Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
An opinionated httpd/Apache vhost to run PeerTube, following Mozilla's modern security practices as of https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.28&openssl=1.0.1e&hsts=yes&profile=modern | don't forget to enable WebSockets with `a2enmod proxy_wstunnel`
# It's generally not a good idea to broadcast the version of Apache you run
ServerSignature Off
ServerTokens Prod
# Security configuration
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
# Requires Apache >= 2.4
SSLCompression off
# To use stapling, we have to enable it globally
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# OCSP Stapling requires Apache >= 2.3.3
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLSessionTickets off # Requires Apache >= 2.4.11
<VirtualHost *:80 [::]:80>
ServerName peertube.example.com
ServerAdmin webmaster@example.com
Protocols h2c http/1.1
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Alias /.well-known/acme-challenge/ /var/www/certbot/
<Directory /var/www/certbot>
Options None
AllowOverride None
ForceType text/plain
RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
Require method GET POST OPTIONS
</Directory>
ErrorLog "/var/log/httpd/peertube.example.com.error.log"
CustomLog "/var/log/httpd/peertube.example.com.access.log" common env=!dontlog
</VirtualHost>
<VirtualHost *:443 [::]:443>
ServerName peertube.example.com
ServerAdmin webmaster@example.com
Protocols h2 http/1.1
SSLEngine on
# For example with certbot (you need a certificate to run https)
SSLCertificateFile /etc/letsencrypt/live/peertube.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/peertube.example.com/privkey.pem
# HSTS (mod_headers is required) (63072000 seconds = 2 years) (only activate it knowingly)
#Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Content-Type-Options nosniff
Header always set X-Robots-Tag none
Header always set X-XSS-Protection "1; mode=block"
# Hard limit, PeerTube does not support videos > 4GB
LimitRequestBody 4294967294
# Set caching on assets for 1 year
<FilesMatch ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$>
Header append Cache-Control "public, max-age=31536000, immutable"
</FilesMatch>
AliasMatch ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ /var/www/peertube/peertube-latest/client/dist/$1
# Set caching on image files for 1 year
<FilesMatch ^/static/(thumbnails|avatars)/(.*)$>
Header append Cache-Control "public, max-age=31536000, immutable"
</FilesMatch>
AliasMatch ^/static/(thumbnails|avatars)/(.*)$ /var/www/peertube/storage/$1/$2
# Bypass PeerTube webseed route for better performances
Alias /static/webseed /var/www/peertube/storage/videos
<Location /static/webseed>
# Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
SetOutputFilter RATE_LIMIT
SetEnv rate-limit 800
SetEnvIf Request_Method "GET" GETMETH=1
Header set Access-Control-Allow-Origin "*" env=GETMETH
Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=GETMETH
Header set Access-Control-Allow-Methods "GET, OPTIONS" env=GETMETH
Header set toto "foo" env=GETMETH
SetEnvIf GETMETH "1" dontlog
SetEnvIf Request_Method "OPTIONS" OPTIONSMETH=1
Header set Access-Control-Allow-Origin "*" env=OPTIONSMETH
Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=OPTIONSMETH
Header set Access-Control-Allow-Methods "GET, OPTIONS" env=OPTIONSMETH
Header set Access-Control-Max-Age "1000" env=OPTIONSMETH
Header set Content-Type "text/plain charset=UTF-8" env=OPTIONSMETH
Header set Content-Length "0" env=OPTIONSMETH
</Location>
<Location /videos/embed>
Header unset X-Frame-Options
</Location>
ProxyPreserveHost On
ProxyRequests On
ProxyTimeout 600
# Websocket tracker
RewriteEngine On
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:9000/$1 [P,L]
<Location />
ProxyPass http://127.0.0.1:9000/
</Location>
ErrorLog "/var/log/httpd/peertube.example.com.error.log"
CustomLog "/var/log/httpd/peertube.example.com.access.log" common env=!dontlog
</VirtualHost>
@koehn

This comment has been minimized.

Copy link

koehn commented Mar 21, 2018

Thanks for this! I couldn't get the Websocket to work until I grabbed this code.

@WayOutt

This comment has been minimized.

Copy link

WayOutt commented May 6, 2018

Thanks!

@Pofilo

This comment has been minimized.

Copy link

Pofilo commented Jul 5, 2018

La ligne Header always set X-Frame-Options DENY empêche le fonctionnement des iframe.
Si vous voulez autoriser les iframe, il faut donc supprimer cette ligne.

@MonsieurPoutounours

This comment has been minimized.

Copy link

MonsieurPoutounours commented Nov 4, 2018

Thanks for your file.
With this configuration, i got several error log lines like this : AH00082: an unknown filter was not added: RATE_LIMIT
Can this be avoided by adding directives ?

@tykayn

This comment has been minimized.

Copy link

tykayn commented Dec 3, 2018

it nearly works, i have my certificates made with certbot but apache wont start because he cant find a file, but the file exists. i copy and paste the path and i get a symlink.

sudo apache2ctl configtest
AH00526: Syntax error on line 51 of /etc/apache2/sites-enabled/peertube.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/peertube.cipherbliss.com/fullchain.pem' does not exist or is empty
Action 'configtest' failed.

here, the file exists and is filled with certificates:

sudo ls -larth /etc/letsencrypt/live/peertube.cipherbliss.com/fullchain.pem
lrwxrwxrwx 1 root root 53 Dec  2 20:45 /etc/letsencrypt/live/peertube.cipherbliss.com/fullchain.pem -> ../../archive/peertube.cipherbliss.com/fullchain2.pem
@Vertux

This comment has been minimized.

Copy link

Vertux commented Nov 22, 2019

 # Hard limit, PeerTube does not support videos > 4GB
  LimitRequestBody 4294967294

The used value is not supported by apache 2.4 reference but you do not get any error.

Die Direktive gibt die Anzahl der Bytes zwischen 0 (unbegrenzt) und 2147483647 (2GB) an, die im Request-Body (Datenteil der Anfrage) erlaubt sind.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.