| Commit message (Collapse) | Author | Age | Files | Lines |
| |
- support/docker/production/docker-compose.yml: addition of an nginx
image reusing support/nginx/peertube nginx conf to improve performance,
and lessen setup differences between the docker-compose install and the
typical production install.
- support/docker/production/docker-compose.yml: postgres 10 -> postgres
12, redis 4 -> redis 5. Postgres major updates imply manual upgrade.
- support/nginx/peertube: HTTP -> HTTPS redirection is now commented
by default, to allow its reuse in support/docker/production/docker-compose.yml.
| |
This enables legacy software like apps on android 4.4.2 and matches the traefik configuration, where the specific cipher suite is already allowed.
| |
CORS headers were removed. See https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
| |
See https://framacolibri.org/t/listen-to-unix-socket-instead-of-localhost-9000/5348
| |
As stated by https://nginx.org/en/docs/http/ngx_http_gzip_module.html, text/html is always part of the gzip_types. This removes a warning when checking the Nginx configuration files.
| |
* Remove hard-coded 8GB upload limit in client
Ideally we'd know what the specific server's configured upload limit
is before starting, but this 8GB limit is not useful if an administrator
has changed the nginx post limit on the server.
* Better docs for admins about client_max_body_size
Seems like some admins already tweak this value up or down to allow
for different maximum video upload sizes. The current codebase has no
other server-side limits that I'm aware of, and I've been routinely
uploading quite large videos to my instance.
This patch replaces the somewhat incorrect (or outdated?) 'hard limit'
comment with some advice about allocating enough space for nginx and
communicating the limit with your users.
Of course it would be better if this configuration could be unified with
PeerTube's config somehow. I'm not sure whether the best option there is
to turn off nginx's buffering here and let PeerTube handle the entire upload
(can we do this only for the video upload API endpoint?) or whether we want
PeerTube to generate nginx configs in a more automated way layer. In any case,
this patch is intended as an incremental improvement.
| |
This goes against the recommendations (preloading should be opt-in). Putting it in the example makes it likely that people enable it without knowing what it means.
https://hstspreload.org/?domain=peertube.social#opt-in
| |
No compression on JSON endpoints, in order to protect
from potential compression+encryption data leak attacks (like BREACH)
| |
Without gzip explicitly enabled, load times suffer from transferring
over a megabyte of plaintext javascript. With gzip enabled, the bundle
is down to about 300K, and loads much faster.
This change does not enable gzip on files that are already compressed,
so images, fonts, and videos will be sent without the CPU overhead.
| |
(#364)" (#365)
This reverts commit d40cd86bf56973d7217ad44737e3890b6e7f1ad5.
| |
`X-Frame-Options DENY;` doesn't permit sharing using iframe
| |
- added precisions and suggestions about how to generate Let's Encrypt certificates. Users have reported their installations didn't work when the problem came from missing certificates (false positives).
- security defaults of Nginx follow the basic robustness principle "be conservative in what you send, be liberal in what you accept", which isn't enough with modern security standards, so we should be picky with the cipher suites we use, among other things. Extra comments (especially for the TLS1.3 protocol support parameter) make the requirement of a recent Nginx installation obvious, and the downgrade alternative remains clear to the system administrator.
All in all, we should acknowledge users will most often copy and paste the configuration files. Making them secure by default may force a few users to read their configuration, but in the long run we are making the fediverse more secure.
Since I've come to modify a bit the Nginx config in `support/doc/production.md`, I've merged it with the template so that they stay consistent.
| |
We need to maintain a cache in the node process
| |
Use release that already contains build files. It requires a specific
directory tree but I think it would be fine.
| |
And update nginx configuration with a rate limit