Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
An opinionated httpd/Apache vhost to run PeerTube, following Mozilla's modern security practices as of https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.28&openssl=1.0.1e&hsts=yes&profile=modern | don't forget to enable WebSockets with `a2enmod proxy_wstunnel`
# It's generally not a good idea to broadcast the version of Apache you run
ServerSignature Off
ServerTokens Prod
# Security configuration
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
# Requires Apache >= 2.4
SSLCompression off
# To use stapling, we have to enable it globally
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# OCSP Stapling requires Apache >= 2.3.3
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLSessionTickets off # Requires Apache >= 2.4.11
<VirtualHost *:80 [::]:80>
ServerName peertube.example.com
ServerAdmin webmaster@example.com
Protocols h2c http/1.1
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Alias /.well-known/acme-challenge/ /var/www/certbot/
<Directory /var/www/certbot>
Options None
AllowOverride None
ForceType text/plain
RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
Require method GET POST OPTIONS
</Directory>
ErrorLog "/var/log/httpd/peertube.example.com.error.log"
CustomLog "/var/log/httpd/peertube.example.com.access.log" common env=!dontlog
</VirtualHost>
<VirtualHost *:443 [::]:443>
ServerName peertube.example.com
ServerAdmin webmaster@example.com
Protocols h2 http/1.1
SSLEngine on
# For example with certbot (you need a certificate to run https)
SSLCertificateFile /etc/letsencrypt/live/peertube.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/peertube.example.com/privkey.pem
# HSTS (mod_headers is required) (63072000 seconds = 2 years) (only activate it knowingly)
#Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Content-Type-Options nosniff
Header always set X-Robots-Tag none
Header always set X-XSS-Protection "1; mode=block"
# Hard limit, PeerTube does not support videos > 4GB
LimitRequestBody 4294967294
# Set caching on assets for 1 year
<FilesMatch ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$>
Header append Cache-Control "public, max-age=31536000, immutable"
</FilesMatch>
AliasMatch ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ /var/www/peertube/peertube-latest/client/dist/$1
# Set caching on image files for 1 year
<FilesMatch ^/static/(thumbnails|avatars)/(.*)$>
Header append Cache-Control "public, max-age=31536000, immutable"
</FilesMatch>
AliasMatch ^/static/(thumbnails|avatars)/(.*)$ /var/www/peertube/storage/$1/$2
# Bypass PeerTube webseed route for better performances
Alias /static/webseed /var/www/peertube/storage/videos
<Location /static/webseed>
# Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
SetOutputFilter RATE_LIMIT
SetEnv rate-limit 800
SetEnvIf Request_Method "GET" GETMETH=1
Header set Access-Control-Allow-Origin "*" env=GETMETH
Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=GETMETH
Header set Access-Control-Allow-Methods "GET, OPTIONS" env=GETMETH
Header set toto "foo" env=GETMETH
SetEnvIf GETMETH "1" dontlog
SetEnvIf Request_Method "OPTIONS" OPTIONSMETH=1
Header set Access-Control-Allow-Origin "*" env=OPTIONSMETH
Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=OPTIONSMETH
Header set Access-Control-Allow-Methods "GET, OPTIONS" env=OPTIONSMETH
Header set Access-Control-Max-Age "1000" env=OPTIONSMETH
Header set Content-Type "text/plain charset=UTF-8" env=OPTIONSMETH
Header set Content-Length "0" env=OPTIONSMETH
</Location>
<Location /videos/embed>
Header unset X-Frame-Options
</Location>
ProxyPreserveHost On
ProxyRequests On
ProxyTimeout 600
# Websocket tracker
RewriteEngine On
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:9000/$1 [P,L]
<Location />
ProxyPass http://127.0.0.1:9000/
</Location>
ErrorLog "/var/log/httpd/peertube.example.com.error.log"
CustomLog "/var/log/httpd/peertube.example.com.access.log" common env=!dontlog
</VirtualHost>
@koehn

This comment has been minimized.

Copy link

commented Mar 21, 2018

Thanks for this! I couldn't get the Websocket to work until I grabbed this code.

@WayOutt

This comment has been minimized.

Copy link

commented May 6, 2018

Thanks!

@Pofilo

This comment has been minimized.

Copy link

commented Jul 5, 2018

La ligne Header always set X-Frame-Options DENY empêche le fonctionnement des iframe.
Si vous voulez autoriser les iframe, il faut donc supprimer cette ligne.

@MonsieurPoutounours

This comment has been minimized.

Copy link

commented Nov 4, 2018

Thanks for your file.
With this configuration, i got several error log lines like this : AH00082: an unknown filter was not added: RATE_LIMIT
Can this be avoided by adding directives ?

@tykayn

This comment has been minimized.

Copy link

commented Dec 3, 2018

it nearly works, i have my certificates made with certbot but apache wont start because he cant find a file, but the file exists. i copy and paste the path and i get a symlink.

sudo apache2ctl configtest
AH00526: Syntax error on line 51 of /etc/apache2/sites-enabled/peertube.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/peertube.cipherbliss.com/fullchain.pem' does not exist or is empty
Action 'configtest' failed.

here, the file exists and is filled with certificates:

sudo ls -larth /etc/letsencrypt/live/peertube.cipherbliss.com/fullchain.pem
lrwxrwxrwx 1 root root 53 Dec  2 20:45 /etc/letsencrypt/live/peertube.cipherbliss.com/fullchain.pem -> ../../archive/peertube.cipherbliss.com/fullchain2.pem
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.