aboutsummaryrefslogtreecommitdiffhomepage
path: root/support/nginx
Commit message (Collapse)AuthorAgeFilesLines
* remove nginx fd caching, add module requirementsRigel Kent2020-11-181-5/+4
|
* fix internal redirection cycle whithin nginx client-override optimizationRigel Kent2020-11-171-1/+3
|
* refresh nginx config and optimize delivery (#3313)Rigel Kent2020-11-161-116/+160
| | | | | | | | | | | | | | | | | | | | | | | | refactors the Nginx configuration for the following points: - update tls version to include 1.3 by default. so far it was not included by default to make room for previous versions of Nginx, but since 2018 Debian stable has included Nginx in version 1.14.1, and tls 1.3 is available since Nginx 1.13.0. - clearly indicate that new minimum required version. - update outdated ssl_ciphers to remove cipher required to support android 4.4, since that version is unsupported since March 2020. - reordered configuration in sections for easier maintenance: performance optimizations are separated from the vital application/websocket parts. - move parts that always require manual configuration at the top: peertube host and server name, use server_name - move peertube host to a more flexible upstream block: it allows to configure it in one place instead of 3, and is future-proof regarding load-balancing. - simplified port 80 block: Let’s Encrypt supports 301 redirects. - group certificate-related config together. - remove reslover config: it defaults to /etc/resolv.conf which is more than enough. - align values with their neighbors for easier reading - always specify units - always specify default values when they differ from the values set - use ’m’ for minutes, ’M’ for megabytes - add consensual optimizations wrt file serving: - add timeout optimizations - add file descriptor cache optimizations - enable sendfile with chunk size > rate limit - enable threading - tcp optimizations - point to further, more system-specific optimizations in the section description - CDN configuration reduced to one line change
* add client overrides to nginx configuration (#3297)Kimsible2020-11-161-0/+10
| | | | Co-authored-by: Rigel Kent <par@rigelk.eu> Co-authored-by: kimsible <kimsible@users.noreply.github.com>
* Add nginx behind traefik in docker-compose + image updatesRigel Kent2020-11-111-22/+20
| | | | | | | | | | | - support/docker/production/docker-compose.yml: addition of a nginx image reusing support/nginx/peertube nginx conf to improve performance, and lessen setup differences between the docker-compose install and the typical production install. - support/docker/production/docker-compose.yml: postgres 10 -> postgres 12, redis 4 -> redis 5. Postgres major updates implies manual upgrade. - support/nginx/peertube: HTTP -> HTTPS redirection is now commented by default, to allow its reuse in support/docker/production/docker-compose.yml.
* Add Nginx configuration to redirect videos to an s3 bucketRigel Kent2020-03-091-0/+8
|
* Reword HSTS configuration to warn user of nginx's add_header shortcomingsRigel Kent2020-03-031-6/+2
|
* Update nginx cipher to the one we use on framatubeChocobozzz2019-12-171-1/+2
|
* Slightly relax Cipher Suite hardeningMarkus Richter2019-12-121-1/+1
| | | | This enables legacy software like apps on android 4.4.2 and matches the traefik configuration, where the specific cipher suite is already allowed.
* Fix nginx configChocobozzz2019-12-101-14/+13
| | | | CORS headers were removed. See https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
* Add streaming playlists endpoint in nginxChocobozzz2019-12-101-3/+16
|
* Add client_body_temp_path hint in nginx templateChocobozzz2019-12-051-0/+4
|
* Fix nginx template on dual stack serverChocobozzz2019-08-071-3/+3
| | | | See https://framacolibri.org/t/listen-to-unix-socket-instead-of-localhost-9000/5348
* Improve nginx client images cacheChocobozzz2019-07-291-1/+1
|
* Nginx config file: remove text/html from gzip_typesBenjamin Bouvier2019-02-111-1/+1
| | | As stated by https://nginx.org/en/docs/http/ngx_http_gzip_module.html, text/html is always part of the gzip_types. This removes a warning when checking the Nginx configuration files.
* Support socket.io in nginx templateChocobozzz2019-01-291-0/+12
|
* Remove hard-coded 8GB upload limit in client (#1293)Micah Elizabeth Scott2018-12-071-1/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | * Remove hard-coded 8GB upload limit in client Ideally we'd know what the specific server's configured upload limit is before starting, but this 8GB limit is not useful if an administrator has changed the nginx post limit on the server. * Better docs for admins about client_max_body_size Seems like some admins already tweak this value up or down to allow for different maximum video upload sizes. The current codebase has no other server-side limits that I'm aware of, and I've been routinely uploading quite large videos to my instance. This patch replaces the somewhat incorrect (or outdated?) 'hard limit' comment with some advice about allocating enough space for nginx and communicating the limit with your users. Of course it would be better if this configuration could be unified with PeerTube's config somehow. I'm not sure whether the best option there is to turn off nginx's buffering here and let PeerTube handle the entire upload (can we do this only for the video upload API endpoint?) or whether we want PeerTube to generate nginx configs in a more automated way layer. In any case, this patch is intended as an incremental improvement.
* Create redundancy endpointChocobozzz2018-12-041-2/+7
|
* Add comments in nginx regarding blocks that can be safely removedChocobozzz2018-09-171-1/+3
|
* Don't include `preload` flag in sample HSTS headerFelix Ableitner2018-09-111-1/+1
| | | | | This goes against the recommendations (preloading should be opt-in). Putting it in the example makes it likely that people enable it without knowing what it means. https://hstspreload.org/?domain=peertube.social#opt-in
* make HSTS opt-in and leave it to the reverse-proxyRigel Kent2018-09-091-1/+5
|
* Only enable gzip for HTML/CSS/JSMicah Elizabeth Scott2018-08-241-2/+4
| | | | | No compression on JSON endpoints, in order to protect from potential compression+encryption data leak attacks (like BREACH)
* Add gzip support to the sample nginx configurationMicah Elizabeth Scott2018-08-241-0/+5
| | | | | | | | | Without gzip explicitly enabled, load times suffer from transferring over a megabyte of plaintext javascript. With gzip enabled, the bundle is down to about 300K, and loads much faster. This change does not enable gzip on files that are already compressed, so images, fonts, and videos will be sent without the CPU overhead.
* 404 on unknown thumbnailChocobozzz2018-07-241-7/+8
|
* Add cors to static route in nginx templateChocobozzz2018-07-241-0/+16
|
* (nginx) remove headers now dealt with helmetRigel Kent2018-07-181-3/+0
|
* Fix static avatars/thumbnails cacheChocobozzz2018-07-171-1/+2
|
* Increase upload limit to 8GB (test)Chocobozzz2018-06-291-3/+3
|
* Revert "Selective route permission to use embeds, fixes #322 in a better way ↵Chocobozzz2018-03-201-6/+0
| | | | | (#364)" (#365) This reverts commit d40cd86bf56973d7217ad44737e3890b6e7f1ad5.
* Selective route permission to use embeds, fixes #322 in a better way (#364)Rigel Kent2018-03-201-0/+6
|
* Remove X-Frame options in nginx config (#322)Valvin2018-03-051-1/+0
| | | `X-Frame-Options DENY;` doesn't permit sharing using iframe
* Fix nginx configuration that do not work with import-videos scriptChocobozzz2018-03-011-1/+1
|
* Try to improve production guideChocobozzz2018-02-161-8/+14
|
* Precisions and security enhancements to the production guide (#287)Rigel Kent2018-02-141-14/+37
| | | | | | | | - added precisions and suggestions about how to generate Let's Encrypt certificates. Users have reported their installations didn't work when the problem came from missing certificates (false positives). - security defaults of Nginx follow the basic robustness principle "be conservative in what you send, be liberal in what you accept", which isn't enough with modern security standards, so we should be picky with the cipher suites we use, among other things. Extra comments (especially for the TLS1.3 protocol support parameter) make the requirement of a recent Nginx installation obvious, and the downgrade alternative remains clear to the system administrator. All in all, we should aknowledge users will most often copy and paste the configuration files. Making them secure by default may force a few users to read their configuration, but on the long run we are making the fediverse more secure. Since I've come to modify a bit the Nginx config in `support/doc/production.md`, I've merged it with the template so that they stay consistent.
* Peertube home in /var/www instead of /homeChocobozzz2018-01-231-3/+3
|
* Don't serve previews with nginxChocobozzz2018-01-181-1/+1
| | | | We need to maintain a cache in the node process
* nginx optimizationsChocobozzz2018-01-181-0/+21
|
* Update production guideChocobozzz2018-01-151-2/+4
| | | | | Use release that already contains build files. It requires a specific directories tree but I think it would be fine.
* Remove unused webserver configurationChocobozzz2018-01-112-53/+5
| | | | And update nginx configuration with a rate limit
* change nginx config to fix deprecation of a old module (#175)Fernandez, ReK22018-01-061-1/+1
|
* Add ability to unfollow a serverChocobozzz2017-11-272-0/+6
|
* Fix nginx https templateChocobozzz2017-10-191-1/+1
|
* Increase client_max_body_size in NGinx templateChocobozzz2017-10-172-2/+2
|
* Add peertube https nginx templateChocobozzz2016-11-251-0/+61
|
* Update NGinx template (uploads -> videos)Chocobozzz2016-10-261-1/+1
|
* Update NGinx that bypass /static/webseed (better performances)Chocobozzz2016-10-101-0/+21
|
* Add nginx example fileChocobozzz2016-06-031-0/+27