'Access-Control-Allow-Origin' '*';
90 add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS'; 184 add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
91 add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; 185 add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
92 186 add_header Cache-Control "public, max-age=7200"; # Cache response 2 hours
93 # Cache 2 hours
94 add_header Cache-Control "public, max-age=7200";
95 187
96 root /var/www/peertube/storage; 188 rewrite ^/static/(.*)$ /$1 break;
97 189
98 rewrite ^/static/(thumbnails|avatars)/(.*)$ /$1/$2 break;
99 try_files $uri /; 190 try_files $uri /;
100 } 191 }
101 192
102 location / { 193 # Bypass PeerTube for performance reasons. Optional.
103 proxy_pass http://${PEERTUBE_HOST};
104 proxy_set_header X-Real-IP $remote_addr;
105 proxy_set_header Host $host;
106 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
107
108 # This is the maximum upload size, which roughly matches the maximum size of a video file
109 # you can send via the API or the web interface. By default this is 8GB, but administrators
110 # can increase or decrease the limit. Currently there's no way to communicate this limit
111 # to users automatically, so you may want to leave a note in your instance 'about' page if
112 # you change this.
113 #
114 # Note that temporary space is needed equal to the total size of all concurrent uploads.
115 # This data gets stored in /var/lib/nginx by default, so you may want to put this directory
116 # on a dedicated filesystem.
117 #
118 client_max_body_size 8G;
119
120 proxy_connect_timeout 600;
121 proxy_send_timeout 600;
122 proxy_read_timeout 600;
123 send_timeout 600;
124 }
125
126 # Bypass PeerTube for performance reasons. Could be removed
127 location ~ ^/static/(webseed|redundancy|streaming-playlists)/ { 194 location ~ ^/static/(webseed|redundancy|streaming-playlists)/ {
195 limit_rate_after 5M;
196
128 # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client 197 # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
129 set $peertube_limit_rate 800k; 198 set $peertube_limit_rate 800k;
130 199
131 # Increase rate limit in HLS mode, because we don't have multiple simultaneous connections 200 # Increase rate limit in HLS mode, because we don't have multiple simultaneous connections
132 if ($request_uri ~ -fragmented.mp4$) { 201 if ($request_uri ~ -fragmented.mp4$) {
133 set $peertube_limit_rate 5000k; 202 set $peertube_limit_rate 5M;
134 } 203 }
135 204
136 # Use this with nginx >= 1.17.0 205 # Use this line with nginx >= 1.17.0
137 # limit_rate $peertube_limit_rate; 206 #limit_rate $peertube_limit_rate;
138 # Or this if your nginx < 1.17.0 207 # Or this line if your nginx < 1.17.0
139 set $limit_rate $peertube_limit_rate; 208 set $limit_rate $peertube_limit_rate;
140 limit_rate_after 5000k;
141 209
142 if ($request_method = 'OPTIONS') { 210 if ($request_method = 'OPTIONS') {
143 add_header 'Access-Control-Allow-Origin' '*'; 211 add_header 'Access-Control-Allow-Origin' '*';
144 add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS'; 212 add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
145 add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; 213 add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
146 add_header 'Access-Control-Max-Age' 1728000; 214 add_header 'Access-Control-Max-Age' 1728000; # Preflight request can be cached 20 days
147 add_header 'Content-Type' 'text/plain charset=UTF-8'; 215 add_header 'Content-Type' 'text/plain charset=UTF-8';
148 add_header 'Content-Length' 0; 216 add_header 'Content-Length' 0;
149 return 204; 217 return 204;
150 } 218 }
151 219
152 if ($request_method = 'GET') { 220 if ($request_method = 'GET') {
153 add_header 'Access-Control-Allow-Origin' '*'; 221 add_header 'Access-Control-Allow-Origin' '*';
154 add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS'; 222 add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
155 add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; 223 add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
156 224
@@ -158,45 +226,21 @@ server {
158 access_log off; 226 access_log off;
159 } 227 }
160 228
161 root /var/www/peertube/storage; 229 # Enabling the sendfile directive eliminates the step of copying the data into the buffer
230 # and enables direct copying data from one file descriptor to another.
231 sendfile on;
232 sendfile_max_chunk 1M; # prevent one fast connection from entirely occupying the worker process. should be > 800k.
233 aio threads;
162 234
163 # Use this in tandem with fuse-mounting i.e. https://docs.joinpeertube.org/#/admin-remote-storage 235 # Use this in tandem with fuse-mounting i.e. https://docs.joinpeertube.org/#/admin-remote-storage
164 # to serve files directly from a public bucket without proxying. 236 # to serve files directly from a public bucket without proxying.
165 # Assumes you have buckets named after the storage subdirectories, i.e. 'videos', 'redundancy', etc. 237 # Assumes you have buckets named after the storage subdirectories, i.e. 'videos', 'redundancy', etc.
166 #set $cdn <your S3-compatiable bucket public url mounted via fuse>; 238 #set $cdn <your S3-compatiable bucket public url mounted via fuse>;
167 #rewrite ^/static/webseed/(.*)$ $cdn/videos/$1 redirect; 239 #rewrite ^/static/webseed/(.*)$ $cdn/videos/$1 redirect;
168 #rewrite ^/static/redundancy/(.*)$ $cdn/redundancy/$1 redirect; 240 #rewrite ^/static/(.*)$ $cdn/$1 redirect;
169 #rewrite ^/static/streaming-playlists/(.*)$ $cdn/streaming-playlists/$1 redirect;
170
171 rewrite ^/static/webseed/(.*)$ /videos/$1 break; 241 rewrite ^/static/webseed/(.*)$ /videos/$1 break;
172 rewrite ^/static/redundancy/(.*)$ /redundancy/$1 break; 242 rewrite ^/static/(.*)$ /$1 break;
173 rewrite ^/static/streaming-playlists/(.*)$ /streaming-playlists/$1 break;
174 243
175 try_files $uri /; 244 try_files $uri /;
176 } 245 }
177
178 # Websocket tracker
179 location /tracker/socket {
180 # Peers send a message to the tracker every 15 minutes
181 # Don't close the websocket before this time
182 proxy_read_timeout 1200s;
183 proxy_set_header Upgrade $http_upgrade;
184 proxy_set_header Connection "upgrade";
185 proxy_http_version 1.1;
186 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
187 proxy_set_header Host $host;
188 proxy_pass http://${PEERTUBE_HOST};
189 }
190
191 location /socket.io {
192 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
193 proxy_set_header Host $host;
194
195 proxy_pass http://${PEERTUBE_HOST};
196
197 # enable WebSockets
198 proxy_http_version 1.1;
199 proxy_set_header Upgrade $http_upgrade;
200 proxy_set_header Connection "upgrade";
201 }
202} 246}