Try to improve production guide
This commit is contained in:
parent
63ce5a54f2
commit
0b49571268
4 changed files with 31 additions and 162 deletions
|
@ -28,7 +28,7 @@
|
||||||
|
|
||||||
<footer class="row">
|
<footer class="row">
|
||||||
<a href="https://github.com/Chocobozzz/PeerTube" title="PeerTube on Github">PeerTube v{{ serverVersion }}</a> -
|
<a href="https://github.com/Chocobozzz/PeerTube" title="PeerTube on Github">PeerTube v{{ serverVersion }}</a> -
|
||||||
<a href="https://github.com/Chocobozzz/PeerTube/blob/develop/LICENSE" title="PeerTube licence">CopyLeft 2015-2017</a>
|
<a href="https://github.com/Chocobozzz/PeerTube/blob/develop/LICENSE" title="PeerTube licence">CopyLeft 2015-2018</a>
|
||||||
</footer>
|
</footer>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
|
|
@ -1,10 +1,12 @@
|
||||||
import * as request from 'supertest'
|
import * as request from 'supertest'
|
||||||
|
import * as urlUtil from 'url'
|
||||||
|
|
||||||
function getClient (url: string) {
|
function getClient (url: string) {
|
||||||
const path = '/api/v1/oauth-clients/local'
|
const path = '/api/v1/oauth-clients/local'
|
||||||
|
|
||||||
return request(url)
|
return request(url)
|
||||||
.get(path)
|
.get(path)
|
||||||
|
.set('Host', urlUtil.parse(url).host)
|
||||||
.set('Accept', 'application/json')
|
.set('Accept', 'application/json')
|
||||||
.expect(200)
|
.expect(200)
|
||||||
.expect('Content-Type', /json/)
|
.expect('Content-Type', /json/)
|
||||||
|
|
|
@ -85,139 +85,24 @@ It should correspond to the paths of your storage directories (set in the config
|
||||||
$ sudo vim /etc/nginx/sites-available/peertube
|
$ sudo vim /etc/nginx/sites-available/peertube
|
||||||
```
|
```
|
||||||
|
|
||||||
Your Mileage May Vary, but what follows is an example of configuration for nginx with a certificate made via `certbot` ([other utilities exist](https://letsencrypt.org/docs/client-options/)):
|
|
||||||
|
|
||||||
```
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
listen [::]:80;
|
|
||||||
server_name peertube.example.com;
|
|
||||||
|
|
||||||
access_log /var/log/nginx/peertube.example.com.access.log;
|
|
||||||
error_log /var/log/nginx/peertube.example.com.error.log;
|
|
||||||
|
|
||||||
rewrite ^ https://$server_name$request_uri? permanent;
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
server_name peertube.example.com;
|
|
||||||
|
|
||||||
# For example with Let's Encrypt (you need a certificate to run https)
|
|
||||||
ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;
|
|
||||||
|
|
||||||
# Security hardening (as of 11/02/2018)
|
|
||||||
ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2
|
|
||||||
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
|
|
||||||
ssl_session_timeout 10m;
|
|
||||||
ssl_session_cache shared:SSL:10m;
|
|
||||||
ssl_session_tickets off; # Requires nginx >= 1.5.9
|
|
||||||
ssl_stapling on; # Requires nginx >= 1.3.7
|
|
||||||
ssl_stapling_verify on; # Requires nginx => 1.3.7
|
|
||||||
resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
|
|
||||||
resolver_timeout 5s;
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
|
|
||||||
add_header X-Frame-Options DENY;
|
|
||||||
add_header X-Content-Type-Options nosniff;
|
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
|
||||||
add_header X-Robots-Tag none;
|
|
||||||
|
|
||||||
access_log /var/log/nginx/peertube.example.com.access.log;
|
|
||||||
error_log /var/log/nginx/peertube.example.com.error.log;
|
|
||||||
|
|
||||||
location ^~ '/.well-known/acme-challenge' {
|
|
||||||
default_type "text/plain";
|
|
||||||
root /var/www/certbot;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ {
|
|
||||||
add_header Cache-Control "public, max-age=31536000, immutable";
|
|
||||||
|
|
||||||
alias /var/www/peertube/peertube-latest/client/dist/$1;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ ^/static/(thumbnails|avatars)/(.*)$ {
|
|
||||||
add_header Cache-Control "public, max-age=31536000, immutable";
|
|
||||||
|
|
||||||
alias /var/www/peertube/storage/$1/$2;
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://localhost:9000;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
|
|
||||||
# For the video upload
|
|
||||||
client_max_body_size 2G;
|
|
||||||
proxy_connect_timeout 600;
|
|
||||||
proxy_send_timeout 600;
|
|
||||||
proxy_read_timeout 600;
|
|
||||||
send_timeout 600;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Bypass PeerTube webseed route for better performances
|
|
||||||
location /static/webseed {
|
|
||||||
# Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
|
|
||||||
limit_rate 800k;
|
|
||||||
|
|
||||||
if ($request_method = 'OPTIONS') {
|
|
||||||
add_header 'Access-Control-Allow-Origin' '*';
|
|
||||||
add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
|
|
||||||
add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
|
|
||||||
add_header 'Access-Control-Max-Age' 1728000;
|
|
||||||
add_header 'Content-Type' 'text/plain charset=UTF-8';
|
|
||||||
add_header 'Content-Length' 0;
|
|
||||||
return 204;
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($request_method = 'GET') {
|
|
||||||
add_header 'Access-Control-Allow-Origin' '*';
|
|
||||||
add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
|
|
||||||
add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
|
|
||||||
|
|
||||||
# Don't spam access log file with byte range requests
|
|
||||||
access_log off;
|
|
||||||
}
|
|
||||||
|
|
||||||
alias /var/www/peertube/storage/videos;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Websocket tracker
|
|
||||||
location /tracker/socket {
|
|
||||||
# Peers send a message to the tracker every 15 minutes
|
|
||||||
# Don't close the websocket before this time
|
|
||||||
proxy_read_timeout 1200s;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "upgrade";
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_pass http://localhost:9000;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
To generate the certificate for your domain as required to make https work, you have two alternatives (note that the second command modifies itself the Nginx configuration to point the concerned server blocks to its certificate):
|
|
||||||
|
|
||||||
```
|
|
||||||
$ sudo certbot --authenticator standalone certonly -d peertube.example.com && nginx -t && systemctl reload nginx
|
|
||||||
```
|
|
||||||
|
|
||||||
```
|
|
||||||
$ sudo certbot --authenticator standalone --installer nginx --post-hook "nginx -t && systemctl reload nginx"
|
|
||||||
```
|
|
||||||
|
|
||||||
Remember your certificate will expire in 90 days, and thus needs renewal.
|
|
||||||
|
|
||||||
Activate the configuration file:
|
Activate the configuration file:
|
||||||
|
|
||||||
```
|
```
|
||||||
$ sudo ln -s /etc/nginx/sites-available/peertube /etc/nginx/sites-enabled/peertube
|
$ sudo ln -s /etc/nginx/sites-available/peertube /etc/nginx/sites-enabled/peertube
|
||||||
|
```
|
||||||
|
|
||||||
|
To generate the certificate for your domain as required to make https work you can use [Let's Encrypt](https://letsencrypt.org/):
|
||||||
|
|
||||||
|
```
|
||||||
|
$ sudo systemctl stop nginx
|
||||||
|
$ sudo certbot --authenticator standalone --installer nginx --post-hook "systemctl start nginx"
|
||||||
|
```
|
||||||
|
|
||||||
|
Remember your certificate will expire in 90 days, and thus needs renewal.
|
||||||
|
|
||||||
|
Now you have the certificates you can reload nginx:
|
||||||
|
|
||||||
|
```
|
||||||
$ sudo systemctl reload nginx
|
$ sudo systemctl reload nginx
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -235,30 +120,6 @@ Update the service file:
|
||||||
$ sudo vim /etc/systemd/system/peertube.service
|
$ sudo vim /etc/systemd/system/peertube.service
|
||||||
```
|
```
|
||||||
|
|
||||||
It should look like this:
|
|
||||||
|
|
||||||
```
|
|
||||||
[Unit]
|
|
||||||
Description=PeerTube daemon
|
|
||||||
After=network.target
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=simple
|
|
||||||
Environment=NODE_ENV=production
|
|
||||||
Environment=NODE_CONFIG_DIR=/var/www/peertube/config
|
|
||||||
User=peertube
|
|
||||||
Group=peertube
|
|
||||||
ExecStart=/usr/bin/npm start
|
|
||||||
WorkingDirectory=/var/www/peertube/peertube-latest
|
|
||||||
StandardOutput=syslog
|
|
||||||
StandardError=syslog
|
|
||||||
SyslogIdentifier=peertube
|
|
||||||
Restart=always
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
Tell systemd to reload its config:
|
Tell systemd to reload its config:
|
||||||
|
|
||||||
|
|
|
@ -6,7 +6,10 @@ server {
|
||||||
access_log /var/log/nginx/peertube.example.com.access.log;
|
access_log /var/log/nginx/peertube.example.com.access.log;
|
||||||
error_log /var/log/nginx/peertube.example.com.error.log;
|
error_log /var/log/nginx/peertube.example.com.error.log;
|
||||||
|
|
||||||
location /.well-known/acme-challenge/ { allow all; }
|
location /.well-known/acme-challenge/ {
|
||||||
|
default_type "text/plain";
|
||||||
|
root /var/www/certbot;
|
||||||
|
}
|
||||||
location / { return 301 https://$host$request_uri; }
|
location / { return 301 https://$host$request_uri; }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -15,12 +18,12 @@ server {
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
server_name peertube.example.com;
|
server_name peertube.example.com;
|
||||||
|
|
||||||
# For example with Let's Encrypt (you need a certificate to run https)
|
# For example with certbot (you need a certificate to run https)
|
||||||
ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
|
ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;
|
||||||
|
|
||||||
# Security hardening (as of 11/02/2018)
|
# Security hardening (as of 11/02/2018)
|
||||||
ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2
|
ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
||||||
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
|
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
|
||||||
|
@ -29,8 +32,11 @@ server {
|
||||||
ssl_session_tickets off; # Requires nginx >= 1.5.9
|
ssl_session_tickets off; # Requires nginx >= 1.5.9
|
||||||
ssl_stapling on; # Requires nginx >= 1.3.7
|
ssl_stapling on; # Requires nginx >= 1.3.7
|
||||||
ssl_stapling_verify on; # Requires nginx => 1.3.7
|
ssl_stapling_verify on; # Requires nginx => 1.3.7
|
||||||
resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
|
|
||||||
resolver_timeout 5s;
|
# Configure with your resolvers
|
||||||
|
# resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
|
||||||
|
# resolver_timeout 5s;
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
|
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
|
||||||
add_header X-Frame-Options DENY;
|
add_header X-Frame-Options DENY;
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
@ -63,8 +69,8 @@ server {
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
|
||||||
# For the video upload
|
# Hard limit, PeerTube does not support videos > 4GB
|
||||||
client_max_body_size 2G;
|
client_max_body_size 4G;
|
||||||
proxy_connect_timeout 600;
|
proxy_connect_timeout 600;
|
||||||
proxy_send_timeout 600;
|
proxy_send_timeout 600;
|
||||||
proxy_read_timeout 600;
|
proxy_read_timeout 600;
|
||||||
|
|
Loading…
Reference in a new issue