a now OUTDATED httpd/Apache vhost to run PeerTube | note that only Nginx is supported by the PeerTube team, and with this or any other Apache configuration, you will likely get NO SUPPORT.

peertube.conf

# requires WebSocket support with `a2enmod proxy_wstunnel`
# check https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.6 for hardening security

<VirtualHost *:80 [::]:80>
        ServerName peertube.example.com
        ServerAdmin webmaster@example.com
        Protocols h2c http/1.1

        RewriteEngine On
        RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

        Alias /.well-known/acme-challenge/ /var/www/certbot/
        <Directory /var/www/certbot>
                Options None
                AllowOverride None
                ForceType text/plain
                RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
                Require method GET POST OPTIONS
        </Directory>

        ErrorLog "/var/log/httpd/peertube.example.com.error.log"
        CustomLog "/var/log/httpd/peertube.example.com.access.log" common env=!dontlog
</VirtualHost>

<VirtualHost *:443 [::]:443>
        ServerName peertube.example.com
        ServerAdmin webmaster@example.com
        Protocols h2 http/1.1

        SSLEngine on
        # For example with certbot (you need a certificate to run https)
        SSLCertificateFile /etc/letsencrypt/live/peertube.example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/peertube.example.com/privkey.pem

        Header always set X-Content-Type-Options nosniff
        Header always set X-Robots-Tag none
        Header always set X-XSS-Protection "1; mode=block"

        # Bypass PeerTube webseed route for better performances
        Alias /static/webseed /var/www/peertube/storage/videos
        <Location /static/webseed>
                # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
                SetOutputFilter RATE_LIMIT
                SetEnv rate-limit 800

                SetEnvIf Request_Method "GET" GETMETH=1

                Header set Access-Control-Allow-Origin "*" env=GETMETH
                Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=GETMETH
                Header set Access-Control-Allow-Methods "GET, OPTIONS" env=GETMETH
                SetEnvIf GETMETH "1" dontlog

                SetEnvIf Request_Method "OPTIONS" OPTIONSMETH=1

                Header set Access-Control-Allow-Origin "*" env=OPTIONSMETH
                Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=OPTIONSMETH
                Header set Access-Control-Allow-Methods "GET, OPTIONS" env=OPTIONSMETH
                Header set Access-Control-Max-Age "1000" env=OPTIONSMETH
                Header set Content-Type "text/plain charset=UTF-8" env=OPTIONSMETH
                Header set Content-Length "0" env=OPTIONSMETH
        </Location>

        <Location /videos/embed>
                Header unset X-Frame-Options
        </Location>

        ProxyPreserveHost On
        ProxyTimeout 600

        # Websocket tracker
        RewriteEngine On
        RewriteCond %{HTTP:Upgrade} websocket [NC]
        RewriteRule /(.*) ws://127.0.0.1:9000/$1 [P,L]

        <Location />
                ProxyPass http://127.0.0.1:9000/ timeout=600
        </Location>

        ErrorLog "/var/log/httpd/peertube.example.com.error.log"
        CustomLog "/var/log/httpd/peertube.example.com.access.log" common env=!dontlog
</VirtualHost>

it nearly works, i have my certificates made with certbot but apache wont start because he cant find a file, but the file exists. i copy and paste the path and i get a symlink.

sudo apache2ctl configtest
AH00526: Syntax error on line 51 of /etc/apache2/sites-enabled/peertube.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/peertube.cipherbliss.com/fullchain.pem' does not exist or is empty
Action 'configtest' failed.

here, the file exists and is filled with certificates:

sudo ls -larth /etc/letsencrypt/live/peertube.cipherbliss.com/fullchain.pem
lrwxrwxrwx 1 root root 53 Dec  2 20:45 /etc/letsencrypt/live/peertube.cipherbliss.com/fullchain.pem -> ../../archive/peertube.cipherbliss.com/fullchain2.pem

 # Hard limit, PeerTube does not support videos > 4GB
  LimitRequestBody 4294967294

The used value is not supported by apache 2.4 reference but you do not get any error.

Die Direktive gibt die Anzahl der Bytes zwischen 0 (unbegrenzt) und 2147483647 (2GB) an, die im Request-Body (Datenteil der Anfrage) erlaubt sind.

Thanks for this configuration, it seems to mostly work for me, however uploads of videos of a certain size(above 300 MB apparently) seem to fail and I get 502 errors with log entries like this:

[Sat Apr 25 21:50:31.382970 2020] [proxy_http:error] [pid 19633] [client 8*.15*.2*.1**:47097] AH01097: pass request body failed to 127.0.0.1:9000 (127.0.0.1) from 8*.15*.2*.1** (), referer: https://peertube.***.de/videos/upload

I did split up the config file into several files (one for each vhost and one common .conf), is it possible this is a proxy problem? Because I'm not quite sure why this fails, but smaller videos do work.

Unless I am missing something, this configuration is very dangerous due to the inclusion of the ProxyRequests on. See https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxyrequests - this directive is not required to make ProxyPass work, and instead turns your Apache server into a forward proxy. This means that it can be used as an open proxy which can be used to connect to any host your Apache server can talk to, including other internal services running on localhost (possibly including non-HTTP services) - not just your PeerTube server running on localhost. Running an open proxy like this is a fantastic way to get on lists of problematic/infected/etc. IP addresses like, for example, Spamhaus XBL. Please remove this directive.

Also, while I'm at it, preload probably shouldn't be in the HSTS directive since people tend to not understand what that does. Instead there should be a comment telling folks to follow the instructions on hstspreload.org (see https://hstspreload.org/#opt-in for where this advice/request comes from).

(Again, please tell me if I'm missing something - I'd love to be corrected 😅)

Thanks for your file.
With this configuration, i got several error log lines like this : AH00082: an unknown filter was not added: RATE_LIMIT
Can this be avoided by adding directives ?

maybe somebody still searches this:
you either add:
LoadModule ratelimit_module modules/mod_ratelimit.so
or delete:

                SetOutputFilter RATE_LIMIT
                SetEnv rate-limit 800

@strugee thanks for the notification! I corrected it.

@rigelk thank you! 🎉

please note that isn't enough to make the configuration on par with the file serving optimizations of the project's Nginx configuration. I'm open to contributions for that 🙂

Thanks for this configuration, it seems to mostly work for me, however uploads of videos of a certain size(above 300 MB apparently) seem to fail and I get 502 errors with log entries like this:

[Sat Apr 25 21:50:31.382970 2020] [proxy_http:error] [pid 19633] [client 8*.15*.2*.1**:47097] AH01097: pass request body failed to 127.0.0.1:9000 (127.0.0.1) from 8*.15*.2*.1** (), referer: https://peertube.***.de/videos/upload

I did split up the config file into several files (one for each vhost and one common .conf), is it possible this is a proxy problem? Because I'm not quite sure why this fails, but smaller videos do work.

Hi,
I am facing this very much the same problem. Were you able to resolve the issue in the meantime?
Martin.

Thanks for this configuration, it seems to mostly work for me, however uploads of videos of a certain size(above 300 MB apparently) seem to fail and I get 502 errors with log entries like this:
[Sat Apr 25 21:50:31.382970 2020] [proxy_http:error] [pid 19633] [client 8*.15*.2*.1**:47097] AH01097: pass request body failed to 127.0.0.1:9000 (127.0.0.1) from 8*.15*.2*.1** (), referer: https://peertube.***.de/videos/upload
I did split up the config file into several files (one for each vhost and one common .conf), is it possible this is a proxy problem? Because I'm not quite sure why this fails, but smaller videos do work.

Hi,
I am facing this very much the same problem. Were you able to resolve the issue in the meantime?
Martin.

Hello, any news about this issue ? thanks.

Thanks for this configuration, it seems to mostly work for me, however uploads of videos of a certain size(above 300 MB apparently) seem to fail and I get 502 errors with log entries like this:
[Sat Apr 25 21:50:31.382970 2020] [proxy_http:error] [pid 19633] [client 8*.15*.2*.1**:47097] AH01097: pass request body failed to 127.0.0.1:9000 (127.0.0.1) from 8*.15*.2*.1** (), referer: https://peertube.***.de/videos/upload
I did split up the config file into several files (one for each vhost and one common .conf), is it possible this is a proxy problem? Because I'm not quite sure why this fails, but smaller videos do work.

Hi,
I am facing this very much the same problem. Were you able to resolve the issue in the meantime?
Martin.

Hello, any news about this issue ? thanks.

Hi!
No, not that I'm aware of. As has been pointed out this configuration is outdated and apparently peertube's devs do not and don't plan on supporting the Apache 2 web server with a configuration. I don't know enough about nginx to see in which way the necessary configuration could be replicated with apache and so my takeaway is that maybe it can't be replicated and as of now peertube doesn't fully work with apache.

Thanks for telling, I kind of solved the problem by uploading larger videos with the command line and not via the web interface. Otherwise I am pretty satisfied. Martin.

--- -----BEGIN PGP PUBLIC KEY BLOCK----- mQINBF/VIZ8BEADrUBes4ZkfCVpNpChElDxCwIorpTjiZIrzTXvXKX4zH1pQrF/c i6XJ9R6B2y/XPm22VrdngLErqBvM60LIVwrAplPrenc+UQJ7829IpaNcb/DqnYlB 2Q418bP3J9CN36NlQFNGeycc5pEt9E01MWjxN5YHAyYNEokNj7/OclD83d4aTvLP OyZSChH2IKvywM8E/bclNVHYeyxkJtbuwyBu+IRQojm02PzuomPUARuTCAutCF3k N45kA6tMYXuW03Mn4yyDKp/p8NQ59KyPj1WJVlxvpIzk+hh0Wrrq0sbXbav7jg3a oV1tjjK320NxvLzs7QZI0lcjojamMdHc9tm43/31PxL+CQQcTLlm2xeBjsYfEACE p1d+OWiDB0jN7TX6sBoWlz9lpSUSwnldVW3n2JHhY84gSQhujF5gccCpupUet8hq MBmFp42h+dXx8dzpeXqBoHeCn5Q6NtxGEG0mu5RYNaHvgrx00G66cutIVZUfryZm l3oq/WKVXGc4x/Zvv8RIiPWFmY0DEczE2fN5Way0Yo1x9WT3UZMkdnZhIcEqUVKU hIuvSkwr30/ZS7TIE1wwheWDfjpLZ7zEhjiK5PAV+AFjKl/Sjptsjc+YsHG1MDHa JM2GLoLIxbZMuj7ENWUQBw7e2zukyQKVcH+6FXSH6BJUt7Vd7SO9tWX1MQARAQAB tCtNYXJ0aW4gU3RlbnplbCA8bS5zdGVuemVsQG1haWwueHktc3BhY2UuZGU+iQI1 BBABCAAfBQJf1SGfBgsJBwgDAgQVCAoCAxYCAQIZAQIbAwIeAQAKCRBJ6ZRm52MB SATxD/9AOdsZR+GecHbk9NJQz0xeW2HU4nshPqXVAHdmq3SfMLP/BhHgKNth5t1B iX9U1l4ivGO0IZNWTlCHQj6/WnmDD+QyagyLVED4BE2aBKqKE7e+p99CzYb1yHzL NYoMs0GupBbUr5tYAKpc5ed2TjOLTnhM9zrzT98UhUlr0kkIyOOjKFFeM+ulAgJp C+2049qq02l1XU/RUI/ip/surJtOLO4GOLjUmmT3L/4gEPOx6BQ7Tql1/3RNGMfa q0B1fYdA+mqCghbp9DAvQoOljUV5+nnF31ZyiXoFY1APsYyzxkwOg4SIleujM9bm vTaQSyT8hyGVnhye1E9wOtTdeCvps3kg0iVV0SX+AJ+uuYsGs2UZsVkrFsA9qA6F uUMT+JUWT11RqagotqH7pucUmt5F3aFTzkuEeJW6fXvuSx0eBQWG4XIIpc0J5nuZ wbSFVGsjKWS8BV3agxiqtillJq3qbCSAIutbiRroupk6DTAV+/tfvDo6O6vmzpD/ F13xCWqx0pQO6/K9eku5lYCWwRoNAnmm92YMI50N4CISfGHw1DUNMHjxQj3axRtv mWCwEKjrRU7OWfDNzzJQgglwhWQChli4kNHHC0aVCUCF3HWjcW0qSg0hdMBsB7Qt zVXxEFg0k5zYl+z+L0nzx2hMreYYuX5JRqLztcpwF79rFJZgKrkCDQRf1SGfARAA ypFKB4gczOB1nrJ/cnzkCG/bv4G8/1NCE3uxYLhxVpWwVW+mutuqGpaxIL4cJjpu HCBrhECSWbqYDTiKAeLFpU3WAewjUnJQ1bE1TcFJXxuRXhcHY4o5ZDrJ4c3UmvEt G3lPuVWk0L5LNhkjGuJ46TAxTntWiB+OLRuPCEeiXoAaqsi6+VC1uMc3VouparrV o1H2fUZCJ4XcxBNZmpgs7z573r0L7HfMN62Ox5QSjVSMCv5ZNWum7hJGl+6IeFD0 KgxwbCAHiJMBsv0TMkwtj3CUk//S/mQgMwhxKrmMqyf/uC6mbbVAgr4KcA4LPkYT B0+ZmplZjb07Raz3fheEI8GirQeyH5VQpcTuJ1PLUPxIFS71L/VrZW14ScTy/Eng b/4fDfEpv+zly8RuVja6jbjbxTZSXGrNE7GF3cu5n0d1W2f0IZSceiQ88wglMeRh aesY3LBWhwwLGMwhXR9avv1zw7vyRDkbGR+4LZ0e0gf3DWFCrGmMy7xk9ZR/lNKK B6zzPPjiYbPL9ooyVrhKeGZGniS4i6v8N/Ps/E9G/cBkPBD6wA7BqgJIy6Xol4yW xgg7LMueg2hlbKWmSIL0q9x/CU2jH5Y8h9w3T9zBAFY5q1gXiST1MKuvY21lGZuK 2GfAkp6fl46k6TboWdxvi/Sb7C+VtXBCQD0HQB5dyPkAEQEAAYkCHwQYAQgACQUC X9UhnwIbDAAKCRBJ6ZRm52MBSKRfEACij4CVjrWhb71aZ3q/m7MQ/2q98cbLVKKD A6wcIuW18e6S1jTewG6uAu+fpXS97OPKgZcQj+jf77qx1VL+UrhL56otOhDQBsuv UQn9JmWtTSTqN3q1niTUJomL94QeWcvK/TS00hIAd8ibrlJHy0iVQpHiswwXjtay f7szsWeA73sg95X8pPYsTkzImbuU2V3l+mHgD9PRj26AuTyyBpuxopjRV8Fv+T0M yNwIdX+bxQbgAfz6DjDJuQjdCE25heLxsIsdECu4icSB+C0r64E+YposlCgojg2o tDEPcqI5AIUmudKuLsz0aE8MGs+Ao9AwvoSZvxaRH9HRuNvjTvVh/8mvlvPGrcpP jp2nteZGmK6K4jfWKpWzel2CrE0HgUuUuIvDnLn3KjfYbTCUePY//hoOzh8tUIpu dsYakaHovL1JcYNQp8B6O1FdhDWPZcXIFXE0e+Ze9qaoL42b5ffJbQmCp0uxM1OP WD+daDacEfzsp8q6BmzjLBeA80gHK3W2Zt+ZfTN8/HmAV8ukhPlSv2wAnJLt7TDP L4/UG+QKbEpdrstJxcO+pY32Q/GoCyr///kW8koUe8ON9W0xx79AaOKv9z7f9n9V UwdhUYhprUDCUASgDzDJO69R4TO1CQc9AK6FtgT0NE4jHU7xvEsPUpIaqGy+zQQN 2GvBVs8FBw== =y232 -----END PGP PUBLIC KEY BLOCK-----

On 2021-04-14 18:37, yodahome wrote: @yodahome commented on this gist. ------------------------- Thanks for this configuration, it seems to mostly work for me, however uploads of videos of a certain size(above 300 MB apparently) seem to fail and I get 502 errors with log entries like this: [Sat Apr 25 21:50:31.382970 2020] [proxy_http:error] [pid 19633] [client 8*.15*.2*.1**:47097] AH01097: pass request body failed to 127.0.0.1:9000 (127.0.0.1) from 8*.15*.2*.1** (), referer: https://peertube.***.de/videos/upload I did split up the config file into several files (one for each vhost and one common .conf), is it possible this is a proxy problem? Because I'm not quite sure why this fails, but smaller videos do work. Hi, I am facing this very much the same problem. Were you able to resolve the issue in the meantime? Martin.

Hello, any news about this issue ? thanks. Hi! No, not that I'm aware of. As has been pointed out this configuration is outdated and apparently peertube's devs do not and don't plan on supporting the Apache 2 web server with a configuration. I don't know enough about nginx to see in which way the necessary configuration could be replicated with apache and so my takeaway is that maybe it can't be replicated and as of now peertube doesn't fully work with apache.

…

-- You are receiving this because you commented. Reply to this email directly, view it on GitHub [1], or unsubscribe [2]. Links: ------ [1] https://gist.github.com/07a0b8963fa4fc1ad756374c28479bc7#gistcomment-3706156 [2] https://github.com/notifications/unsubscribe-auth/ASK2NWCMYDHJSWBYM6GN3JTTIXAEJANCNFSM4JQSUGFA

this is very sad that apache is not supported since hundred of millions of web server runs apache, and btw being the major web server on internent. anyhow, i'm working on it to support it, if nginx can do it, apache too.

this is very sad that apache is not supported since hundred of millions of web server runs apache, and btw being the major web server on internent. anyhow, i'm working on it to support it, if nginx can do it, apache too.

I absolutely agree with you, I desperately waiting for working Apache config so I can upgrade to v3.x

this is very sad that apache is not supported since hundred of millions of web server runs apache, and btw being the major web server on internent. anyhow, i'm working on it to support it, if nginx can do it, apache too.

I absolutely agree with you, I desperately waiting for working Apache config so I can upgrade to v3.x

Well, there is no officially supported config for Apache 2, but I've got it working using this very basic config in my vhost, so it seems this is no longer an issue:

ProxyPreserveHost On
ProxyRequests On

#ProxyTimeout 600
# Websocket tracker

RewriteEngine On
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:9000/$1 [P,L]
<Location />
ProxyPass http://127.0.0.1:9000/
</Location>

I'm not using the docker installation of course.

@yodahome
looks good, however I would like to make test on proxy balancer configuration if possible too.

@rigelk
Do you have any good nginx config sample file with the optimizations you are talking about so I can find the equivalent on apache (if it exists of course)?

Well, there is no officially supported config for Apache 2, but I've got it working using this very basic config in my vhost, so it seems this is no longer an issue:

ProxyPreserveHost On
ProxyRequests On

#ProxyTimeout 600
# Websocket tracker

RewriteEngine On
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:9000/$1 [P,L]
<Location />
ProxyPass http://127.0.0.1:9000/
</Location>

I'm not using the docker installation of course.

@yodahome
This sounds promising, have you checked if all peertube functions are executed without errors? I'm a little afraid that not all peertube features are properly supported, but this may not be immediately noticeable.
I don't use Docker either and would like to start a test with your config next weekend, it looks almost too simple to be true 😁
Thank you for sharing your config.

With that configuration, views will not be counted properly, nor will the API be protected against body size DoS attacks. Static files will be going through PeerTube before being handled by Apache, which means performance-wise, no gain is made from letting the PeerTube process do all the work. No Access-Control-Allow-Origin is set on some static assets, which means browsers on other domains running anything else than PeerTube (like, Pleroma displaying a PT account's avatar) will have errors.

Well, there is no officially supported config for Apache 2, but I've got it working using this very basic config in my vhost, so it seems this is no longer an issue:

ProxyPreserveHost On
ProxyRequests On

#ProxyTimeout 600
# Websocket tracker

RewriteEngine On
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:9000/$1 [P,L]
<Location />
ProxyPass http://127.0.0.1:9000/
</Location>

I'm not using the docker installation of course.

@yodahome
This sounds promising, have you checked if all peertube functions are executed without errors? I'm a little afraid that not all peertube features are properly supported, but this may not be immediately noticeable.
I don't use Docker either and would like to start a test with your config next weekend, it looks almost too simple to be true 😁
Thank you for sharing your config.

Well, what I have tested is: Video upload via web interface, federating with a bunch of other instances, subscribing to remote channels, viewing remote video (on my instance that is), liking, commenting, installing themes & plugins, registration, most stuff on the administration end I'd say. I have not yet tested whether I'm federating my videos properly although I have no indication (errors or logs) to believe otherwise.

I'm not saying this is a polished configuration, but it's a place to start from and then possibly try adding some of the options mentioned in the initial post as long as they don't break anything. I haven't had the time to do that but I assume it's possible. It's most certainly not optimized, but again, it's working for myself so far and I might test with a few users too. I don't plan on hosting a huge crowd or thousands of videos. 😉

With that configuration, views will not be counted properly, nor will the API be protected against body size DoS attacks. Static files will be going through PeerTube before being handled by Apache, which means performance-wise, no gain is made from letting the PeerTube process do all the work. No Access-Control-Allow-Origin is set on some static assets, which means browsers on other domains running anything else than PeerTube (like, Pleroma displaying a PT account's avatar) will have errors.

Hmm, so far the views on my local videos seem accurate, under which circumstances wouldn't they be? Do you mean federated views or views on remote videos?
And as mentioned above, in a next step I would try to add other options back in. I understand this is all primarily experimental at this point, but it's better than PT not working in Apache 2 at all.

having read the peetube nginx conf there is nothing really special that apache cannot do. The trick is to find the best apache settings that reacts like nginx at least, and maybe better.

Hmm, so far the views on my local videos seem accurate, under which circumstances wouldn't they be? Do you mean federated views or views on remote videos?

Maybe you haven't run into the problem so far, but without passing the proper IP through, the peertube process will only see the loopback adress as emitting the view. If you are alone watching videos, or not watching the same videos in a short timespan, then you are fine. Federated views are not impacted.

@rigelk
to get tie client ip intact

RemoteIPHeader X-Client-IP
RemoteIPHeader X-Forwarded-For

Thanks for providing the config! Works!

I would like to create a repo especially for peertube apache config respecting the default nginx peertube config.
who are intrested I start it please thumb up.

I would like to create a repo especially for peertube apache config respecting the default nginx peertube config. who are intrested I start it please thumb up.

I, for myself, installed both apache & nginx on the machine, and this works very well, with the help of a port (443) multiplexer

https://github.com/yrutschle/sslh

Martin.

@M-Stenzel
interesting, but I want to avoid another layer of software and offer an apache conf from peertube nginx default

Here is the full apache config which is the closest of the nginx peertube default

---

SSLSessionCache                 "shmcb:/usr/local/apache/logs/ssl_gcache_data(512000)"
SSLSessionCacheTimeout          87400
SSLStaplingCache                shmcb:logs/stapling-cache(150000)

# Minimum Apache version required:  2.4.32 (released March 14th, 2018)
# Please check your Apache installation features the following modules via 'apachectl -M':
# STANDARD HTTP MODULES: core_module, proxy_module, proxy_http2_module, proxy_wstunnel_module, proxy_http_module, headers_module, remoteip_module, ssl_module, filter_module, reqtimeout_module
# THIRD PARTY MODULES:   None.
# check https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.6 for hardening security

SSLSessionCache                 "shmcb:/usr/local/apache/logs/ssl_gcache_data(512000)"
SSLSessionCacheTimeout          87400
SSLStaplingCache                shmcb:logs/stapling-cache(150000)

<VirtualHost *:80 [::]:80>

	Protocols h2c http/1.1
	ServerName peertube.example.com
	ServerAdmin webmaster@example.com
	
	ErrorLog "/var/log/httpd/[peertube.example.com].error.log"
	CustomLog "/var/log/httpd/[peertube.example.com].access.log" common env=!dontlog

	RewriteEngine on
	RewriteOptions inherit
	
	RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
	RewriteCond %{HTTPS} off
	RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

	Alias /.well-known/acme-challenge/ /var/www/certbot/
	<Directory "/var/www/certbot">
		Options None
		AllowOverride None
		ForceType text/plain
		RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
		Require method GET POST OPTIONS
	</Directory>
	
</VirtualHost>

<VirtualHost *:443 [::]:443>
	Protocols h2 http/1.1

	ServerName example.com
	ServerAlias peertube.example.com

	RewriteEngine on
	RewriteOptions inherit

	CustomLog	"/usr/local/apache/logs/peertube.access.log" common "env=!dontlog"
	ErrorLog	"/usr/local/apache/logs/example.com.error.log"

	##
	# Certificates
	# you need a certificate to run in production. see https://letsencrypt.org/
	##
	
	SSLEngine	on
	SSLProxyEngine	on
	SSLCertificateFile /etc/letsencrypt/live/peertube.example.com/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/peertube.example.com/privkey.pem
	
	##
	# Security hardening (as of Nov 15, 2020)
	# based on Mozilla Guideline v5.6
	##
	
	SSLProtocol             	all -SSLv3 -TLSv1 -TLSv1.1
	# SSLCipherSuite: add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
	SSLCipherSuite			ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
	SSLHonorCipherOrder		on
	SSLSessionTickets		off
	SSLUseStapling			on

	Header always set       Strict-Transport-Security "max-age=8740000; includeSubDomains; preload"
	Header always set	X-Content-Type-Options nosniff
	Header always set	X-Robots-Tag none
	Header always set	X-XSS-Protection "1; mode=block"
	
	##
	# Application
	##

	LimitRequestBody		102400
	ProxyReceiveBufferSize		0
	KeepAliveTimeout		10
	ProxyTimeout			900
	
	<Location "/api/v1/videos/upload-resumable">
		LimitRequestBody	0
	</Location>

	<LocationMatch "^/api/v1/videos/(upload|([^/]+/studio/edit))$">
		Order allow,deny
		Allow from all
		<LimitExcept POST HEAD>
			Deny from all
		</LimitExcept>

		# This is the maximum upload size, which roughly matches the maximum size of a video file.
		# Note that temporary space is needed equal to the total size of all concurrent uploads.
		# You may want to put this directory on a dedicated filesystem.
		LimitRequestBody 12884901888
		# inform backend of the set value in bytes before mime-encoding (x * 1.4 >= LimitRequestBody)
		Header always set	X-File-Maximum-Size 8G
	</LocationMatch>

	<LocationMatch "^/api/v1/(videos|video-playlists|video-channels|users/me)">
		LimitRequestBody 6291456
		# inform backend of the set value in bytes before mime-encoding (x * 1.4 >= LimitRequestBody)
		Header always set	X-File-Maximum-Size 4M
	</LocationMatch>
	
	##
	# Performance optimizations
	# Compression enabled automatically by filter_module
	DocumentRoot /var/www/peertube
	RequestReadTimeout body=30 header=10
	Options +FollowSymLinks -SymLinksIfOwnerMatch

	# http/2 tuning
	H2Push		on
	H2PushPriority	*			after
	H2PushPriority	txt/css			before
	H2PushPriority	image/jpeg		after		32
	H2PushPriority	image/png		after		32
	H2PushPriority	application/javascript	interleaved

	# Bypass PeerTube for performance reasons. Optional.
	# Should be consistent with client-overrides assets list in /server/controllers/client.ts
	<LocationMatch "^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png|default-playlist\.jpg|default-avatar-account\.png|default-avatar-account-48x48\.png|default-avatar-video-channel\.png|default-avatar-video-channel-48x48\.png))$">
		# Cache 1 year
		Header always set	Cache-Control "public, max-age=31536000, immutable"
		RewriteCond %{DOCUMENT_ROOT}/storage/client-overrides/$1 -f
		RewriteRule ^/client/(.*)$ %{DOCUMENT_ROOT}/storage/client-overrides/$1 [L]
	</LocationMatch>

	# Bypass PeerTube for performance reasons. Optional.
	<LocationMatch "^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$">
		# Cache 1 year
		Header always	set Cache-Control "public, max-age=31536000, immutable"
		RewriteRule ^/client/(.*)$ %{DOCUMENT_ROOT}/peertube-latest/client/dist/$1 [L]
	</LocationMatch>

	# Bypass PeerTube for performance reasons. Optional.
	<LocationMatch "^/static/(thumbnails|avatars)/">
		Header always set	Access-Control-Allow-Origin    "*"
                Header always set       Access-Control-Allow-Credentials "true"
                Header always set       Access-Control-Allow-Headers     "Retry-After"
		Header always set	Access-Control-Allow-Methods   "GET, OPTIONS"
		Header always set	Access-Control-Allow-Headers   "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"

		<If "%{REQUEST_METHOD} == 'OPTIONS'">
			# Preflight request can be cached 20 days
			Header always set	Access-Control-Max-Age       1728000
			Header always set	Content-Type                 "text/plain charset=UTF-8"
			Header always set	Content-Length               0
			RedirectMatch 204 ^(.*)$
		</If>

		# Cache response 2 hours
		Header always set	Cache-Control                  "public, max-age=7200"

		RewriteRule ^/static/(.*)$ /$1 [L]
	</LocationMatch>

	# Bypass PeerTube for performance reasons. Optional.
	<LocationMatch "^/static/(webseed|redundancy|streaming-playlists)/">
		# Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
		SetOutputFilter RATE_LIMIT

		# Increase rate limit in HLS mode, because we don't have multiple simultaneous connections
		<If "%{REQUEST_URI} =~ /^((.*).mp4|[-0-9]+.ts)$/">
			SetEnv rate-limit       5120
			SetEnv rate-limit-burst 6144
		</If>
		<Else>
			SetEnv rate-limit       832
			SetEnv rate-limit-burst 1024
		</Else>

		<If "%{REQUEST_METHOD} == 'OPTIONS'">
			Header always set       Access-Control-Allow-Origin  "*"
                        Header always set       Access-Control-Allow-Credentials "true"
                        Header always set       Access-Control-Allow-Headers     "Retry-After"
			Header always set       Access-Control-Allow-Methods "GET, OPTIONS"
			Header always set       Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"
			# Preflight request can be cached 20 days
			Header always set       Access-Control-Max-Age       1728000
			Header always set       Content-Type                 "text/plain charset=UTF-8"
			Header always set       Content-Length               0
			RedirectMatch 204 ^(.*)$
		</If>

		<If "%{REQUEST_METHOD} == 'GET'">
			Header always set       Access-Control-Allow-Origin  "*"
                        Header always set       Access-Control-Allow-Credentials "true"
                        Header always set       Access-Control-Allow-Headers     "Retry-After"
			Header always set       Access-Control-Allow-Methods "GET, OPTIONS"
			Header always set       Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"

			# Don't spam access log file with byte range requests
			SetEnvIf %{REQUEST_URI} "^(.*)$" dontlog
		</If>

		# Enabling the sendfile directive eliminates the step of copying the data into the buffer
		# and enables direct copying data from one file descriptor to another.
		# To disable if the folder is on a network filesystem like NFS or other.
		EnableSendfile on

		<If "%{REQUEST_URI} =~ /^\x2Fstatic\x2Fwebseed\x2F(.*)$/">
			Header always set       Cache-control   "no-cache, no-store"
		</If>

		RewriteRule ^/static/webseed/(.*)$ /videos/$1 [L]
		RewriteRule ^/static/(.*)$ /$1 [L]
	</LocationMatch>

	<Location "/videos/embed">
		Header unset X-Frame-Options
	</Location>

        <Location "/tracker/socket">
                Define increaseTimeout true
        </Location>

        <IfDefine "${increaseTimeout}">
                RequestReadTimeout handshake=5 header=900,MinRate=0 body=900,MinRate=0
        </IfDefine>

        # Websocket
        RewriteCond %{HTTP:Upgrade} =websocket [NC]
        RewriteRule ^(.*)$ ws://127.0.0.1:9000$1 [L]

	<Location "/">
		ProxyPas http://127.0.0.1:9000/ flushpackets=on keepalive=on enablereuse=on
		ProxyRequests off
	</Location>
</VirtualHost>

Pay attention that I'm oftenly updating this config so please check time to time

@ROBERT-MCDOWELL

interesting, but I want to avoid another layer of software and offer an apache conf from peertube nginx default

I agree, I prefer to keep things as simple as possible as well.

Attached the full apache config which is the closest of the nginx peertube default

Thank you