Last active
April 30, 2024 13:40
-
-
Save rigelk/07a0b8963fa4fc1ad756374c28479bc7 to your computer and use it in GitHub Desktop.
a now OUTDATED httpd/Apache vhost to run PeerTube | note that only Nginx is supported by the PeerTube team, and with this or any other Apache configuration, you will likely get NO SUPPORT.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # requires WebSocket support with `a2enmod proxy_wstunnel` | |
| # check https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.6 for hardening security | |
| <VirtualHost *:80 [::]:80> | |
| ServerName peertube.example.com | |
| ServerAdmin webmaster@example.com | |
| Protocols h2c http/1.1 | |
| RewriteEngine On | |
| RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/ | |
| RewriteCond %{HTTPS} off | |
| RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] | |
| Alias /.well-known/acme-challenge/ /var/www/certbot/ | |
| <Directory /var/www/certbot> | |
| Options None | |
| AllowOverride None | |
| ForceType text/plain | |
| RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)" | |
| Require method GET POST OPTIONS | |
| </Directory> | |
| ErrorLog "/var/log/httpd/peertube.example.com.error.log" | |
| CustomLog "/var/log/httpd/peertube.example.com.access.log" common env=!dontlog | |
| </VirtualHost> | |
| <VirtualHost *:443 [::]:443> | |
| ServerName peertube.example.com | |
| ServerAdmin webmaster@example.com | |
| Protocols h2 http/1.1 | |
| SSLEngine on | |
| # For example with certbot (you need a certificate to run https) | |
| SSLCertificateFile /etc/letsencrypt/live/peertube.example.com/fullchain.pem | |
| SSLCertificateKeyFile /etc/letsencrypt/live/peertube.example.com/privkey.pem | |
| Header always set X-Content-Type-Options nosniff | |
| Header always set X-Robots-Tag none | |
| Header always set X-XSS-Protection "1; mode=block" | |
| # Bypass PeerTube webseed route for better performances | |
| Alias /static/webseed /var/www/peertube/storage/videos | |
| <Location /static/webseed> | |
| # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client | |
| SetOutputFilter RATE_LIMIT | |
| SetEnv rate-limit 800 | |
| SetEnvIf Request_Method "GET" GETMETH=1 | |
| Header set Access-Control-Allow-Origin "*" env=GETMETH | |
| Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=GETMETH | |
| Header set Access-Control-Allow-Methods "GET, OPTIONS" env=GETMETH | |
| SetEnvIf GETMETH "1" dontlog | |
| SetEnvIf Request_Method "OPTIONS" OPTIONSMETH=1 | |
| Header set Access-Control-Allow-Origin "*" env=OPTIONSMETH | |
| Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=OPTIONSMETH | |
| Header set Access-Control-Allow-Methods "GET, OPTIONS" env=OPTIONSMETH | |
| Header set Access-Control-Max-Age "1000" env=OPTIONSMETH | |
| Header set Content-Type "text/plain charset=UTF-8" env=OPTIONSMETH | |
| Header set Content-Length "0" env=OPTIONSMETH | |
| </Location> | |
| <Location /videos/embed> | |
| Header unset X-Frame-Options | |
| </Location> | |
| ProxyPreserveHost On | |
| ProxyTimeout 600 | |
| # Websocket tracker | |
| RewriteEngine On | |
| RewriteCond %{HTTP:Upgrade} websocket [NC] | |
| RewriteRule /(.*) ws://127.0.0.1:9000/$1 [P,L] | |
| <Location /> | |
| ProxyPass http://127.0.0.1:9000/ timeout=600 | |
| </Location> | |
| ErrorLog "/var/log/httpd/peertube.example.com.error.log" | |
| CustomLog "/var/log/httpd/peertube.example.com.access.log" common env=!dontlog | |
| </VirtualHost> |
@joho1968 ok after some reflections I think the best is to strictly follow the nginx default conf so it won't give more confusion and it's up to the skills of the server admin to fix his own security way....
@ROBERT-MCDOWELL Thanks for the update :)
I didn't realise you had left the Proxy options out on purpose. I thought that peertube only worked with a reverse proxy so I was a bit confused why some of the lines in the original gist for reverse proxy were commented out.
I'm on so many different repo and work that I think you are right, PT works as default with a reverse proxy... even if it certainly can work without proxy ;)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@joho1968 I just realize my answer was a little confused, so in my gist here
PeerTube v5: https://gist.github.com/ROBERT-MCDOWELL/0ed82ec304fa76de9ff52cc4a5a49e4c
PeerTube >= v6: https://gist.github.com/ROBERT-MCDOWELL/7a55548d51a82080270b3184cd27ed36
I didn't put any CORS settings since it's not related to PeerTube and very personal as some server admins have their own way to allow or not certain websites and how (from the deprecated x-frame-options or content-security-policy) which is to vast and out of the PeerTube scope, even if the PT nginx conf shows Header set Access-Control-Allow-Origin "*" which is not really secure. But what's the best for you guys? to strictly follow the nginx default conf or a more secure apache one?