/peertube.conf
Last active Aug 3, 2019
An opinionated httpd/Apache vhost to run PeerTube, following Mozilla's modern security practices as of https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.28&openssl=1.0.1e&hsts=yes&profile=modern | don't forget to enable WebSockets with `a2enmod proxy_wstunnel`
| # It's generally not a good idea to broadcast the version of Apache you run | |
| ServerSignature Off | |
| ServerTokens Prod | |
| # Security configuration | |
| SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH | |
| SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 | |
| SSLHonorCipherOrder on | |
| # Requires Apache >= 2.4 | |
| SSLCompression off | |
| # To use stapling, we have to enable it globally | |
| SSLStaplingCache "shmcb:logs/stapling-cache(150000)" | |
| # OCSP Stapling requires Apache >= 2.3.3 | |
| SSLUseStapling on | |
| SSLStaplingResponderTimeout 5 | |
| SSLStaplingReturnResponderErrors off | |
| SSLSessionTickets off # Requires Apache >= 2.4.11 | |
| <VirtualHost *:80 [::]:80> | |
| ServerName peertube.example.com | |
| ServerAdmin webmaster@example.com | |
| Protocols h2c http/1.1 | |
| RewriteEngine On | |
| RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/ | |
| RewriteCond %{HTTPS} off | |
| RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] | |
| Alias /.well-known/acme-challenge/ /var/www/certbot/ | |
| <Directory /var/www/certbot> | |
| Options None | |
| AllowOverride None | |
| ForceType text/plain | |
| RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)" | |
| Require method GET POST OPTIONS | |
| </Directory> | |
| ErrorLog "/var/log/httpd/peertube.example.com.error.log" | |
| CustomLog "/var/log/httpd/peertube.example.com.access.log" common env=!dontlog | |
| </VirtualHost> | |
| <VirtualHost *:443 [::]:443> | |
| ServerName peertube.example.com | |
| ServerAdmin webmaster@example.com | |
| Protocols h2 http/1.1 | |
| SSLEngine on | |
| # For example with certbot (you need a certificate to run https) | |
| SSLCertificateFile /etc/letsencrypt/live/peertube.example.com/fullchain.pem | |
| SSLCertificateKeyFile /etc/letsencrypt/live/peertube.example.com/privkey.pem | |
| # HSTS (mod_headers is required) (63072000 seconds = 2 years) (only activate it knowingly) | |
| #Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" | |
| Header always set X-Content-Type-Options nosniff | |
| Header always set X-Robots-Tag none | |
| Header always set X-XSS-Protection "1; mode=block" | |
| # Hard limit, PeerTube does not support videos > 4GB | |
| LimitRequestBody 4294967294 | |
| # Set caching on assets for 1 year | |
| <FilesMatch ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$> | |
| Header append Cache-Control "public, max-age=31536000, immutable" | |
| </FilesMatch> | |
| AliasMatch ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ /var/www/peertube/peertube-latest/client/dist/$1 | |
| # Set caching on image files for 1 year | |
| <FilesMatch ^/static/(thumbnails|avatars)/(.*)$> | |
| Header append Cache-Control "public, max-age=31536000, immutable" | |
| </FilesMatch> | |
| AliasMatch ^/static/(thumbnails|avatars)/(.*)$ /var/www/peertube/storage/$1/$2 | |
| # Bypass PeerTube webseed route for better performances | |
| Alias /static/webseed /var/www/peertube/storage/videos | |
| <Location /static/webseed> | |
| # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client | |
| SetOutputFilter RATE_LIMIT | |
| SetEnv rate-limit 800 | |
| SetEnvIf Request_Method "GET" GETMETH=1 | |
| Header set Access-Control-Allow-Origin "*" env=GETMETH | |
| Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=GETMETH | |
| Header set Access-Control-Allow-Methods "GET, OPTIONS" env=GETMETH | |
| Header set toto "foo" env=GETMETH | |
| SetEnvIf GETMETH "1" dontlog | |
| SetEnvIf Request_Method "OPTIONS" OPTIONSMETH=1 | |
| Header set Access-Control-Allow-Origin "*" env=OPTIONSMETH | |
| Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=OPTIONSMETH | |
| Header set Access-Control-Allow-Methods "GET, OPTIONS" env=OPTIONSMETH | |
| Header set Access-Control-Max-Age "1000" env=OPTIONSMETH | |
| Header set Content-Type "text/plain charset=UTF-8" env=OPTIONSMETH | |
| Header set Content-Length "0" env=OPTIONSMETH | |
| </Location> | |
| <Location /videos/embed> | |
| Header unset X-Frame-Options | |
| </Location> | |
| ProxyPreserveHost On | |
| ProxyRequests On | |
| ProxyTimeout 600 | |
| # Websocket tracker | |
| RewriteEngine On | |
| RewriteCond %{HTTP:Upgrade} websocket [NC] | |
| RewriteRule /(.*) ws://127.0.0.1:9000/$1 [P,L] | |
| <Location /> | |
| ProxyPass http://127.0.0.1:9000/ | |
| </Location> | |
| ErrorLog "/var/log/httpd/peertube.example.com.error.log" | |
| CustomLog "/var/log/httpd/peertube.example.com.access.log" common env=!dontlog | |
| </VirtualHost> |
This comment has been minimized.
This comment has been minimized.
WayOutt
commented
May 6, 2018
|
Thanks! |
This comment has been minimized.
This comment has been minimized.
Pofilo
commented
Jul 5, 2018
|
La ligne |
This comment has been minimized.
This comment has been minimized.
MonsieurPoutounours
commented
Nov 4, 2018
|
Thanks for your file. |
This comment has been minimized.
This comment has been minimized.
tykayn
commented
Dec 3, 2018
|
it nearly works, i have my certificates made with certbot but apache wont start because he cant find a file, but the file exists. i copy and paste the path and i get a symlink. here, the file exists and is filled with certificates: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This comment has been minimized.
koehn commentedMar 21, 2018
Thanks for this! I couldn't get the Websocket to work until I grabbed this code.