An opinionated httpd/Apache vhost to run PeerTube, following Mozilla's modern security practices as of https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.28&openssl=1.0.1e&hsts=yes&profile=modern | don't forget to enable WebSockets with `a2enmod proxy_wstunnel`

## peertube.conf
# It's generally not a good idea to broadcast the version of Apache you run
ServerSignature Off
ServerTokens Prod

# Security configuration
SSLCipherSuite                    EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol                       All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder               on
# Requires Apache >= 2.4
SSLCompression                    off
# To use stapling, we have to enable it globally
SSLStaplingCache                  "shmcb:logs/stapling-cache(150000)"
# OCSP Stapling requires Apache >= 2.3.3
SSLUseStapling                    on
SSLStaplingResponderTimeout       5
SSLStaplingReturnResponderErrors  off
SSLSessionTickets                 off # Requires Apache >= 2.4.11


<VirtualHost *:80 [::]:80>
        ServerName peertube.example.com
        ServerAdmin webmaster@example.com
        Protocols h2c http/1.1

        RewriteEngine On
        RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

        Alias /.well-known/acme-challenge/ /var/www/certbot/
        <Directory /var/www/certbot>
                Options None
                AllowOverride None
                ForceType text/plain
                RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
                Require method GET POST OPTIONS
        </Directory>

        ErrorLog "/var/log/httpd/peertube.example.com.error.log"
        CustomLog "/var/log/httpd/peertube.example.com.access.log" common env=!dontlog
</VirtualHost>

<VirtualHost *:443 [::]:443>
        ServerName peertube.example.com
        ServerAdmin webmaster@example.com
        Protocols h2 http/1.1

        SSLEngine on
        # For example with certbot (you need a certificate to run https)
        SSLCertificateFile /etc/letsencrypt/live/peertube.example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/peertube.example.com/privkey.pem

        # HSTS (mod_headers is required) (63072000 seconds = 2 years) (only activate it knowingly)
        #Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

        Header always set X-Content-Type-Options nosniff
        Header always set X-Robots-Tag none
        Header always set X-XSS-Protection "1; mode=block"

        # Hard limit, PeerTube does not support videos > 4GB
        LimitRequestBody 4294967294

        # Set caching on assets for 1 year
        <FilesMatch ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$>
                Header append Cache-Control "public, max-age=31536000, immutable"
        </FilesMatch>
        AliasMatch ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ /var/www/peertube/peertube-latest/client/dist/$1

        # Set caching on image files for 1 year
        <FilesMatch ^/static/(thumbnails|avatars)/(.*)$>
                Header append Cache-Control "public, max-age=31536000, immutable"
        </FilesMatch>
        AliasMatch ^/static/(thumbnails|avatars)/(.*)$ /var/www/peertube/storage/$1/$2

        # Bypass PeerTube webseed route for better performances
        Alias /static/webseed /var/www/peertube/storage/videos
        <Location /static/webseed>
                # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
                SetOutputFilter RATE_LIMIT
                SetEnv rate-limit 800

                SetEnvIf Request_Method "GET" GETMETH=1

                Header set Access-Control-Allow-Origin "*" env=GETMETH
                Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=GETMETH
                Header set Access-Control-Allow-Methods "GET, OPTIONS" env=GETMETH
                Header set toto "foo" env=GETMETH
                SetEnvIf GETMETH "1" dontlog

                SetEnvIf Request_Method "OPTIONS" OPTIONSMETH=1

                Header set Access-Control-Allow-Origin "*" env=OPTIONSMETH
                Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=OPTIONSMETH
                Header set Access-Control-Allow-Methods "GET, OPTIONS" env=OPTIONSMETH
                Header set Access-Control-Max-Age "1000" env=OPTIONSMETH
                Header set Content-Type "text/plain charset=UTF-8" env=OPTIONSMETH
                Header set Content-Length "0" env=OPTIONSMETH
        </Location>

        <Location /videos/embed>
                Header unset X-Frame-Options
        </Location>

        ProxyPreserveHost On
        ProxyRequests On
        ProxyTimeout 600

        # Websocket tracker
        RewriteEngine On
        RewriteCond %{HTTP:Upgrade} websocket [NC]
        RewriteRule /(.*) ws://127.0.0.1:9000/$1 [P,L]

        <Location />
                ProxyPass http://127.0.0.1:9000/
        </Location>

        ErrorLog "/var/log/httpd/peertube.example.com.error.log"
        CustomLog "/var/log/httpd/peertube.example.com.access.log" common env=!dontlog
</VirtualHost>
	# It's generally not a good idea to broadcast the version of Apache you run
	ServerSignature Off
	ServerTokens Prod

	# Security configuration
	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
	SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
	SSLHonorCipherOrder on
	# Requires Apache >= 2.4
	SSLCompression off
	# To use stapling, we have to enable it globally
	SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
	# OCSP Stapling requires Apache >= 2.3.3
	SSLUseStapling on
	SSLStaplingResponderTimeout 5
	SSLStaplingReturnResponderErrors off
	SSLSessionTickets off # Requires Apache >= 2.4.11


	<VirtualHost *:80 [::]:80>
	ServerName peertube.example.com
	ServerAdmin webmaster@example.com
	Protocols h2c http/1.1

	RewriteEngine On
	RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
	RewriteCond %{HTTPS} off
	RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

	Alias /.well-known/acme-challenge/ /var/www/certbot/
	<Directory /var/www/certbot>
	Options None
	AllowOverride None
	ForceType text/plain
	RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
	Require method GET POST OPTIONS
	</Directory>

	ErrorLog "/var/log/httpd/peertube.example.com.error.log"
	CustomLog "/var/log/httpd/peertube.example.com.access.log" common env=!dontlog
	</VirtualHost>

	<VirtualHost *:443 [::]:443>
	ServerName peertube.example.com
	ServerAdmin webmaster@example.com
	Protocols h2 http/1.1

	SSLEngine on
	# For example with certbot (you need a certificate to run https)
	SSLCertificateFile /etc/letsencrypt/live/peertube.example.com/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/peertube.example.com/privkey.pem

	# HSTS (mod_headers is required) (63072000 seconds = 2 years) (only activate it knowingly)
	#Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

	Header always set X-Content-Type-Options nosniff
	Header always set X-Robots-Tag none
	Header always set X-XSS-Protection "1; mode=block"

	# Hard limit, PeerTube does not support videos > 4GB
	LimitRequestBody 4294967294

	# Set caching on assets for 1 year
	<FilesMatch ^/client/(.*\.(js\|css\|woff2\|otf\|ttf\|woff\|eot))$>
	Header append Cache-Control "public, max-age=31536000, immutable"
	</FilesMatch>
	AliasMatch ^/client/(.*\.(js\|css\|woff2\|otf\|ttf\|woff\|eot))$ /var/www/peertube/peertube-latest/client/dist/$1

	# Set caching on image files for 1 year
	<FilesMatch ^/static/(thumbnails\|avatars)/(.*)$>
	Header append Cache-Control "public, max-age=31536000, immutable"
	</FilesMatch>
	AliasMatch ^/static/(thumbnails\|avatars)/(.*)$ /var/www/peertube/storage/$1/$2

	# Bypass PeerTube webseed route for better performances
	Alias /static/webseed /var/www/peertube/storage/videos
	<Location /static/webseed>
	# Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
	SetOutputFilter RATE_LIMIT
	SetEnv rate-limit 800

	SetEnvIf Request_Method "GET" GETMETH=1

	Header set Access-Control-Allow-Origin "*" env=GETMETH
	Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=GETMETH
	Header set Access-Control-Allow-Methods "GET, OPTIONS" env=GETMETH
	Header set toto "foo" env=GETMETH
	SetEnvIf GETMETH "1" dontlog

	SetEnvIf Request_Method "OPTIONS" OPTIONSMETH=1

	Header set Access-Control-Allow-Origin "*" env=OPTIONSMETH
	Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=OPTIONSMETH
	Header set Access-Control-Allow-Methods "GET, OPTIONS" env=OPTIONSMETH
	Header set Access-Control-Max-Age "1000" env=OPTIONSMETH
	Header set Content-Type "text/plain charset=UTF-8" env=OPTIONSMETH
	Header set Content-Length "0" env=OPTIONSMETH
	</Location>

	<Location /videos/embed>
	Header unset X-Frame-Options
	</Location>

	ProxyPreserveHost On
	ProxyRequests On
	ProxyTimeout 600

	# Websocket tracker
	RewriteEngine On
	RewriteCond %{HTTP:Upgrade} websocket [NC]
	RewriteRule /(.*) ws://127.0.0.1:9000/$1 [P,L]

	<Location />
	ProxyPass http://127.0.0.1:9000/
	</Location>

	ErrorLog "/var/log/httpd/peertube.example.com.error.log"
	CustomLog "/var/log/httpd/peertube.example.com.access.log" common env=!dontlog
	</VirtualHost>