-
-
Save ROBERT-MCDOWELL/0ed82ec304fa76de9ff52cc4a5a49e4c to your computer and use it in GitHub Desktop.
Unofficial support of the last and updated httpd/Apache vhost to run PeerTube 5.x ONLY
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# PeerTube Apache configuration version 24.6.29 (for PeerTube version 5.x only) | |
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_gcache_data(512000)" | |
SSLSessionCacheTimeout 87400 | |
SSLStaplingCache shmcb:logs/stapling-cache(150000) | |
# Please check your Apache installation features the following modules via 'apachectl -M': | |
# STANDARD HTTP MODULES: core_module, proxy_module, proxy_http2_module, proxy_wstunnel_module, proxy_http_module, headers_module, remoteip_module, ssl_module, filter_module, reqtimeout_module | |
# THIRD PARTY MODULES: None. | |
# check https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.6 for hardening security | |
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_gcache_data(512000)" | |
SSLSessionCacheTimeout 87400 | |
SSLStaplingCache shmcb:logs/stapling-cache(150000) | |
ProxyPreserveHost On | |
ProxyRequests Off # (Note: turn it On if you are using a safe and secure reverse proxy) | |
<VirtualHost *:80 [::]:80> | |
Protocols h2c http/1.1 | |
ServerName peertube.example.com | |
ServerAdmin webmaster@example.com | |
ErrorLog "/var/log/httpd/[peertube.example.com].error.log" | |
CustomLog "/var/log/httpd/[peertube.example.com].access.log" common env=!dontlog | |
RewriteEngine on | |
RewriteOptions inherit | |
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/ | |
RewriteCond %{HTTPS} off | |
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] | |
Alias /.well-known/acme-challenge/ /var/www/certbot/ | |
<Directory "/var/www/certbot"> | |
Options None | |
AllowOverride None | |
ForceType text/plain | |
RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)" | |
Require method GET POST OPTIONS | |
</Directory> | |
</VirtualHost> | |
<VirtualHost *:443 [::]:443> | |
Protocols h2 h2c http/1.1 TLSv1.2 TLSv1.3 http/1.0 | |
ProtocolsHonorOrder Off | |
ServerName example.com | |
ServerAlias peertube.example.com | |
SetEnv increaseTimeout false | |
RewriteEngine on | |
RewriteOptions inherit | |
CustomLog "/usr/local/apache/logs/peertube.access.log" common "env=!dontlog" | |
ErrorLog "/usr/local/apache/logs/example.com.error.log" | |
## | |
# Certificates | |
# you need a certificate to run in production. see https://letsencrypt.org/ | |
## | |
SSLEngine on | |
SSLProxyEngine on | |
SSLCertificateFile /etc/letsencrypt/live/peertube.example.com/fullchain.pem | |
SSLCertificateKeyFile /etc/letsencrypt/live/peertube.example.com/privkey.pem | |
## | |
# Security hardening (as of Nov 15, 2020) | |
# based on Mozilla Guideline v5.6 | |
## | |
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 | |
# SSLCipherSuite: add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4 | |
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 | |
SSLHonorCipherOrder on | |
SSLSessionTickets off | |
SSLUseStapling on | |
Header set Strict-Transport-Security "max-age=8740000; includeSubDomains; preload" | |
Header set X-Content-Type-Options nosniff | |
Header set X-Robots-Tag none | |
Header set X-XSS-Protection "1; mode=block" | |
RequestHeader set Host expr=%{HTTP_HOST} | |
RequestHeader set X-Forwarded-For expr=%{REMOTE_ADDR} | |
RequestHeader set X-Real-IP expr=%{REMOTE_ADDR} | |
## | |
# Application | |
## | |
LimitRequestBody 102400 | |
ProxyReceiveBufferSize 0 | |
KeepAliveTimeout 10 | |
ProxyTimeout 900 | |
ProxyIOBufferSize 1024 | |
ProxyIOBufferSize 1024 | |
ProxyReceiveBufferSize 8192 | |
<Location "/api/v1/videos/upload-resumable"> | |
LimitRequestBody 0 | |
</Location> | |
<LocationMatch "^/api/v1/videos/(upload|([^/]+/studio/edit))$"> | |
Require all granted | |
<LimitExcept POST HEAD> | |
Require all denied | |
</LimitExcept> | |
# This is the maximum upload size, which roughly matches the maximum size of a video file. | |
# Note that temporary space is needed equal to the total size of all concurrent uploads. | |
# You may want to put this directory on a dedicated filesystem. | |
LimitRequestBody 12884901888 | |
# inform backend of the set value in bytes before mime-encoding (x * 1.4 >= LimitRequestBody) | |
Header set X-File-Maximum-Size 8G | |
</LocationMatch> | |
<LocationMatch "^/api/v1/runners/jobs/[^/]+/(update|success)$"> | |
LimitRequestBody 12884901888; | |
Header set X-File-Maximum-Size 8G always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size) | |
</LocationMatch> | |
<LocationMatch "^/api/v1/(videos/*/views|video-playlists|video-channels|users/me|metrics)*$"> | |
LimitRequestBody 6291456 | |
# inform backend of the set value in bytes before mime-encoding (x * 1.4 >= LimitRequestBody) | |
Header set X-File-Maximum-Size 4M | |
</LocationMatch> | |
## | |
# Performance optimizations | |
# Compression enabled automatically by filter_module | |
DocumentRoot /var/www/peertube | |
RequestReadTimeout body=30 header=10 | |
Options +FollowSymLinks -SymLinksIfOwnerMatch | |
Alias /client %{DOCUMENT_ROOT}/peertube-latest/client/dist | |
# http/2 tuning | |
H2Push on | |
H2PushPriority * after | |
H2PushPriority txt/css before | |
H2PushPriority image/jpeg after 32 | |
H2PushPriority image/png after 32 | |
H2PushPriority application/javascript interleaved | |
# Bypass PeerTube for performance reasons. Optional. | |
# Should be consistent with client-overrides assets list in /server/controllers/client.ts | |
<LocationMatch "^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$"> | |
# Cache 1 year | |
Header set Cache-Control "public, max-age=31536000, immutable" | |
RewriteRule ^/client/(.*)$ %{DOCUMENT_ROOT}/peertube-latest/client/dist/$1 [L] | |
</LocationMatch> | |
# Bypass PeerTube for performance reasons. Optional. | |
<LocationMatch "^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png|default-playlist\.jpg|default-avatar-account\.png|default-avatar-account-48x48\.png|default-avatar-video-channel\.png|default-avatar-video-channel-48x48\.png))$"> | |
Header set Cache-Control "public, max-age=31536000, immutable" | |
</LocationMatch> | |
# Bypass PeerTube for performance reasons. Optional. | |
<LocationMatch "^/static/(thumbnails|avatars)/"> | |
Header set Access-Control-Allow-Origin "*" | |
Header set Access-Control-Allow-Credentials "true" | |
Header set Access-Control-Allow-Headers "Retry-After" | |
Header set Access-Control-Allow-Methods "GET, OPTIONS" | |
Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" | |
<If "%{REQUEST_METHOD} == 'OPTIONS'"> | |
# Preflight request can be cached 20 days | |
Header set Access-Control-Max-Age 1728000 | |
Header set Content-Type "text/plain charset=UTF-8" | |
Header set Content-Length 0 | |
RedirectMatch 204 ^(.*)$ | |
</If> | |
# Cache response 2 hours | |
Header set Cache-Control "public, max-age=7200" | |
RewriteRule ^/static/(.*)$ /$1 [L] | |
</LocationMatch> | |
# Bypass PeerTube for performance reasons. Optional. | |
<LocationMatch "^/static/(webseed|redundancy|streaming-playlists)/"> | |
# Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client | |
SetOutputFilter RATE_LIMIT | |
# Increase rate limit in HLS mode, because we don't have multiple simultaneous connections | |
<If "%{REQUEST_URI} =~ /^(.*)-fragmented.mp4$/"> | |
SetEnv rate-limit 5120 | |
SetEnv rate-limit-burst 6144 | |
</If> | |
<Else> | |
SetEnv rate-limit 832 | |
SetEnv rate-limit-burst 1024 | |
</Else> | |
<If "%{REQUEST_METHOD} == 'OPTIONS'"> | |
Header set Access-Control-Allow-Origin "*" | |
Header set Access-Control-Allow-Credentials "true" | |
Header set Access-Control-Allow-Headers "Retry-After" | |
Header set Access-Control-Allow-Methods "GET, OPTIONS" | |
Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" | |
# Preflight request can be cached 20 days | |
Header set Access-Control-Max-Age 1728000 | |
Header set Content-Type "text/plain charset=UTF-8" | |
Header set Content-Length 0 | |
RedirectMatch 204 ^(.*)$ | |
</If> | |
<If "%{REQUEST_METHOD} == 'GET'"> | |
Header set Access-Control-Allow-Origin "*" | |
Header set Access-Control-Allow-Credentials "true" | |
Header set Access-Control-Allow-Headers "Retry-After" | |
Header set Access-Control-Allow-Methods "GET, OPTIONS" | |
Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" | |
# Don't spam access log file with byte range requests | |
SetEnvIf %{REQUEST_URI} "^(.*)$" dontlog | |
</If> | |
# Enabling the sendfile directive eliminates the step of copying the data into the buffer | |
# and enables direct copying data from one file descriptor to another. | |
# To disable if the folder is on a network filesystem like NFS or other. | |
EnableSendfile on | |
<If "%{REQUEST_URI} =~ /^\x2Fstatic\x2Fwebseed\x2F(.*)$/"> | |
Header set Cache-control "no-cache, no-store" | |
</If> | |
RewriteRule ^/static/webseed/(.*)$ /videos/$1 [L] | |
RewriteRule ^/static/(.*)$ /$1 [L] | |
</LocationMatch> | |
<LocationMatch "^(/static/(webseed|web-videos|streaming-playlists)/private/)|^/download"> | |
SetEnv rate-limit 5120 | |
SetEnv rate-limit-burst 6144 | |
</LocationMatch> | |
# Set Upgrade and Connection headers for WebSocket requests | |
<LocationMatch "^/(plugins/[^/]+(/[^/]+)?/ws/|socket.io/)"> | |
Header set Upgrade "websocket" | |
Header set Connection "Upgrade" | |
</LocationMatch> | |
# Normal HTTP requests | |
ProxyPass "/" "http://backend/" flushpackets=on keepalive=on enablereuse=on upgrade=websocket | |
</VirtualHost> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment