-
-
Save rigelk/07a0b8963fa4fc1ad756374c28479bc7 to your computer and use it in GitHub Desktop.
| # requires WebSocket support with `a2enmod proxy_wstunnel` | |
| # check https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.6 for hardening security | |
| <VirtualHost *:80 [::]:80> | |
| ServerName peertube.example.com | |
| ServerAdmin webmaster@example.com | |
| Protocols h2c http/1.1 | |
| RewriteEngine On | |
| RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/ | |
| RewriteCond %{HTTPS} off | |
| RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] | |
| Alias /.well-known/acme-challenge/ /var/www/certbot/ | |
| <Directory /var/www/certbot> | |
| Options None | |
| AllowOverride None | |
| ForceType text/plain | |
| RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)" | |
| Require method GET POST OPTIONS | |
| </Directory> | |
| ErrorLog "/var/log/httpd/peertube.example.com.error.log" | |
| CustomLog "/var/log/httpd/peertube.example.com.access.log" common env=!dontlog | |
| </VirtualHost> | |
| <VirtualHost *:443 [::]:443> | |
| ServerName peertube.example.com | |
| ServerAdmin webmaster@example.com | |
| Protocols h2 http/1.1 | |
| SSLEngine on | |
| # For example with certbot (you need a certificate to run https) | |
| SSLCertificateFile /etc/letsencrypt/live/peertube.example.com/fullchain.pem | |
| SSLCertificateKeyFile /etc/letsencrypt/live/peertube.example.com/privkey.pem | |
| Header always set X-Content-Type-Options nosniff | |
| Header always set X-Robots-Tag none | |
| Header always set X-XSS-Protection "1; mode=block" | |
| # Bypass PeerTube webseed route for better performances | |
| Alias /static/webseed /var/www/peertube/storage/videos | |
| <Location /static/webseed> | |
| # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client | |
| SetOutputFilter RATE_LIMIT | |
| SetEnv rate-limit 800 | |
| SetEnvIf Request_Method "GET" GETMETH=1 | |
| Header set Access-Control-Allow-Origin "*" env=GETMETH | |
| Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=GETMETH | |
| Header set Access-Control-Allow-Methods "GET, OPTIONS" env=GETMETH | |
| SetEnvIf GETMETH "1" dontlog | |
| SetEnvIf Request_Method "OPTIONS" OPTIONSMETH=1 | |
| Header set Access-Control-Allow-Origin "*" env=OPTIONSMETH | |
| Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=OPTIONSMETH | |
| Header set Access-Control-Allow-Methods "GET, OPTIONS" env=OPTIONSMETH | |
| Header set Access-Control-Max-Age "1000" env=OPTIONSMETH | |
| Header set Content-Type "text/plain charset=UTF-8" env=OPTIONSMETH | |
| Header set Content-Length "0" env=OPTIONSMETH | |
| </Location> | |
| <Location /videos/embed> | |
| Header unset X-Frame-Options | |
| </Location> | |
| ProxyPreserveHost On | |
| ProxyTimeout 600 | |
| # Websocket tracker | |
| RewriteEngine On | |
| RewriteCond %{HTTP:Upgrade} websocket [NC] | |
| RewriteRule /(.*) ws://127.0.0.1:9000/$1 [P,L] | |
| <Location /> | |
| ProxyPass http://127.0.0.1:9000/ timeout=600 | |
| </Location> | |
| ErrorLog "/var/log/httpd/peertube.example.com.error.log" | |
| CustomLog "/var/log/httpd/peertube.example.com.access.log" common env=!dontlog | |
| </VirtualHost> |
indeed, but be aware that "*" allow any website of any domain to embed your peertube videos....
I know. That's why I was a bit surprised to see them in your gist 😊 Would it be possible to update your gist with a scenario where PeerTube and (authorized) website can embed video from PT? Like the website is on https://web.domain1.com and PT is on https://video.domain2.com (i.e. it's not a sub-domain).
There also seems to be some confusion, not sure if it's with Apache or the browser(s) I've tried with, but to completely clear the header(s), I seem to need to do this:
Header always unset Access-Control-Allow-Origin
Header always unset access-control-allow-origin
I can't for the life of me figure out what is treating the header string value in a case sensitive manner.
i'ts not my gist here so I cannot change anything but my own config I posted here.
I re-read my config above and I noticed that I already set cross domain so theorically you don't have to do anything but copy/paste the config and everything will work. I use it for my server and I can see PT embeded stickers on twitter and else (when you click on it a new window is opening, so you don't watch the video in a embeded manner). Access-Control-Allow-Origin is the right string
I was having problems with the Getting client tokens for host 127.0.0.1:9000 is forbidden message too after copying the above linked configuration for v6. But after reading joho1968's comment I noticed that ProxyPreserveHost On and ProxyRequests On are missing from the gists linked by @ROBERT-MCDOWELL .
After adding them back in everything seems to be working :)
Thanks all for providing the apache config.
@af7567 fixed it. thanks!
@joho1968 I just realize my answer was a little confused, so in my gist here
PeerTube v5: https://gist.github.com/ROBERT-MCDOWELL/0ed82ec304fa76de9ff52cc4a5a49e4c
PeerTube >= v6: https://gist.github.com/ROBERT-MCDOWELL/7a55548d51a82080270b3184cd27ed36
I didn't put any CORS settings since it's not related to PeerTube and very personal as some server admins have their own way to allow or not certain websites and how (from the deprecated x-frame-options or content-security-policy) which is to vast and out of the PeerTube scope, even if the PT nginx conf shows Header set Access-Control-Allow-Origin "*" which is not really secure. But what's the best for you guys? to strictly follow the nginx default conf or a more secure apache one?
@joho1968 ok after some reflections I think the best is to strictly follow the nginx default conf so it won't give more confusion and it's up to the skills of the server admin to fix his own security way....
@ROBERT-MCDOWELL Thanks for the update :)
I didn't realise you had left the Proxy options out on purpose. I thought that peertube only worked with a reverse proxy so I was a bit confused why some of the lines in the original gist for reverse proxy were commented out.
I'm on so many different repo and work that I think you are right, PT works as default with a reverse proxy... even if it certainly can work without proxy ;)
indeed, but be aware that "*" allow any website of any domain to embed your peertube videos....