| # requires WebSocket support with `a2enmod proxy_wstunnel` | |
| # check https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.6 for hardening security | |
| <VirtualHost *:80 [::]:80> | |
| ServerName peertube.example.com | |
| ServerAdmin webmaster@example.com | |
| Protocols h2c http/1.1 | |
| RewriteEngine On | |
| RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/ | |
| RewriteCond %{HTTPS} off | |
| RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] | |
| Alias /.well-known/acme-challenge/ /var/www/certbot/ | |
| <Directory /var/www/certbot> | |
| Options None | |
| AllowOverride None | |
| ForceType text/plain | |
| RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)" | |
| Require method GET POST OPTIONS | |
| </Directory> | |
| ErrorLog "/var/log/httpd/peertube.example.com.error.log" | |
| CustomLog "/var/log/httpd/peertube.example.com.access.log" common env=!dontlog | |
| </VirtualHost> | |
| <VirtualHost *:443 [::]:443> | |
| ServerName peertube.example.com | |
| ServerAdmin webmaster@example.com | |
| Protocols h2 http/1.1 | |
| SSLEngine on | |
| # For example with certbot (you need a certificate to run https) | |
| SSLCertificateFile /etc/letsencrypt/live/peertube.example.com/fullchain.pem | |
| SSLCertificateKeyFile /etc/letsencrypt/live/peertube.example.com/privkey.pem | |
| Header always set X-Content-Type-Options nosniff | |
| Header always set X-Robots-Tag none | |
| Header always set X-XSS-Protection "1; mode=block" | |
| # Bypass PeerTube webseed route for better performances | |
| Alias /static/webseed /var/www/peertube/storage/videos | |
| <Location /static/webseed> | |
| # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client | |
| SetOutputFilter RATE_LIMIT | |
| SetEnv rate-limit 800 | |
| SetEnvIf Request_Method "GET" GETMETH=1 | |
| Header set Access-Control-Allow-Origin "*" env=GETMETH | |
| Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=GETMETH | |
| Header set Access-Control-Allow-Methods "GET, OPTIONS" env=GETMETH | |
| SetEnvIf GETMETH "1" dontlog | |
| SetEnvIf Request_Method "OPTIONS" OPTIONSMETH=1 | |
| Header set Access-Control-Allow-Origin "*" env=OPTIONSMETH | |
| Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=OPTIONSMETH | |
| Header set Access-Control-Allow-Methods "GET, OPTIONS" env=OPTIONSMETH | |
| Header set Access-Control-Max-Age "1000" env=OPTIONSMETH | |
| Header set Content-Type "text/plain charset=UTF-8" env=OPTIONSMETH | |
| Header set Content-Length "0" env=OPTIONSMETH | |
| </Location> | |
| <Location /videos/embed> | |
| Header unset X-Frame-Options | |
| </Location> | |
| ProxyPreserveHost On | |
| ProxyTimeout 600 | |
| # Websocket tracker | |
| RewriteEngine On | |
| RewriteCond %{HTTP:Upgrade} websocket [NC] | |
| RewriteRule /(.*) ws://127.0.0.1:9000/$1 [P,L] | |
| <Location /> | |
| ProxyPass http://127.0.0.1:9000/ timeout=600 | |
| </Location> | |
| ErrorLog "/var/log/httpd/peertube.example.com.error.log" | |
| CustomLog "/var/log/httpd/peertube.example.com.access.log" common env=!dontlog | |
| </VirtualHost> |
Well, there is no officially supported config for Apache 2, but I've got it working using this very basic config in my vhost, so it seems this is no longer an issue:
ProxyPreserveHost On ProxyRequests On #ProxyTimeout 600 # Websocket tracker RewriteEngine On RewriteCond %{HTTP:Upgrade} websocket [NC] RewriteRule /(.*) ws://127.0.0.1:9000/$1 [P,L] <Location /> ProxyPass http://127.0.0.1:9000/ </Location>I'm not using the docker installation of course.
@yodahome
This sounds promising, have you checked if all peertube functions are executed without errors? I'm a little afraid that not all peertube features are properly supported, but this may not be immediately noticeable.
I don't use Docker either and would like to start a test with your config next weekend, it looks almost too simple to be true 😁
Thank you for sharing your config.
Well, what I have tested is: Video upload via web interface, federating with a bunch of other instances, subscribing to remote channels, viewing remote video (on my instance that is), liking, commenting, installing themes & plugins, registration, most stuff on the administration end I'd say. I have not yet tested whether I'm federating my videos properly although I have no indication (errors or logs) to believe otherwise.
I'm not saying this is a polished configuration, but it's a place to start from and then possibly try adding some of the options mentioned in the initial post as long as they don't break anything. I haven't had the time to do that but I assume it's possible. It's most certainly not optimized, but again, it's working for myself so far and I might test with a few users too. I don't plan on hosting a huge crowd or thousands of videos. 😉
With that configuration, views will not be counted properly, nor will the API be protected against body size DoS attacks. Static files will be going through PeerTube before being handled by Apache, which means performance-wise, no gain is made from letting the PeerTube process do all the work. No
Access-Control-Allow-Originis set on some static assets, which means browsers on other domains running anything else than PeerTube (like, Pleroma displaying a PT account's avatar) will have errors.
Hmm, so far the views on my local videos seem accurate, under which circumstances wouldn't they be? Do you mean federated views or views on remote videos?
And as mentioned above, in a next step I would try to add other options back in. I understand this is all primarily experimental at this point, but it's better than PT not working in Apache 2 at all.
having read the peetube nginx conf there is nothing really special that apache cannot do. The trick is to find the best apache settings that reacts like nginx at least, and maybe better.
Hmm, so far the views on my local videos seem accurate, under which circumstances wouldn't they be? Do you mean federated views or views on remote videos?
Maybe you haven't run into the problem so far, but without passing the proper IP through, the peertube process will only see the loopback adress as emitting the view. If you are alone watching videos, or not watching the same videos in a short timespan, then you are fine. Federated views are not impacted.
@rigelk
to get tie client ip intact
RemoteIPHeader X-Client-IP
RemoteIPHeader X-Forwarded-For
Thanks for providing the config! Works!
I would like to create a repo especially for peertube apache config respecting the default nginx peertube config.
who are intrested I start it please thumb up.
I would like to create a repo especially for peertube apache config respecting the default nginx peertube config. who are intrested I start it please thumb up.
I, for myself, installed both apache & nginx on the machine, and this works very well, with the help of a port (443) multiplexer
https://github.com/yrutschle/sslh
Martin.
@M-Stenzel
interesting, but I want to avoid another layer of software and offer an apache conf from peertube nginx default
Here is the full PeerTube apache (min version 2.4.47) config which is the equivalent of
the nginx peertube default
# PeerTube Apache configuration version 23.8.15
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_gcache_data(512000)"
SSLSessionCacheTimeout 87400
SSLStaplingCache shmcb:logs/stapling-cache(150000)
# Please check your Apache installation features the following modules via 'apachectl -M':
# STANDARD HTTP MODULES: core_module, proxy_module, proxy_http2_module, proxy_wstunnel_module, proxy_http_module, headers_module, remoteip_module, ssl_module, filter_module, reqtimeout_module
# THIRD PARTY MODULES: None.
# check https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.6 for hardening security
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_gcache_data(512000)"
SSLSessionCacheTimeout 87400
SSLStaplingCache shmcb:logs/stapling-cache(150000)
ProxyRequests off
<VirtualHost *:80 [::]:80>
Protocols h2c http/1.1
ServerName peertube.example.com
ServerAdmin webmaster@example.com
ErrorLog "/var/log/httpd/[peertube.example.com].error.log"
CustomLog "/var/log/httpd/[peertube.example.com].access.log" common env=!dontlog
RewriteEngine on
RewriteOptions inherit
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Alias /.well-known/acme-challenge/ /var/www/certbot/
<Directory "/var/www/certbot">
Options None
AllowOverride None
ForceType text/plain
RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
Require method GET POST OPTIONS
</Directory>
</VirtualHost>
<VirtualHost *:443 [::]:443>
Protocols h2 h2c http/1.1 TLSv1.2 TLSv1.3 http/1.0
ProtocolsHonorOrder Off
ServerName example.com
ServerAlias peertube.example.com
SetEnv increaseTimeout false
RewriteEngine on
RewriteOptions inherit
CustomLog "/usr/local/apache/logs/peertube.access.log" common "env=!dontlog"
ErrorLog "/usr/local/apache/logs/example.com.error.log"
##
# Certificates
# you need a certificate to run in production. see https://letsencrypt.org/
##
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /etc/letsencrypt/live/peertube.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/peertube.example.com/privkey.pem
##
# Security hardening (as of Nov 15, 2020)
# based on Mozilla Guideline v5.6
##
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# SSLCipherSuite: add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLSessionTickets off
SSLUseStapling on
Header set Strict-Transport-Security "max-age=8740000; includeSubDomains; preload"
Header set X-Content-Type-Options nosniff
Header set X-Robots-Tag none
Header set X-XSS-Protection "1; mode=block"
RequestHeader set Host expr=%{HTTP_HOST}
RequestHeader set X-Forwarded-For expr=%{REMOTE_ADDR}
RequestHeader set X-Real-IP expr=%{REMOTE_ADDR}
##
# Application
##
LimitRequestBody 102400
ProxyReceiveBufferSize 0
KeepAliveTimeout 10
ProxyTimeout 900
ProxyIOBufferSize 1024
ProxyIOBufferSize 1024
ProxyReceiveBufferSize 8192
<Location "/api/v1/videos/upload-resumable">
LimitRequestBody 0
</Location>
<LocationMatch "^/api/v1/videos/(upload|([^/]+/studio/edit))$">
Require all granted
<LimitExcept POST HEAD>
Require all denied
</LimitExcept>
# This is the maximum upload size, which roughly matches the maximum size of a video file.
# Note that temporary space is needed equal to the total size of all concurrent uploads.
# You may want to put this directory on a dedicated filesystem.
LimitRequestBody 12884901888
# inform backend of the set value in bytes before mime-encoding (x * 1.4 >= LimitRequestBody)
Header set X-File-Maximum-Size 8G
</LocationMatch>
<LocationMatch "^/api/v1/runners/jobs/[^/]+/(update|success)$">
LimitRequestBody 12884901888;
Header set X-File-Maximum-Size 8G always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size)
</LocationMatch>
<LocationMatch "^/api/v1/(videos/*/views|video-playlists|video-channels|users/me|metrics)*$">
LimitRequestBody 6291456
# inform backend of the set value in bytes before mime-encoding (x * 1.4 >= LimitRequestBody)
Header set X-File-Maximum-Size 4M
</LocationMatch>
##
# Performance optimizations
# Compression enabled automatically by filter_module
DocumentRoot /var/www/peertube
RequestReadTimeout body=30 header=10
Options +FollowSymLinks -SymLinksIfOwnerMatch
Alias /client %{DOCUMENT_ROOT}/peertube-latest/client/dist
# http/2 tuning
H2Push on
H2PushPriority * after
H2PushPriority txt/css before
H2PushPriority image/jpeg after 32
H2PushPriority image/png after 32
H2PushPriority application/javascript interleaved
# Bypass PeerTube for performance reasons. Optional.
# Should be consistent with client-overrides assets list in /server/controllers/client.ts
<LocationMatch "^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$">
# Cache 1 year
Header set Cache-Control "public, max-age=31536000, immutable"
RewriteRule ^/client/(.*)$ %{DOCUMENT_ROOT}/peertube-latest/client/dist/$1 [L]
</LocationMatch>
# Bypass PeerTube for performance reasons. Optional.
<LocationMatch "^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png|default-playlist\.jpg|default-avatar-account\.png|default-avatar-account-48x48\.png|default-avatar-video-channel\.png|default-avatar-video-channel-48x48\.png))$">
Header set Cache-Control "public, max-age=31536000, immutable"
</LocationMatch>
# Bypass PeerTube for performance reasons. Optional.
<LocationMatch "^/static/(thumbnails|avatars)/">
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Credentials "true"
Header set Access-Control-Allow-Headers "Retry-After"
Header set Access-Control-Allow-Methods "GET, OPTIONS"
Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"
<If "%{REQUEST_METHOD} == 'OPTIONS'">
# Preflight request can be cached 20 days
Header set Access-Control-Max-Age 1728000
Header set Content-Type "text/plain charset=UTF-8"
Header set Content-Length 0
RedirectMatch 204 ^(.*)$
</If>
# Cache response 2 hours
Header set Cache-Control "public, max-age=7200"
RewriteRule ^/static/(.*)$ /$1 [L]
</LocationMatch>
# Bypass PeerTube for performance reasons. Optional.
<LocationMatch "^/static/(webseed|redundancy|streaming-playlists)/">
# Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
SetOutputFilter RATE_LIMIT
# Increase rate limit in HLS mode, because we don't have multiple simultaneous connections
<If "%{REQUEST_URI} =~ /^(.*)-fragmented.mp4$/">
SetEnv rate-limit 5120
SetEnv rate-limit-burst 6144
</If>
<Else>
SetEnv rate-limit 832
SetEnv rate-limit-burst 1024
</Else>
<If "%{REQUEST_METHOD} == 'OPTIONS'">
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Credentials "true"
Header set Access-Control-Allow-Headers "Retry-After"
Header set Access-Control-Allow-Methods "GET, OPTIONS"
Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"
# Preflight request can be cached 20 days
Header set Access-Control-Max-Age 1728000
Header set Content-Type "text/plain charset=UTF-8"
Header set Content-Length 0
RedirectMatch 204 ^(.*)$
</If>
<If "%{REQUEST_METHOD} == 'GET'">
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Credentials "true"
Header set Access-Control-Allow-Headers "Retry-After"
Header set Access-Control-Allow-Methods "GET, OPTIONS"
Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"
# Don't spam access log file with byte range requests
SetEnvIf %{REQUEST_URI} "^(.*)$" dontlog
</If>
# Enabling the sendfile directive eliminates the step of copying the data into the buffer
# and enables direct copying data from one file descriptor to another.
# To disable if the folder is on a network filesystem like NFS or other.
EnableSendfile on
<If "%{REQUEST_URI} =~ /^\x2Fstatic\x2Fwebseed\x2F(.*)$/">
Header set Cache-control "no-cache, no-store"
</If>
RewriteRule ^/static/webseed/(.*)$ /videos/$1 [L]
RewriteRule ^/static/(.*)$ /$1 [L]
</LocationMatch>
<LocationMatch "^(/static/(webseed|web-videos|streaming-playlists)/private/)|^/download">
SetEnv rate-limit 5120
SetEnv rate-limit-burst 6144
</LocationMatch>
# Set Upgrade and Connection headers for WebSocket requests
<LocationMatch "^/(plugins/[^/]+(/[^/]+)?/ws/|socket.io/)">
Header set Upgrade "websocket"
Header set Connection "Upgrade"
</LocationMatch>
# Normal HTTP requests
ProxyPass "/" "http://backend/" flushpackets=on keepalive=on enablereuse=on upgrade=websocket
</VirtualHost>
this config is compatible with the last version of PeerTube
Pay attention that I'm oftenly updating this config so please check time to time
or subscribe and follow its activity to my gist here https://gist.github.com/ROBERT-MCDOWELL/0ed82ec304fa76de9ff52cc4a5a49e4c
interesting, but I want to avoid another layer of software and offer an apache conf from peertube nginx default
I agree, I prefer to keep things as simple as possible as well.
Attached the full apache config which is the closest of the nginx peertube default
Thank you
<Location "/">
ProxyPas http://127.0.0.1:9000/ flushpackets=on keepalive=on enablereuse=on
ProxyRequests off
</Location>
</VirtualHost>
At the moment I do a fresh PeerTube v5.0.1 installation and I ran into these issues:
ProxyRequests not allowed in <Location> context
If I remove it everything looks fine so far, but when I try to access the site I get this error:
I have already checked the production.yaml, which looks fine to me
webserver:
https: true
hostname: 'peertube.example.de'
port: 443
The log shows:
{"tags":["client"],"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0","url":"https://peertube.example.de/videos/trending","level":"error","message":"Client log: Backend returned code 403, errorMessage is: Getting client tokens for host 127.0.0.1:9000 is forbidden","label":"peertube.example.de:443","timestamp":"2023-01-06T12:21:35.479Z"}
{"tags":["client"],"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0","url":"https://peertube.example.de/videos/trending","level":"error","message":"Client log: Fehler: Referenzen des OAuth-Clients können nicht abgerufen werden: Getting client tokens for host 127.0.0.1:9000 is forbidden. Stellen Sie sicher, dass PeerTube korrekt konfiguriert ist (Ordner config/), speziell der Abschnitt \"webserver\".","label":"peertube.example.de:443","timestamp":"2023-01-06T12:21:35.488Z"}{"tags":["client"],"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0","url":"https://peertube.example.de/videos/trending","level":"error","message":"Client log: Backend returned code 403, errorMessage is: Getting client tokens for host 127.0.0.1:9000 is forbidden","label":"peertube.example.de:443","timestamp":"2023-01-06T12:21:35.479Z"}
{"tags":["client"],"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0","url":"https://peertube.example.de/videos/trending","level":"error","message":"Client log: Fehler: Referenzen des OAuth-Clients können nicht abgerufen werden: Getting client tokens for host 127.0.0.1:9000 is forbidden. Stellen Sie sicher, dass PeerTube korrekt konfiguriert ist (Ordner config/), speziell der Abschnitt \"webserver\".","label":"peertube.example.de:443","timestamp":"2023-01-06T12:21:35.488Z"}
And the access rights for /config are fine too. At the moment I have no idea, where to look further.
my bad, glitch in my update, fixed now. thanks for your report
@ROBERT-MCDOWELL My pleasure, thank you for your support.
Edit:
ipv6 can be a pain sometimes.
<Location "/">
ProxyPass http://[::1]:9000/ flushpackets=on keepalive=on enablereuse=on
ProxyPassReverse http://[::1]:9000/
</Location>
This did not work for me but if I change it to:
<Location "/">
ProxyPass http://localhost:9000/ flushpackets=on keepalive=on enablereuse=on
ProxyPassReverse http://localhost:9000/
</Location>
Everything works perfect. The wired thing is, that 127.0.0.1 does not work.
But I guess that's a special issue of my environment, because my server is managed with Plesk, which
automatically generates the basic Virtualhost and it is missing the ipv6 localhost entry [::1].
FYI ProxyRequest off must be out Location, on the example above I even put it out of VirtualHost
and it was missing an "S" at ProxyPass, I added ProxyPassReverse too in '/' Location to avoid werid behaviors.
I aslo modified the websocket redirection to ipv6 like
RewriteRule ^(.*)$ ws://[::1]:9000$1 [L]
I am using your updated version now, no issues so far. 👍
I'm glad it works for you!
Great config, thank you so much. I am running into this though when frontpage of PT is loaded:
Cannot retrieve OAuth Client credentials: Getting client tokens for host 127.0.0.1:9000 is forbidden. Ensure you have correctly configured PeerTube (config/ directory), in particular the "webserver" section.
I can't really see anything wrong with either config (Apache, PT, and so on ...)
If I open web developer tools, I do see a 403 being returned for this request: "https://mysite.com/api/v1/oauth-clients/local"
check your firewall
Not sure if I was unclear, but I do get the actual PT frontpage. And the 403 error seen in the browser console cannot be from a firewall, as 403 is a web server status code meaning Access Denied, if I'm not entirely wrong.
check if your folders/files are everbody accessible and have the peertube user as owner.
Well, I changed the bottom part of the config to read:
ProxyPreserveHost On
ProxyRequests On
# Websocket
RewriteCond %{QUERY_STRING} ^/plugins/[^/]+(/[^/]+)?/ws/ [OR]
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule ^(.*)$ ws://127.0.0.1:9000$1 [L]
<Location "/">
ProxyPass http://127.0.0.1:9000/ flushpackets=on keepalive=on enablereuse=on
ProxyPassReverse http://127.0.0.1:9000/
</Location>
And now it works as intended. Thank you for your work and for your speedy response.
maybe the oauth plugin is not set to accept local ipv6...
maybe the oauth plugin is not set to accept local ipv6...
Yeah, quite possibly. It is, however, working now.
The only problem left is with CORS. It seems I cannot "embed" PT videos in pages on a specific site (not the same domain).
CORS is not present since it's a very personal choice.
CORS is not present since it's a very personal choice.
OK. If I comment out all of these, it works:
# Header always set Access-Control-Allow-Origin "*"
# Header always set Access-Control-Allow-Credentials "true"
# Header always set Access-Control-Allow-Headers "Retry-After"
# Header always set Access-Control-Allow-Methods "GET, OPTIONS"
# Header always set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"
indeed, but be aware that "*" allow any website of any domain to embed your peertube videos....
indeed, but be aware that "*" allow any website of any domain to embed your peertube videos....
I know. That's why I was a bit surprised to see them in your gist 😊 Would it be possible to update your gist with a scenario where PeerTube and (authorized) website can embed video from PT? Like the website is on https://web.domain1.com and PT is on https://video.domain2.com (i.e. it's not a sub-domain).
There also seems to be some confusion, not sure if it's with Apache or the browser(s) I've tried with, but to completely clear the header(s), I seem to need to do this:
Header always unset Access-Control-Allow-Origin
Header always unset access-control-allow-origin
I can't for the life of me figure out what is treating the header string value in a case sensitive manner.
i'ts not my gist here so I cannot change anything but my own config I posted here.
I re-read my config above and I noticed that I already set cross domain so theorically you don't have to do anything but copy/paste the config and everything will work. I use it for my server and I can see PT embeded stickers on twitter and else (when you click on it a new window is opening, so you don't watch the video in a embeded manner). Access-Control-Allow-Origin is the right string
With that configuration, views will not be counted properly, nor will the API be protected against body size DoS attacks. Static files will be going through PeerTube before being handled by Apache, which means performance-wise, no gain is made from letting the PeerTube process do all the work. No
Access-Control-Allow-Originis set on some static assets, which means browsers on other domains running anything else than PeerTube (like, Pleroma displaying a PT account's avatar) will have errors.