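# requires WebSocket support with `a2enmod proxy_wstunnel`
# (the vhosts below also rely on mod_ssl, mod_headers, mod_rewrite, mod_proxy,
#  mod_proxy_http, mod_ratelimit, and mod_http2 for "Protocols h2"; mod_http2
#  needs the event or worker MPM)

# It's generally not a good idea to broadcast the version of Apache you run
ServerSignature Off
ServerTokens Prod

# TLS settings, originally taken from the Mozilla SSL configuration generator:
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.28&openssl=1.0.1e&hsts=yes&profile=modern
# NOTE(review): that profile was generated against OpenSSL 1.0.1e. The cipher
# string below still admits non-AEAD AES256-CBC suites (AES256+EECDH and
# AES256+EDH) and has no ChaCha20-Poly1305; regenerate it against the OpenSSL
# version you actually run before calling it "modern". TLSv1.3 suites (OpenSSL
# >= 1.1.1) are not governed by this directive at all.
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
# Leaves only TLSv1.2 enabled (plus TLSv1.3 where the OpenSSL build supports it)
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# The server's preference order wins over the client's
SSLHonorCipherOrder on
# Disable TLS-level compression (CRIME). Requires Apache >= 2.4
SSLCompression off

# To use stapling, we have to enable it globally
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# OCSP Stapling requires Apache >= 2.3.3
SSLUseStapling on
SSLStaplingResponderTimeout 5
# Only "good" responder answers are stapled; responder errors are not passed
# on to clients (they would otherwise fail the handshake)
SSLStaplingReturnResponderErrors off

# Requires Apache >= 2.4.11. Tickets are off because mod_ssl's ticket key is
# not rotated for the life of the process, which weakens forward secrecy for
# resumed sessions. This comment MUST stay on its own line: Apache does not
# accept trailing comments after a directive, so the former
# "SSLSessionTickets off # Requires ..." form made httpd refuse to start.
SSLSessionTickets off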
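<VirtualHost *:80 [::]:80>
    ServerName peertube.example.com
    ServerAdmin webmaster@example.com

    Protocols h2c http/1.1

    # Send everything to HTTPS, except the ACME HTTP-01 challenge path, which
    # the CA has to fetch over plain HTTP.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
    RewriteCond %{HTTPS} off
    # Redirect to the canonical ServerName instead of %{HTTP_HOST}: the Host
    # header is client-controlled, and reflecting it would bounce a request
    # carrying a forged Host to an attacker-chosen origin (Host-header
    # injection). mod_rewrite appends the original query string automatically.
    RewriteRule (.*) https://peertube.example.com%{REQUEST_URI} [L,R=301]

    # ACME webroot used by certbot (--webroot -w /var/www/certbot)
    Alias /.well-known/acme-challenge/ /var/www/certbot/
    <Directory /var/www/certbot>
        Options None
        AllowOverride None
        # Challenge responses are opaque tokens; never let them be interpreted
        ForceType text/plain
        # Anything under the webroot whose name is not exactly one 43-character
        # base64url token is not a challenge file: answer 404 rather than
        # expose stray files dropped in that directory.
        RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
        # HTTP-01 validation only ever GETs the token (HEAD is implied by GET);
        # POST and OPTIONS were previously allowed here for no reason.
        Require method GET
    </Directory>

    ErrorLog "/var/log/httpd/peertube.example.com.error.log"
    # "dontlog" is only ever set in the 443 vhost; the condition is harmless here
    CustomLog "/var/log/httpd/peertube.example.com.access.log" common env=!dontlog
</VirtualHost>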
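<VirtualHost *:443 [::]:443>
    ServerName peertube.example.com
    ServerAdmin webmaster@example.com

    # mod_http2 needs the event or worker MPM; drop "h2" if you run prefork
    Protocols h2 http/1.1

    SSLEngine on
    # For example with certbot (you need a certificate to run https)
    SSLCertificateFile /etc/letsencrypt/live/peertube.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/peertube.example.com/privkey.pem

    # HSTS: the Mozilla profile this file cites was generated with hsts=yes,
    # but the header itself was missing. Two years, as in that profile. Use a
    # short max-age while validating that every resource works over HTTPS:
    # once received, browsers refuse plain HTTP for this host until it expires.
    Header always set Strict-Transport-Security "max-age=63072000"
    Header always set X-Content-Type-Options nosniff
    # "none" is noindex,nofollow: this hides the whole instance from search engines
    Header always set X-Robots-Tag none
    Header always set X-XSS-Protection "1; mode=block"

    # Bypass PeerTube webseed route for better performances.
    # NOTE(review): this serves everything under storage/videos straight from
    # disk, so any access control PeerTube applies on its own route is
    # skipped. Keep it only if every file in that directory is meant to be public.
    Alias /static/webseed /var/www/peertube/storage/videos
    <Directory /var/www/peertube/storage/videos>
        # Same hardening as the certbot webroot: no directory listing, no
        # symlink following, no .htaccess. The distribution's global
        # <Directory /var/www> block may otherwise enable Indexes here.
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    <Location /static/webseed>
        # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
        SetOutputFilter RATE_LIMIT
        SetEnv rate-limit 800

        # CORS for GET. "always" is used so the headers are also present on
        # 304 and 416 responses (If-Modified-Since and Range are in the
        # allowed list); plain "Header set" only touches the success table.
        SetEnvIf Request_Method "GET" GETMETH=1
        Header always set Access-Control-Allow-Origin "*" env=GETMETH
        Header always set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=GETMETH
        Header always set Access-Control-Allow-Methods "GET, OPTIONS" env=GETMETH
        # Video chunk fetches are too noisy for the access log
        SetEnvIf GETMETH "1" dontlog

        # CORS preflight
        SetEnvIf Request_Method "OPTIONS" OPTIONSMETH=1
        Header always set Access-Control-Allow-Origin "*" env=OPTIONSMETH
        Header always set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=OPTIONSMETH
        Header always set Access-Control-Allow-Methods "GET, OPTIONS" env=OPTIONSMETH
        Header always set Access-Control-Max-Age "1000" env=OPTIONSMETH
        Header set Content-Type "text/plain charset=UTF-8" env=OPTIONSMETH
        Header set Content-Length "0" env=OPTIONSMETH
    </Location>

    # Embeds are meant to be framed by other sites.
    # NOTE(review): X-Frame-Options is not set anywhere in this file; this
    # only has an effect if the upstream application sets it on its responses.
    <Location /videos/embed>
        Header unset X-Frame-Options
    </Location>

    # Reverse proxy to the PeerTube process.
    # Off is the default; stated explicitly because an accidental
    # "ProxyRequests On" would turn this vhost into an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyTimeout 600

    # Websocket tracker: Upgrade requests go to the backend over ws://
    # (needs mod_proxy_wstunnel). Anchored so only the leading "/" is stripped.
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteRule ^/(.*) ws://127.0.0.1:9000/$1 [P,L]

    # Everything else goes to the PeerTube process
    <Location />
        ProxyPass http://127.0.0.1:9000/ timeout=600
    </Location>
    # Exclude the webseed path from the catch-all above, otherwise the
    # inherited Location-scoped ProxyPass is evaluated before mod_alias and
    # the Alias never fires (requests still get proxied to the backend).
    # Location sections merge in configuration order, so this block has to
    # come after <Location />.
    <Location /static/webseed>
        ProxyPass !
    </Location>

    ErrorLog "/var/log/httpd/peertube.example.com.error.log"
    CustomLog "/var/log/httpd/peertube.example.com.access.log" common env=!dontlog
</VirtualHost>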
Thanks! |
La ligne |
Thanks for your file. |
It nearly works: I made my certificates with certbot, but Apache won't start because it can't find a file, even though the file exists. If I copy and paste the path I get a symlink.
Here the file exists and contains the certificates:
The value used is not listed in the Apache 2.4 reference, but you do not get any error.
Thanks for this configuration, it seems to mostly work for me, however uploads of videos of a certain size(above 300 MB apparently) seem to fail and I get 502 errors with log entries like this:
I split the config file into several files (one per vhost and one common .conf); could this be a proxy problem? I'm not sure why it fails, but smaller videos do work.
Unless I am missing something, this configuration is very dangerous due to the inclusion of the Also, while I'm at it, (Again, please tell me if I'm missing something - I'd love to be corrected |
maybe somebody still searches this:
@strugee thanks for the notification! I corrected it. |
@rigelk thank you! |
Please note that this isn't enough to put the configuration on par with the file-serving optimizations of the project's Nginx configuration. I'm open to contributions for that.
Hi, |
Thanks for this! I couldn't get the WebSocket to work until I grabbed this code.