--- /dev/null
+# A complementary information
+
+:information_source: we're going to start with a working jail, with network up and access to pkg archive.
+
+
+:information_source: if you have a poudriere, __DON'T USE IT__. It's better to use pre-compiled package in this case.
+
+## Read and apply the dependencies instructions.
+
+Please read and apply the instructions provided in [dependencies](https://github.com/Chocobozzz/PeerTube/blob/develop/support/doc/dependencies.md) page.
+
+## Go to the production page
+
+The main instructions are available in the [production](https://github.com/Chocobozzz/PeerTube/blob/develop/support/doc/production.md) page.
+
+Most of the instruction MUST be done before we continue with specific instructions:
+
+- create the peertube user
+- create the database
+
+:warning: the command for knowing the latest available version works with `bash`, but not with `csh`, which is the default `root` shell on FreeBSD. We have to use a different method (changes are very small).
+
+```
+set VERSION=`curl -s https://api.github.com/repos/chocobozzz/peertube/releases/latest | grep tag\_name | cut -d '"' -f 4` && echo "Latest PeerTube version is $VERSION"
+```
+Then we use the command to download and extract PeerTube as visible in the production page.
+
+## PeerTube configuration
+
+Nothing change in this part, please read the documentation.
+
+## Webserver
+
+:warning: this is the most different part.
+
+The `/usr/local/etc/nginx/sites_available` and `/usr/local/etc/nginx/sites_enabled` does not exist by default, we have to create them:
+
+```
+# mkdir /usr/local/etc/nginx/sites_{available,enabled}
+```
+Then we copy the sample nginx configuration file exactly as explained in the official documentation.
+
+### The certificate problem
+
+We are going to suppose that you want to host several web services, each of them in a jail. It will be very difficult to maintain the *let's encrypt* certificates for each of those jail. We let the main host to deal with the certificate for ALL the jails.
+
+Please read the `dehydraded` documentation in order to generate your PeerTube instance certificate.
+
+:information_source: I used to use certbot. My configuration is a little bit different from the dehydraded one.
+
+## ON THE HOST ###
+
+We need to create a nginx configuration. I named it `peertube-jail.conf` and put it in the `sites_available` folder..
+
+:information_source: remember to replace `example.com` by your own FQDN.
+
+:information_source: remember to replace `w.x.y.z` by your jail IP address.
+
+```
+server {
+
+ # First, as for all webserver, we listen to 80 port
+ listen 80;
+
+ # give our server_name
+ server_name peertube.example.com;
+
+ # create some logfiles
+ access_log /var/log/nginx/peertube_access.log;
+ error_log /var/log/nginx/peertube_error.log;
+
+ # redirect permantly to https
+ rewrite ^ https://$server_name/$request_uri permanent;
+}
+
+server{
+
+ # The https part
+ listen 443 ssl http2;
+
+ # The server-name again
+ server_name peertube.example.com;
+
+ # We use the same log files as below
+ access_log /var/log/nginx/peertube_access.log;
+ error_log /var/log/nginx/peertube_error.log;
+
+ # We activate the ssl engine and give it the path to the fullchain certificate
+ # and the private key
+ ssl on;
+ ssl_certificate /usr/local/etc/letsencrypt/live/peertube.example.com/fullchain.pem;
+ ssl_certificate_key /usr/local/etc/letsencrypt/live/peertube.example.com/privkey.pem;
+
+ # The root location (/) will be redirect
+ # We add some header and VERY IMPORTANT, the client_max_body_size
+ # set to 4G (the maximum size PeerTube video)
+ location / {
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://w.x.y.z/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ client_max_body_size 4G;
+ }
+```
+
+We move a part of the jail FROM nginx configuration file TO the host configuration file (line 106 to 117):
+
+```
+ # We also let the host to deal with the websocket
+ # and transfer it to the jail on port 9000 (the peertube port)
+
+ location /tracker/socket {
+ # Peers send a message to the tracker every 15 minutes
+ # Don't close the websocket before this time
+ proxy_read_timeout 1200s;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_pass http://w.x.y.z:9000;
+ }
+
+}
+```
+
+Save the file, make the link to have it in `sites_enabled` folder:
+
+```
+# ln -s /usr/local/etc/nginx/sites_available/peertube-jail.conf /usr/local/etc/nginx/sites_enabled
+```
+
+Check the nginx configuration (nginx do a check when restarting. but I prefer do it before)
+
+```
+# nginx -t
+nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
+nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
+```
+
+If it's you can reload nginx configuration:
+
+```
+# nginx -s reload
+```
+
+## BACK TO THE JAIL ##
+
+
+On the jails we are going to make a lot of changes in the nginx configuration.
+
+- remove all the ssl configuration (line 16 to 34):
+
+```
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name peertube.example.com;
+
+ # For example with certbot (you need a certificate to run https)
+ ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;
+
+ # Security hardening (as of 11/02/2018)
+ ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ # ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0, not compatible with import-videos script
+ ssl_session_timeout 10m;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off; # Requires nginx >= 1.5.9
+ ssl_stapling on; # Requires nginx >= 1.3.7
+ ssl_stapling_verify on; # Requires nginx => 1.3.7
+```
+
+- remove the websocket block too (line 106 to 117). Remember, we already moved this part in the host nginx configuration file.
+
+```
+ # Websocket tracker
+ location /tracker/socket {
+ # Peers send a message to the tracker every 15 minutes
+ # Don't close the websocket before this time
+ proxy_read_timeout 1200s;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_pass http://localhost:9000;
+ }
+```
+
+Our nginx configuration file is now a little bit smaller and will only listen on port 80. Here is mine:
+
+```
+server {
+ listen 80;
+ server_name peertube.example.com;
+
+ access_log /var/log/nginx/peertube.access.log;
+ error_log /var/log/nginx/peertube.error.log;
+
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+
+ location ^~ '/.well-known/acme-challenge' {
+ default_type "text/plain";
+ root /var/www/certbot;
+ }
+
+ location ~ ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ {
+ add_header Cache-Control "public, max-age=31536000, immutable";
+
+ alias /var/www/peertube/peertube-latest/client/dist/$1;
+ }
+
+ location ~ ^/static/(thumbnails|avatars)/(.*)$ {
+ add_header Cache-Control "public, max-age=31536000, immutable";
+
+ alias /var/www/peertube/storage/$1/$2;
+ }
+
+ location / {
+ proxy_pass http://localhost:9000;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ # Hard limit, PeerTube does not support videos > 4GB
+ client_max_body_size 4G;
+ proxy_connect_timeout 600;
+ proxy_send_timeout 600;
+ proxy_read_timeout 600;
+ send_timeout 600;
+ }
+
+ # Bypass PeerTube webseed route for better performances
+ location /static/webseed {
+ # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
+ limit_rate 800k;
+
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain charset=UTF-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+
+ if ($request_method = 'GET') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+
+ # Don't spam access log file with byte range requests
+ access_log off;
+ }
+
+ alias /var/www/peertube/storage/videos;
+ }
+
+ # Websocket tracker
+
+ ## Moved in host nginx config
+}
+```
+
+## Last words
+
+Be sure to save and keep your configuration files, a PeerTube update could crush them.
+
+## Thanks
+Thanks to Chocobozzz who created PeerTube, to Framasoft for being part of PeerTube popularity, to friends who help me to understand some tricky with jail network and to reread actors.
+
+If you find useful this documentation, please make a donation to [Framasoft](https://soutenir.framasoft.org/en//?f=nav)
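Review bot: the host-side HTTPS `server{` block (from `listen 443 ssl http2;` down to the closing `}` after the `/tracker/socket` location) carries no `ssl_protocols`, `ssl_ciphers`, `ssl_session_tickets` or `ssl_stapling` directives, so the hardening block the guide tells the reader to delete from the jail ("remove all the ssl configuration (line 16 to 34)") is dropped rather than moved: TLS is now terminated on the host with nginx's built-in defaults, which on releases before 1.23.4 still accept TLS 1.0 and 1.1. Carry those directives over next to `ssl_certificate` / `ssl_certificate_key` on the host, the same way the websocket location is carried over. Two smaller points in the same block: `ssl on;` is deprecated because `listen 443 ssl` already enables TLS, and `rewrite ^ https://$server_name/$request_uri permanent;` yields a double slash since `$request_uri` already starts with `/`; `return 301 https://$server_name$request_uri;` is the usual form, and `server{` wants a space before the brace. Since the host never proxies port 80 to the jail, the jail's `location ^~ '/.well-known/acme-challenge'` block is unreachable and can go along with the rest of the certificate handling. Doc nits: "permantly" (permanently), "as below" should read "as above", `dehydraded` (dehydrated), "Nothing change" (Nothing changes), "If it's you can reload" is missing "ok", and the heading `## ON THE HOST ###` has mismatched trailing hashes.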
+++ /dev/null
-# A complementary information
-
-:information_source: we're going to start with a working jail, with network up and access to pkg archive.
-
-
-:information_source: if you have a poudriere, __DON'T USE IT__. It's better to use pre-compiled package in this case.
-
-## Read and apply the dependencies instructions.
-
-Please read and apply the instructions provided in [dependencies](https://github.com/Chocobozzz/PeerTube/blob/develop/support/doc/dependencies.md) page.
-
-## Go to the production page
-
-The main instructions are available in the [production](https://github.com/Chocobozzz/PeerTube/blob/develop/support/doc/production.md) page.
-
-Most of the instruction MUST be done before we continue with specific instructions:
-
-- create the peertube user
-- create the database
-
-:warning: the command for knowing the latest available version works with `bash`, but not with `csh`, which is the default `root` shell on FreeBSD. We have to use a different method (changes are very small).
-
-```
-set VERSION=`curl -s https://api.github.com/repos/chocobozzz/peertube/releases/latest | grep tag\_name | cut -d '"' -f 4` && echo "Latest Peertube version is $VERSION"
-```
-Then we use the command to download and extract Peertube as visible in the production page.
-
-## Peertube configuration
-
-Nothing change in this part, please read the documentation.
-
-## Webserver
-
-:warning: this is the most different part.
-
-The `/usr/local/etc/nginx/sites_available` and `/usr/local/etc/nginx/sites_enabled` does not exist by default, we have to create them:
-
-```
-# mkdir /usr/local/etc/nginx/sites_{available,enabled}
-```
-Then we copy the sample nginx configuration file exactly as explained in the official documentation.
-
-### The certificate problem
-
-We are going to suppose that you want to host several web services, each of them in a jail. It will be very difficult to maintain the *let's encrypt* certificates for each of those jail. We let the main host to deal with the certificate for ALL the jails.
-
-Please read the `dehydraded` documentation in order to generate your Peertube instance certificate.
-
-:information_source: I used to use certbot. My configuration is a little bit different from the dehydraded one.
-
-## ON THE HOST ###
-
-We need to create a nginx configuration. I named it `peertube-jail.conf` and put it in the `sites_available` folder..
-
-:information_source: remember to replace `example.com` by your own FQDN.
-
-:information_source: remember to replace `w.x.y.z` by your jail IP address.
-
-```
-server {
-
- # First, as for all webserver, we listen to 80 port
- listen 80;
-
- # give our server_name
- server_name peertube.example.com;
-
- # create some logfiles
- access_log /var/log/nginx/peertube_access.log;
- error_log /var/log/nginx/peertube_error.log;
-
- # redirect permantly to https
- rewrite ^ https://$server_name/$request_uri permanent;
-}
-
-server{
-
- # The https part
- listen 443 ssl http2;
-
- # The server-name again
- server_name peertube.example.com;
-
- # We use the same log files as below
- access_log /var/log/nginx/peertube_access.log;
- error_log /var/log/nginx/peertube_error.log;
-
- # We activate the ssl engine and give it the path to the fullchain certificate
- # and the private key
- ssl on;
- ssl_certificate /usr/local/etc/letsencrypt/live/peertube.example.com/fullchain.pem;
- ssl_certificate_key /usr/local/etc/letsencrypt/live/peertube.example.com/privkey.pem;
-
- # The root location (/) will be redirect
- # We add some header and VERY IMPORTANT, the client_max_body_size
- # set to 4G (the maximum size peertube video)
- location / {
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_pass http://w.x.y.z/;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- client_max_body_size 4G;
- }
-```
-
-We move a part of the jail FROM nginx configuration file TO the host configuration file (line 106 to 117):
-
-```
- # We also let the host to deal with the websocket
- # and transfer it to the jail on port 9000 (the peertube port)
-
- location /tracker/socket {
- # Peers send a message to the tracker every 15 minutes
- # Don't close the websocket before this time
- proxy_read_timeout 1200s;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_http_version 1.1;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Host $host;
- proxy_pass http://w.x.y.z:9000;
- }
-
-}
-```
-
-Save the file, make the link to have it in `sites_enabled` folder:
-
-```
-# ln -s /usr/local/etc/nginx/sites_available/peertube-jail.conf /usr/local/etc/nginx/sites_enabled
-```
-
-Check the nginx configuration (nginx do a check when restarting. but I prefer do it before)
-
-```
-# nginx -t
-nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
-nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
-```
-
-If it's you can reload nginx configuration:
-
-```
-# nginx -s reload
-```
-
-## BACK TO THE JAIL ##
-
-
-On the jails we are going to make a lot of changes in the nginx configuration.
-
-- remove all the ssl configuration (line 16 to 34):
-
-```
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name peertube.example.com;
-
- # For example with certbot (you need a certificate to run https)
- ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;
-
- # Security hardening (as of 11/02/2018)
- ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
- ssl_prefer_server_ciphers on;
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
- # ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0, not compatible with import-videos script
- ssl_session_timeout 10m;
- ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off; # Requires nginx >= 1.5.9
- ssl_stapling on; # Requires nginx >= 1.3.7
- ssl_stapling_verify on; # Requires nginx => 1.3.7
-```
-
-- remove the websocket block too (line 106 to 117). Remember, we already moved this part in the host nginx configuration file.
-
-```
- # Websocket tracker
- location /tracker/socket {
- # Peers send a message to the tracker every 15 minutes
- # Don't close the websocket before this time
- proxy_read_timeout 1200s;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_http_version 1.1;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Host $host;
- proxy_pass http://localhost:9000;
- }
-```
-
-Our nginx configuration file is now a little bit smaller and will only listen on port 80. Here is mine:
-
-```
-server {
- listen 80;
- server_name peertube.example.com;
-
- access_log /var/log/nginx/peertube.access.log;
- error_log /var/log/nginx/peertube.error.log;
-
- add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
-
- location ^~ '/.well-known/acme-challenge' {
- default_type "text/plain";
- root /var/www/certbot;
- }
-
- location ~ ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ {
- add_header Cache-Control "public, max-age=31536000, immutable";
-
- alias /var/www/peertube/peertube-latest/client/dist/$1;
- }
-
- location ~ ^/static/(thumbnails|avatars)/(.*)$ {
- add_header Cache-Control "public, max-age=31536000, immutable";
-
- alias /var/www/peertube/storage/$1/$2;
- }
-
- location / {
- proxy_pass http://localhost:9000;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
- # Hard limit, PeerTube does not support videos > 4GB
- client_max_body_size 4G;
- proxy_connect_timeout 600;
- proxy_send_timeout 600;
- proxy_read_timeout 600;
- send_timeout 600;
- }
-
- # Bypass PeerTube webseed route for better performances
- location /static/webseed {
- # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
- limit_rate 800k;
-
- if ($request_method = 'OPTIONS') {
- add_header 'Access-Control-Allow-Origin' '*';
- add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
- add_header 'Access-Control-Max-Age' 1728000;
- add_header 'Content-Type' 'text/plain charset=UTF-8';
- add_header 'Content-Length' 0;
- return 204;
- }
-
- if ($request_method = 'GET') {
- add_header 'Access-Control-Allow-Origin' '*';
- add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
-
- # Don't spam access log file with byte range requests
- access_log off;
- }
-
- alias /var/www/peertube/storage/videos;
- }
-
- # Websocket tracker
-
- ## Moved in host nginx config
-}
-```
-
-## Last words
-
-Be sure to save and keep your configuration files, a Peertube update could crush them.
-
-## Thanks
-Thanks to Chocobozzz who created Peertube, to Framasoft for being part of Peertube popularity, to friends who help me to understand some tricky with jail network and to reread actors.
-
-If you find useful this documentation, please make a donation to [Framasoft](https://soutenir.framasoft.org/en//?f=nav)
-
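Review bot: the removed file is identical to the added one except for the capitalisation of "Peertube" to "PeerTube" on seven lines (the `echo` in the `set VERSION=` command, the "download and extract" sentence, the `## Peertube configuration` heading, the `dehydraded` sentence, the `client_max_body_size` comment, the "Last words" paragraph and the "Thanks" paragraph) and one trailing blank line that the new copy drops, so this is a rename plus a small edit. Producing the patch with rename detection (`git diff -M`, or `git mv` followed by the edit) would show only those lines instead of a 280-line delete/add pair, and would let a reviewer confirm at a glance that the nginx configuration itself is unchanged.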