@rigelk
Last active August 29, 2024 20:52
a now OUTDATED httpd/Apache vhost to run PeerTube | note that only Nginx is supported by the PeerTube team, and with this or any other Apache configuration, you will likely get NO SUPPORT.
# requires WebSocket support with `a2enmod proxy_wstunnel`
# check https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.6 for hardening security
<VirtualHost *:80 [::]:80>
ServerName peertube.example.com
ServerAdmin webmaster@example.com
Protocols h2c http/1.1
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Alias /.well-known/acme-challenge/ /var/www/certbot/
<Directory /var/www/certbot>
Options None
AllowOverride None
ForceType text/plain
RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
Require method GET POST OPTIONS
</Directory>
ErrorLog "/var/log/httpd/peertube.example.com.error.log"
CustomLog "/var/log/httpd/peertube.example.com.access.log" common env=!dontlog
</VirtualHost>
<VirtualHost *:443 [::]:443>
ServerName peertube.example.com
ServerAdmin webmaster@example.com
Protocols h2 http/1.1
SSLEngine on
# For example with certbot (you need a certificate to run https)
SSLCertificateFile /etc/letsencrypt/live/peertube.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/peertube.example.com/privkey.pem
Header always set X-Content-Type-Options nosniff
Header always set X-Robots-Tag none
Header always set X-XSS-Protection "1; mode=block"
# Bypass PeerTube webseed route for better performances
Alias /static/webseed /var/www/peertube/storage/videos
<Location /static/webseed>
# Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
SetOutputFilter RATE_LIMIT
SetEnv rate-limit 800
SetEnvIf Request_Method "GET" GETMETH=1
Header set Access-Control-Allow-Origin "*" env=GETMETH
Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=GETMETH
Header set Access-Control-Allow-Methods "GET, OPTIONS" env=GETMETH
SetEnvIf GETMETH "1" dontlog
SetEnvIf Request_Method "OPTIONS" OPTIONSMETH=1
Header set Access-Control-Allow-Origin "*" env=OPTIONSMETH
Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=OPTIONSMETH
Header set Access-Control-Allow-Methods "GET, OPTIONS" env=OPTIONSMETH
Header set Access-Control-Max-Age "1000" env=OPTIONSMETH
Header set Content-Type "text/plain charset=UTF-8" env=OPTIONSMETH
Header set Content-Length "0" env=OPTIONSMETH
</Location>
<Location /videos/embed>
Header unset X-Frame-Options
</Location>
ProxyPreserveHost On
ProxyTimeout 600
# Websocket tracker
RewriteEngine On
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:9000/$1 [P,L]
<Location />
ProxyPass http://127.0.0.1:9000/ timeout=600
</Location>
ErrorLog "/var/log/httpd/peertube.example.com.error.log"
CustomLog "/var/log/httpd/peertube.example.com.access.log" common env=!dontlog
</VirtualHost>
@WarpinWolf

Thanks for providing the config! Works!

@ROBERT-MCDOWELL

I would like to create a repo especially for peertube apache config respecting the default nginx peertube config.
Whoever is interested in me starting it, please give a thumbs up.

@M-Stenzel

I would like to create a repo especially for peertube apache config respecting the default nginx peertube config. Whoever is interested in me starting it, please give a thumbs up.

I, for myself, installed both apache & nginx on the machine, and this works very well with the help of a port (443) multiplexer:

https://github.com/yrutschle/sslh

Martin.

@ROBERT-MCDOWELL

@M-Stenzel
Interesting, but I want to avoid another layer of software and offer an apache conf derived from the peertube nginx default.

@ROBERT-MCDOWELL

ROBERT-MCDOWELL commented Jul 24, 2022

Here is the full PeerTube apache (>= 2.4.47) config, which is the equivalent of the nginx peertube default.


# PeerTube Apache configuration version 24.6.29 (for PeerTube version 5.x only)

SSLSessionCache                 "shmcb:/usr/local/apache/logs/ssl_gcache_data(512000)"
SSLSessionCacheTimeout    87400
SSLStaplingCache                shmcb:logs/stapling-cache(150000)

# Please check your Apache installation features the following modules via 'apachectl -M':
# STANDARD HTTP MODULES: core_module, proxy_module, proxy_http2_module, proxy_wstunnel_module, proxy_http_module, headers_module, remoteip_module, ssl_module, filter_module, reqtimeout_module
# THIRD PARTY MODULES:   None.
# check https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.6 for hardening security

ProxyPreserveHost              On
# (Note: turn ProxyRequests On if you are using a safe and secure reverse proxy)
ProxyRequests                    Off

<VirtualHost *:80 [::]:80>

	Protocols h2c http/1.1
	ServerName peertube.example.com
	ServerAdmin webmaster@example.com
	
	ErrorLog "/var/log/httpd/[peertube.example.com].error.log"
	CustomLog "/var/log/httpd/[peertube.example.com].access.log" common env=!dontlog

	RewriteEngine on
	RewriteOptions inherit
	
	RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
	RewriteCond %{HTTPS} off
	RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

	Alias /.well-known/acme-challenge/ /var/www/certbot/
	<Directory "/var/www/certbot">
		Options None
		AllowOverride None
		ForceType text/plain
		RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
		Require method GET POST OPTIONS
	</Directory>
	
</VirtualHost>

<VirtualHost *:443 [::]:443>

	# Protocols takes ALPN/upgrade protocol names only; TLS versions are configured via SSLProtocol below
	Protocols h2 http/1.1
	ProtocolsHonorOrder Off

	ServerName example.com
	ServerAlias peertube.example.com
	
	SetEnv increaseTimeout false

	RewriteEngine on
	RewriteOptions inherit

	CustomLog	"/usr/local/apache/logs/peertube.access.log" common "env=!dontlog"
	ErrorLog	"/usr/local/apache/logs/example.com.error.log"

	##
	# Certificates
	# you need a certificate to run in production. see https://letsencrypt.org/
	##
	
	SSLEngine	on
	SSLProxyEngine	on
	SSLCertificateFile /etc/letsencrypt/live/peertube.example.com/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/peertube.example.com/privkey.pem
	
	##
	# Security hardening (as of Nov 15, 2020)
	# based on Mozilla Guideline v5.6
	##
	
	SSLProtocol             	all -SSLv3 -TLSv1 -TLSv1.1
	# SSLCipherSuite: add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
	SSLCipherSuite			ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
	SSLHonorCipherOrder	on
	SSLSessionTickets		off
	SSLUseStapling		on

	Header set       Strict-Transport-Security "max-age=8740000; includeSubDomains; preload"
	Header set	X-Content-Type-Options nosniff
	Header set	X-Robots-Tag none
	Header set	X-XSS-Protection "1; mode=block"
	
	RequestHeader set Host expr=%{HTTP_HOST}
	RequestHeader set X-Forwarded-For expr=%{REMOTE_ADDR}
	RequestHeader set X-Real-IP expr=%{REMOTE_ADDR}
	
	##
	# Application
	##

	LimitRequestBody		102400
	# each directive once: a repeated directive silently overrides the earlier value
	ProxyReceiveBufferSize	8192
	KeepAliveTimeout		10
	ProxyTimeout		900
	ProxyIOBufferSize	1024
	
	<Location "/api/v1/videos/upload-resumable">
		LimitRequestBody	0
	</Location>

	<LocationMatch "^/api/v1/users/[^/]+/imports/import-resumable$">
		LimitRequestBody        0
	</LocationMatch>

	<LocationMatch "^/api/v1/videos/(upload|([^/]+/studio/edit))$">
		Require all granted
		<LimitExcept POST HEAD>
			Require all denied
		</LimitExcept>

		# This is the maximum upload size, which roughly matches the maximum size of a video file.
		# Note that temporary space is needed equal to the total size of all concurrent uploads.
		# You may want to put this directory on a dedicated filesystem.
		LimitRequestBody 12884901888
		# inform backend of the set value in bytes before mime-encoding (x * 1.4 >= LimitRequestBody)
		Header set	X-File-Maximum-Size 8G
	</LocationMatch>
	
	<LocationMatch "^/api/v1/runners/jobs/[^/]+/(update|success)$">
		# no trailing ";" and no trailing comments: Apache directives end at the newline
		LimitRequestBody 12884901888
		# inform backend of the set value in bytes before mime-encoding (x * 1.4 >= LimitRequestBody)
		Header always set	X-File-Maximum-Size 8G
	</LocationMatch>

	# Generic API limit. Apache merges <LocationMatch> sections in file order with the later
	# one winning, so the upload/import paths limited above are excluded with a negative lookahead.
	<LocationMatch "^/api/v1/(?!videos/(upload-resumable|(upload|[^/]+/studio/edit)$)|users/[^/]+/imports/import-resumable)(videos|video-playlists|video-channels|users/me|metrics)">
		LimitRequestBody 6291456
		# inform backend of the set value in bytes before mime-encoding (x * 1.4 >= LimitRequestBody)
		Header set	X-File-Maximum-Size 4M
	</LocationMatch>
	
	##
	# Performance optimizations
	# Compression enabled automatically by filter_module
	DocumentRoot /var/www/peertube
	RequestReadTimeout body=30 header=10
	Options +FollowSymLinks -SymLinksIfOwnerMatch
	
	# filesystem path spelled out (DocumentRoot above) so it does not depend on expression support in Alias
	Alias /client /var/www/peertube/peertube-latest/client/dist

	# http/2 tuning
	H2Push		on
	H2PushPriority	*			after
	H2PushPriority	text/css		before
	H2PushPriority	image/jpeg		after		32
	H2PushPriority	image/png		after		32
	H2PushPriority	application/javascript	interleaved

	# Bypass PeerTube for performance reasons. Optional.
	# Should be consistent with client-overrides assets list in /server/controllers/client.ts
	<LocationMatch "^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$">
		# Cache 1 year
		Header set Cache-Control "public, max-age=31536000, immutable"
		RewriteRule ^/client/(.*)$ %{DOCUMENT_ROOT}/peertube-latest/client/dist/$1 [L]
	</LocationMatch>

	# Bypass PeerTube for performance reasons. Optional.
	<LocationMatch "^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png|default-playlist\.jpg|default-avatar-account\.png|default-avatar-account-48x48\.png|default-avatar-video-channel\.png|default-avatar-video-channel-48x48\.png))$">
		Header set Cache-Control "public, max-age=31536000, immutable"
	</LocationMatch>

	# Bypass PeerTube for performance reasons. Optional.
	<LocationMatch "^/static/(thumbnails|avatars)/">
		Header set	Access-Control-Allow-Origin    "*"
		Header set	Access-Control-Allow-Credentials "true"
		# a second "Header set" replaces the first, so every allowed header is listed once
		Header set	Access-Control-Allow-Headers   "Retry-After,Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"
		Header set	Access-Control-Allow-Methods   "GET, OPTIONS"

		<If "%{REQUEST_METHOD} == 'OPTIONS'">
			# Preflight request can be cached 20 days
			Header set	Access-Control-Max-Age       1728000
			Header set	Content-Type                 "text/plain charset=UTF-8"
			Header set	Content-Length               0
			RedirectMatch 204 ^(.*)$
		</If>

		# Cache response 2 hours
		Header set	Cache-Control                  "public, max-age=7200"

		RewriteRule ^/static/(.*)$ /$1 [L]
	</LocationMatch>

	# Bypass PeerTube for performance reasons. Optional.
	<LocationMatch "^/static/(webseed|redundancy|streaming-playlists)/">
		# Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
		SetOutputFilter RATE_LIMIT

		# Increase rate limit in HLS mode, because we don't have multiple simultaneous connections
		<If "%{REQUEST_URI} =~ /^(.*)-fragmented.mp4$/">
			SetEnv rate-limit       5120
			SetEnv rate-limit-burst 6144
		</If>
		<Else>
			SetEnv rate-limit       832
			SetEnv rate-limit-burst 1024
		</Else>

		<If "%{REQUEST_METHOD} == 'OPTIONS'">
			Header set       Access-Control-Allow-Origin  "*"
			Header set       Access-Control-Allow-Credentials "true"
			# a second "Header set" replaces the first, so every allowed header is listed once
			Header set       Access-Control-Allow-Headers "Retry-After,Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"
			Header set       Access-Control-Allow-Methods "GET, OPTIONS"
			# Preflight request can be cached 20 days
			Header set       Access-Control-Max-Age       1728000
			Header set       Content-Type                 "text/plain charset=UTF-8"
			Header set       Content-Length               0
			RedirectMatch 204 ^(.*)$
		</If>

		<If "%{REQUEST_METHOD} == 'GET'">
			Header set       Access-Control-Allow-Origin  "*"
			Header set       Access-Control-Allow-Credentials "true"
			# a second "Header set" replaces the first, so every allowed header is listed once
			Header set       Access-Control-Allow-Headers "Retry-After,Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"
			Header set       Access-Control-Allow-Methods "GET, OPTIONS"

			# Don't spam access log file with byte range requests
			# (SetEnvIf takes an attribute name such as Request_URI, not a %{...} variable)
			SetEnvIf Request_URI "^(.*)$" dontlog
		</If>

		# Enabling the sendfile directive eliminates the step of copying the data into the buffer
		# and enables direct copying data from one file descriptor to another.
		# To disable if the folder is on a network filesystem like NFS or other.
		EnableSendfile on

		<If "%{REQUEST_URI} =~ /^\x2Fstatic\x2Fwebseed\x2F(.*)$/">
			Header set       Cache-control   "no-cache, no-store"
		</If>

		RewriteRule ^/static/webseed/(.*)$ /videos/$1 [L]
		RewriteRule ^/static/(.*)$ /$1 [L]
	</LocationMatch>

	<LocationMatch "^(/static/(webseed|web-videos|streaming-playlists)/private/)|^/download">
		SetEnv rate-limit       5120
		SetEnv rate-limit-burst 6144
	</LocationMatch>

	# Normal HTTP requests
	# "backend" is a placeholder: point it at the PeerTube listen address, e.g. http://127.0.0.1:9000/
	ProxyPass "/" "http://backend/" flushpackets=on keepalive=on enablereuse=on upgrade=websocket

</VirtualHost>

# PeerTube Apache configuration version 24.6.29 (for PeerTube version >= 6+ only)

SSLSessionCache			"shmcb:/usr/local/apache/logs/ssl_gcache_data(512000)"
SSLSessionCacheTimeout		87400
SSLStaplingCache		shmcb:logs/stapling-cache(150000)

# Please check your Apache installation features the following modules via 'apachectl -M':
# STANDARD HTTP MODULES: core_module, proxy_module, proxy_http2_module, proxy_wstunnel_module, proxy_http_module, headers_module, remoteip_module, ssl_module, filter_module, reqtimeout_module
# THIRD PARTY MODULES:   None.
# check https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.6 for hardening security

ProxyPreserveHost		On
# (Note: turn ProxyRequests On if you are using a safe and secure reverse proxy)
ProxyRequests			Off

<VirtualHost *:80 [::]:80>
	Protocols h2c http/1.1
	ServerName peertube.example.com
	ServerAdmin webmaster@example.com
	
	ErrorLog "/var/log/httpd/[peertube.example.com].error.log"
	CustomLog "/var/log/httpd/[peertube.example.com].access.log" common env=!dontlog

	RewriteEngine on
	RewriteOptions inherit
	
	RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
	RewriteCond %{HTTPS} off
	RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

	Alias /.well-known/acme-challenge/ /var/www/certbot/
	<Directory "/var/www/certbot">
		Options None
		AllowOverride None
		ForceType text/plain
		RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
		Require method GET POST OPTIONS
	</Directory>
	
</VirtualHost>

<VirtualHost *:443 [::]:443>

	# Protocols takes ALPN/upgrade protocol names only; TLS versions are configured via SSLProtocol below
	Protocols h2 http/1.1

	ServerName peertube.example.com
	ServerAdmin webmaster@example.com
	
	RewriteEngine on
	RewriteOptions inherit
	
	CustomLog	"/usr/local/apache/logs/peertube.access.log" common "env=!dontlog"
	ErrorLog	"/usr/local/apache/logs/example.com.error.log"

	##
	# Certificates
	# you need a certificate to run in production. see https://letsencrypt.org/
	##
	
	SSLEngine	on
	SSLProxyEngine	on
	SSLCertificateFile /etc/letsencrypt/live/peertube.example.com/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/peertube.example.com/privkey.pem
	
	##
	# Security hardening (as of Nov 15, 2020)
	# based on Mozilla Guideline v5.6
	##

	SSLProtocol			 	all -SSLv3 -TLSv1 -TLSv1.1
	# SSLCipherSuite: add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
	SSLCipherSuite			ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
	SSLHonorCipherOrder		on
	SSLSessionTickets		off
	SSLUseStapling			on

	Header set	Strict-Transport-Security "max-age=8740000; includeSubDomains; preload"
	Header set	X-Content-Type-Options nosniff
	Header set	X-Robots-Tag none
	Header set	X-XSS-Protection "1; mode=block"
	
	# Uncomment if you are using a reverse proxy
	#RequestHeader set Host expr=%{HTTP_HOST}
	#RequestHeader set X-Forwarded-For expr=%{REMOTE_ADDR}
	#RequestHeader set X-Real-IP expr=%{REMOTE_ADDR}

	ErrorDocument 400 "Bad Request: The request could not be understood."
	ErrorDocument 401 "Unauthorized: Authentication is required."
	ErrorDocument 402 "Payment Required: Payment is needed to access this resource."
	ErrorDocument 403 "Forbidden: You don't have permission to access this resource."
	ErrorDocument 500 "Internal Server Error: Something went wrong on the server."
	
	##
	# Application
	##

	LimitRequestBody		102400
	ProxyReceiveBufferSize	0
	KeepAliveTimeout		10
	ProxyTimeout			900
	ProxyIOBufferSize		0
	
	<LocationMatch "^/api/v1/videos/(upload-resumable|([^/]+/source/replace-resumable))$">
		LimitRequestBody	0
	</LocationMatch>

	<LocationMatch "^/api/v1/videos/(upload|([^/]+/studio/edit))$">
		Require all granted
		<LimitExcept POST HEAD>
			Require all denied
		</LimitExcept>
		# This is the maximum upload size, which roughly matches the maximum size of a video file.
		# Note that temporary space is needed equal to the total size of all concurrent uploads.
		# You may want to put this directory on a dedicated filesystem.
		LimitRequestBody 12884901888
		# inform backend of the set value in bytes before mime-encoding (x * 1.4 >= LimitRequestBody)
		Header set	X-File-Maximum-Size 8G
	</LocationMatch>

	<LocationMatch "^/api/v1/runners/jobs/[^/]+/(update|success)$">
		LimitRequestBody 12884901888
		Header set X-File-Maximum-Size 8G
	</LocationMatch>

	# Generic API limit. Apache merges <LocationMatch> sections in file order with the later
	# one winning, so the upload/replace paths limited above are excluded with a negative lookahead.
	<LocationMatch "^/api/v1/(?!videos/(upload-resumable|[^/]+/source/replace-resumable|(upload|[^/]+/studio/edit)$))(videos|video-playlists|video-channels|users/me)">
		LimitRequestBody 6291456
		# inform backend of the set value in bytes before mime-encoding (x * 1.4 >= LimitRequestBody)
		Header set	X-File-Maximum-Size 4M
	</LocationMatch>

	##
	# Performance optimizations
	# Compression enabled automatically by filter_module
	DocumentRoot /var/www/peertube
	RequestReadTimeout body=30 header=10
	Options +FollowSymLinks -SymLinksIfOwnerMatch
	
	# filesystem path spelled out (DocumentRoot above) so it does not depend on expression support in Alias
	Alias /client /var/www/peertube/peertube-latest/client/dist

	# http/2 tuning
	H2Push		on
	H2PushPriority	*			after
	H2PushPriority	text/css		before
	H2PushPriority	image/jpeg		after		32
	H2PushPriority	image/png		after		32
	H2PushPriority	application/javascript	interleaved

	# Bypass PeerTube for performance reasons. Optional.
	# Should be consistent with client-overrides assets list in /server/controllers/client.ts
	<LocationMatch "^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$">
		Header set Cache-Control "public, max-age=31536000, immutable"
		RewriteRule ^/client/(.*)$ %{DOCUMENT_ROOT}/peertube-latest/client/dist/$1 [L]
	</LocationMatch>

	# Bypass PeerTube for performance reasons. Optional.
	<LocationMatch "^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png|default-playlist\.jpg|default-avatar-account\.png|default-avatar-account-48x48\.png|default-avatar-video-channel\.png|default-avatar-video-channel-48x48\.png))$">
		Header set Cache-Control "public, max-age=31536000, immutable"
	</LocationMatch>

	# Bypass PeerTube for performance reasons. Optional.
	<LocationMatch "^/static/(webseed|web-videos|redundancy|streaming-playlists)/">
		# Clients usually have 4 simultaneous connections, so the real limit is 3MB/s per client
		SetOutputFilter RATE_LIMIT

		# Increase rate limit in HLS mode, because we don't have multiple simultaneous connections
		<If "%{REQUEST_URI} =~ /^(.*)-fragmented.mp4$/">
			SetEnv rate-limit	   5120
			SetEnv rate-limit-burst 6144
		</If>
		<Else>
			SetEnv rate-limit	   832
			SetEnv rate-limit-burst 1024
		</Else>

		<If "%{REQUEST_METHOD} == 'OPTIONS'">
			Header set	   Access-Control-Allow-Origin	 "*"
			Header set	   Access-Control-Allow-Credentials "true"
			# a second "Header set" replaces the first, so every allowed header is listed once
			Header set	   Access-Control-Allow-Headers "Retry-After,Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"
			Header set	   Access-Control-Allow-Methods "GET, OPTIONS"
			# Preflight request can be cached 20 days
			Header set	   Access-Control-Max-Age	   1728000
			Header set	   Content-Type				 "text/plain charset=UTF-8"
			Header set	   Content-Length			   0
			RedirectMatch 204 ^(.*)$
		</If>

		<If "%{REQUEST_METHOD} == 'GET'">
			Header set	   Access-Control-Allow-Origin	 "*"
			Header set	   Access-Control-Allow-Credentials "true"
			# a second "Header set" replaces the first, so every allowed header is listed once
			Header set	   Access-Control-Allow-Headers "Retry-After,Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"
			Header set	   Access-Control-Allow-Methods "GET, OPTIONS"
			# Don't spam access log file with byte range requests
			# (SetEnvIf takes an attribute name such as Request_URI, not a %{...} variable)
			SetEnvIf Request_URI "^(.*)$" dontlog
		</If>

		# Enabling the sendfile directive eliminates the step of copying the data into the buffer
		# and enables direct copying data from one file descriptor to another.
		# To disable if the folder is on a network filesystem
		EnableSendfile off

		RewriteRule ^/static/webseed/(.*)$ /web-videos/$1 [L]
		RewriteRule ^/static/(.*)$		 /$1 [L]
	</LocationMatch>

	<LocationMatch "^(/static/(webseed|web-videos|streaming-playlists/hls)/private/)|^/download">
		SetEnv rate-limit	   5120
		SetEnv rate-limit-burst 6144
	</LocationMatch>

	# Normal HTTP requests
	# "backend" is a placeholder: point it at the PeerTube listen address, e.g. http://127.0.0.1:9000/
	ProxyPass "/" "http://backend/" enablereuse=on flushpackets=on keepalive=on upgrade=websocket
	ProxyPassReverse "/" "http://backend/"
	
</VirtualHost>

Note that I'm often updating this config, so please check from time to time, or subscribe and follow the activity of my gists here:
PeerTube v5: https://gist.github.com/ROBERT-MCDOWELL/0ed82ec304fa76de9ff52cc4a5a49e4c
PeerTube >= v6: https://gist.github.com/ROBERT-MCDOWELL/7a55548d51a82080270b3184cd27ed36

@Vertux

Vertux commented Jul 24, 2022

@ROBERT-MCDOWELL

Interesting, but I want to avoid another layer of software and offer an apache conf derived from the peertube nginx default.

I agree, I prefer to keep things as simple as possible as well.

Attached is the full apache config, which is the closest to the nginx peertube default.

Thank you

@Vertux

Vertux commented Jan 6, 2023

	<Location "/">
		ProxyPas http://127.0.0.1:9000/ flushpackets=on keepalive=on enablereuse=on
		ProxyRequests off
	</Location>
</VirtualHost>

At the moment I am doing a fresh PeerTube v5.0.1 installation, and I ran into these issues:

ProxyRequests not allowed in <Location> context

If I remove it, everything looks fine so far, but when I try to access the site I get this error:
[Screenshot 2023-01-06 at 13:04:20]
I have already checked the production.yaml, which looks fine to me:

webserver:
  https: true
  hostname: 'peertube.example.de'
  port: 443

The log shows:

{"tags":["client"],"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0","url":"https://peertube.example.de/videos/trending","level":"error","message":"Client log: Backend returned code 403, errorMessage is: Getting client tokens for host 127.0.0.1:9000 is forbidden","label":"peertube.example.de:443","timestamp":"2023-01-06T12:21:35.479Z"}
{"tags":["client"],"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0","url":"https://peertube.example.de/videos/trending","level":"error","message":"Client log: Fehler: Referenzen des OAuth-Clients können nicht abgerufen werden: Getting client tokens for host 127.0.0.1:9000 is forbidden. Stellen Sie sicher, dass PeerTube korrekt konfiguriert ist (Ordner config/), speziell der Abschnitt \"webserver\".","label":"peertube.example.de:443","timestamp":"2023-01-06T12:21:35.488Z"}

And the access rights for /config are fine too. At the moment I have no idea where to look further.

@ROBERT-MCDOWELL

My bad, a glitch in my update, fixed now. Thanks for your report.

@Vertux

Vertux commented Jan 6, 2023

@ROBERT-MCDOWELL My pleasure, thank you for your support.

Edit:
ipv6 can be a pain sometimes.

<Location "/">
                ProxyPass http://[::1]:9000/ flushpackets=on keepalive=on enablereuse=on
                ProxyPassReverse http://[::1]:9000/
</Location>

This did not work for me but if I change it to:

<Location "/">
                ProxyPass http://localhost:9000/ flushpackets=on keepalive=on enablereuse=on
                ProxyPassReverse http://localhost:9000/
</Location>

Everything works perfectly. The weird thing is that 127.0.0.1 does not work.

But I guess that's a special issue of my environment, because my server is managed with Plesk, which
automatically generates the basic Virtualhost and it is missing the ipv6 localhost entry [::1].

@ROBERT-MCDOWELL

ROBERT-MCDOWELL commented Jan 6, 2023

FYI ProxyRequests off must be outside Location; in the example above I even put it outside of VirtualHost,
and it was missing an "S" at ProxyPass. I added ProxyPassReverse too in the '/' Location to avoid weird behaviors.
I also modified the websocket redirection to ipv6 like
RewriteRule ^(.*)$ ws://[::1]:9000$1 [L]

@Vertux

Vertux commented Jan 6, 2023

I am using your updated version now, no issues so far. 👍

@ROBERT-MCDOWELL

I'm glad it works for you!

@joho1968

joho1968 commented Feb 13, 2023

Great config, thank you so much. I am running into this though when the frontpage of PT is loaded:

Cannot retrieve OAuth Client credentials: Getting client tokens for host 127.0.0.1:9000 is forbidden. Ensure you have correctly configured PeerTube (config/ directory), in particular the "webserver" section.

I can't really see anything wrong with either config (Apache, PT, and so on ...)

If I open web developer tools, I do see a 403 being returned for this request: "https://mysite.com/api/v1/oauth-clients/local"

@ROBERT-MCDOWELL

Check your firewall.

@joho1968

Not sure if I was unclear, but I do get the actual PT frontpage. And the 403 error seen in the browser console cannot be from a firewall, as 403 is a web server status code meaning Access Denied, if I'm not entirely wrong.

@ROBERT-MCDOWELL

Check if your folders/files are accessible to everybody and have the peertube user as owner.

@joho1968

joho1968 commented Feb 13, 2023

Well, I changed the bottom part of the config to read:

  ProxyPreserveHost On
  ProxyRequests On

  # Websocket
  RewriteCond %{QUERY_STRING} ^/plugins/[^/]+(/[^/]+)?/ws/ [OR]
  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteRule ^(.*)$ ws://127.0.0.1:9000$1 [L]

  <Location "/">
    ProxyPass http://127.0.0.1:9000/ flushpackets=on keepalive=on enablereuse=on
    ProxyPassReverse http://127.0.0.1:9000/
  </Location>

And now it works as intended. Thank you for your work and for your speedy response.

@ROBERT-MCDOWELL

maybe the oauth plugin is not set to accept local ipv6...

@joho1968

maybe the oauth plugin is not set to accept local ipv6...

Yeah, quite possibly. It is, however, working now.

The only problem left is with CORS. It seems I cannot "embed" PT videos in pages on a specific site (not the same domain).

@ROBERT-MCDOWELL

CORS is not present since it's a very personal choice.

@joho1968

CORS is not present since it's a very personal choice.

OK. If I comment out all of these, it works:

# Header always set Access-Control-Allow-Origin      "*" 
# Header always set Access-Control-Allow-Credentials "true"
# Header always set Access-Control-Allow-Headers     "Retry-After"
# Header always set Access-Control-Allow-Methods     "GET, OPTIONS"
# Header always set Access-Control-Allow-Headers     "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"

@ROBERT-MCDOWELL

Indeed, but be aware that "*" allows any website of any domain to embed your peertube videos....

@joho1968

Indeed, but be aware that "*" allows any website of any domain to embed your peertube videos....

I know. That's why I was a bit surprised to see them in your gist 😊 Would it be possible to update your gist with a scenario where PeerTube and (authorized) website can embed video from PT? Like the website is on https://web.domain1.com and PT is on https://video.domain2.com (i.e. it's not a sub-domain).

There also seems to be some confusion, not sure if it's with Apache or the browser(s) I've tried with, but to completely clear the header(s), I seem to need to do this:

    Header always unset Access-Control-Allow-Origin
    Header always unset access-control-allow-origin 

I can't for the life of me figure out what is treating the header string value in a case sensitive manner.

@ROBERT-MCDOWELL

It's not my gist here, so I cannot change anything but my own config I posted here.
I re-read my config above and I noticed that I already set cross domain, so theoretically you don't have to do anything but copy/paste the config and everything will work. I use it for my server and I can see PT embedded stickers on twitter and elsewhere (when you click on it a new window is opening, so you don't watch the video in an embedded manner). Access-Control-Allow-Origin is the right string.

@af7567

af7567 commented Jan 6, 2024

I was having problems with the Getting client tokens for host 127.0.0.1:9000 is forbidden message too after copying the above linked configuration for v6. But after reading joho1968's comment I noticed that ProxyPreserveHost On and ProxyRequests On are missing from the gists linked by @ROBERT-MCDOWELL .
After adding them back in everything seems to be working :)
Thanks all for providing the apache config.

@ROBERT-MCDOWELL

ROBERT-MCDOWELL commented Jan 6, 2024

@af7567 fixed it. thanks!

@ROBERT-MCDOWELL

@joho1968 I just realized my answer was a little confusing, so in my gists here:
PeerTube v5: https://gist.github.com/ROBERT-MCDOWELL/0ed82ec304fa76de9ff52cc4a5a49e4c
PeerTube >= v6: https://gist.github.com/ROBERT-MCDOWELL/7a55548d51a82080270b3184cd27ed36
I didn't put any CORS settings since it's not related to PeerTube and very personal, as some server admins have their own way to allow or not certain websites and how (from the deprecated x-frame-options to content-security-policy), which is too vast and out of the PeerTube scope, even if the PT nginx conf shows Header set Access-Control-Allow-Origin "*", which is not really secure. But what's best for you guys: to strictly follow the nginx default conf, or a more secure apache one?

@ROBERT-MCDOWELL

@joho1968 OK, after some reflection I think the best is to strictly follow the nginx default conf so it won't cause more confusion, and it's up to the skills of the server admin to handle security his own way....
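An added example (not from the gist and not from ROBERT-MCDOWELL's config) of the tightening the thread leaves to the admin: an Origin allow-list instead of `*` on the static routes, and `frame-ancestors` for the embed route. It uses the hypothetical names from joho1968's question, web.domain1.com as the embedding site and video.domain2.com as the PeerTube host.

```apache
# Added example, not part of the gist or of the PeerTube project's nginx/apache configs.
# Assumed names: web.domain1.com embeds videos served from video.domain2.com.

# 1. Mark requests whose Origin header is on the allow-list. $0 captures the matched
#    origin so its exact value is echoed back instead of "*"; an exact origin is also
#    what browsers require whenever credentials are allowed.
SetEnvIfNoCase Origin "^https://(web\.domain1\.com|video\.domain2\.com)$" ALLOWED_ORIGIN=$0

<LocationMatch "^/static/(webseed|web-videos|redundancy|streaming-playlists|thumbnails|avatars)/">
	# Only allow-listed origins get CORS headers; any other cross-origin read fails in the browser.
	Header always set Access-Control-Allow-Origin  "%{ALLOWED_ORIGIN}e" env=ALLOWED_ORIGIN
	Header always set Access-Control-Allow-Methods "GET, OPTIONS" env=ALLOWED_ORIGIN
	Header always set Access-Control-Allow-Headers "Retry-After,Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=ALLOWED_ORIGIN
	# Shared caches must key the response on the Origin request header.
	Header always merge Vary Origin
</LocationMatch>

# 2. Placing the player in an <iframe> is governed by frame-ancestors, not by CORS.
#    The gist unsets X-Frame-Options on /videos/embed; restrict framing to the allowed site instead.
<Location "/videos/embed">
	Header always unset X-Frame-Options
	Header always set Content-Security-Policy "frame-ancestors 'self' https://web.domain1.com"
</Location>
```

A preflight or GET from any origin not in the list receives no CORS headers at all, which is the intended failure mode; if PeerTube's own `csp` option in production.yaml is enabled, set `frame-ancestors` there rather than in Apache so the two headers do not conflict.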

@af7567

af7567 commented Jan 6, 2024

@ROBERT-MCDOWELL Thanks for the update :)
I didn't realise you had left the Proxy options out on purpose. I thought that peertube only worked with a reverse proxy so I was a bit confused why some of the lines in the original gist for reverse proxy were commented out.

@ROBERT-MCDOWELL

I'm on so many different repos and work that I think you are right, PT works by default with a reverse proxy... even if it certainly can work without a proxy ;)
