--- /dev/null
+# A omplementary information
+
+:information_source: we're going to start with a working jail, with network up and access to pkg archive.
+
+
+:information_source: if you have a poudriere, __DON'T USE IT__. It's better to use pre-compiled package in this case.
+
+## Read and apply the dependencies instructions.
+
+Please read and apply the instructions provided in [dependencies](https://github.com/Chocobozzz/PeerTube/blob/develop/support/doc/dependencies.md) page.
+
+## Go to the production page
+
+The main instructions are available in the [production](https://github.com/Chocobozzz/PeerTube/blob/develop/support/doc/production.md) page.
+
+Most of the instruction MUST be done before we continue with specific instructions:
+
+- create the peertube user
+- create the database
+
+:warning: the command for knowing the latest available version works with `bash`, but not with `csh`, which is the default `root` shell on FreeBSD. We have to use a different method (changes are very small).
+
+```
+set VERSION=`curl -s https://api.github.com/repos/chocobozzz/peertube/releases/latest | grep tag\_name | cut -d '"' -f 4` && echo "Latest Peertube version is $VERSION"
+```
+Then we use the command to download and extract Peertube as visible in the production page.
+
+## Peertube configuration
+
+Nothing change in this part, please read the documentation.
+
+## Webserver
+
+:warning: this is the most different part.
+
+The `/usr/local/etc/nginx/sites_available` and `/usr/local/etc/nginx/sites_enabled` does not exist by default, we have to create them:
+
+```
+# mkdir /usr/local/etc/nginx/sites_{available,enabled}
+```
+Then we copy the sample nginx configuration file exactly as explained in the official documentation.
+
+### The certificate problem
+
+We are going to suppose that you want to host several web services, each of them in a jail. It will be very difficult to maintain the *let's encrypt* certificates for each of those jail. We let the main host to deal with the certificate for ALL the jails.
+
+Please read the `dehydraded` documentation in order to generate your Peertube instance certificate.
+
+:information_source: I used to use certbot. My configuration is a little bit different from the dehydraded one.
+
+## ON THE HOST ###
+
+We need to create a nginx configuration. I named it `peertube-jail.conf` and put it in the `sites_available` folder..
+
+:information_source: remember to replace `example.com` by your own FQDN.
+
+:information_source: remember to replace `w.x.y.z` by your jail IP address.
+
+```
+server {
+
+ # First, as for all webserver, we listen to 80 port
+ listen 80;
+
+ # give our server_name
+ server_name peertube.example.com;
+
+ # create some logfiles
+ access_log /var/log/nginx/peertube_access.log;
+ error_log /var/log/nginx/peertube_error.log;
+
+ # redirect permantly to https
+ rewrite ^ https://$server_name/$request_uri permanent;
+}
+
+server{
+
+ # The https part
+ listen 443 ssl http2;
+
+ # The server-name again
+ server_name peertube.example.com;
+
+ # We use the same log files as below
+ access_log /var/log/nginx/peertube_access.log;
+ error_log /var/log/nginx/peertube_error.log;
+
+ # We activate the ssl engine and give it the path to the fullchain certificate
+ # and the private key
+ ssl on;
+ ssl_certificate /usr/local/etc/letsencrypt/live/peertube.example.com/fullchain.pem;
+ ssl_certificate_key /usr/local/etc/letsencrypt/live/peertube.example.com/privkey.pem;
+
+ # The root location (/) will be redirect
+ # We add some header and VERY IMPORTANT, the client_max_body_size
+ # set to 4G (the maximum size peertube video)
+ location / {
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://w.x.y.z/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ client_max_body_size 4G;
+ }
+```
+
+We move a part of the jail FROM nginx configuration file TO the host configuration file (line 106 to 117):
+
+```
+ # We also let the host to deal with the websocket
+ # and transfer it to the jail on port 9000 (the peertube port)
+
+ location /tracker/socket {
+ # Peers send a message to the tracker every 15 minutes
+ # Don't close the websocket before this time
+ proxy_read_timeout 1200s;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_pass http://w.x.y.z:9000;
+ }
+
+}
+```
+
+Save the file, make the link to have it in `sites_enabled` folder:
+
+```
+# ln -s /usr/local/etc/nginx/sites_available/peertube-jail.conf /usr/local/etc/nginx/sites_enabled
+```
+
+Check the nginx configuration (nginx do a check when restarting. but I prefer do it before)
+
+```
+# nginx -t
+nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
+nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
+```
+
+If it's you can reload nginx configuration:
+
+```
+# nginx -s reload
+```
+
+## BACK TO THE JAIL ##
+
+
+On the jails we are going to make a lot of changes in the nginx configuration.
+
+- remove all the ssl configuration (line 16 to 34):
+
+```
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name peertube.example.com;
+
+ # For example with certbot (you need a certificate to run https)
+ ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;
+
+ # Security hardening (as of 11/02/2018)
+ ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ # ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0, not compatible with import-videos script
+ ssl_session_timeout 10m;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off; # Requires nginx >= 1.5.9
+ ssl_stapling on; # Requires nginx >= 1.3.7
+ ssl_stapling_verify on; # Requires nginx => 1.3.7
+```
+
+- remove the websocket block too (line 106 to 117). Remember, we already moved this part in the host nginx configuration file.
+
+```
+ # Websocket tracker
+ location /tracker/socket {
+ # Peers send a message to the tracker every 15 minutes
+ # Don't close the websocket before this time
+ proxy_read_timeout 1200s;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_pass http://localhost:9000;
+ }
+```
+
+Our nginx configuration file is now a little bit smaller and will only listen on port 80. Here is mine:
+
+```
+server {
+ listen 80;
+ server_name peertube.example.com;
+
+ access_log /var/log/nginx/peertube.access.log;
+ error_log /var/log/nginx/peertube.error.log;
+
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+
+ location ^~ '/.well-known/acme-challenge' {
+ default_type "text/plain";
+ root /var/www/certbot;
+ }
+
+ location ~ ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ {
+ add_header Cache-Control "public, max-age=31536000, immutable";
+
+ alias /var/www/peertube/peertube-latest/client/dist/$1;
+ }
+
+ location ~ ^/static/(thumbnails|avatars)/(.*)$ {
+ add_header Cache-Control "public, max-age=31536000, immutable";
+
+ alias /var/www/peertube/storage/$1/$2;
+ }
+
+ location / {
+ proxy_pass http://localhost:9000;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ # Hard limit, PeerTube does not support videos > 4GB
+ client_max_body_size 4G;
+ proxy_connect_timeout 600;
+ proxy_send_timeout 600;
+ proxy_read_timeout 600;
+ send_timeout 600;
+ }
+
+ # Bypass PeerTube webseed route for better performances
+ location /static/webseed {
+ # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
+ limit_rate 800k;
+
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain charset=UTF-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+
+ if ($request_method = 'GET') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+
+ # Don't spam access log file with byte range requests
+ access_log off;
+ }
+
+ alias /var/www/peertube/storage/videos;
+ }
+
+ # Websocket tracker
+
+ ## Moved in host nginx config
+}
+```
+
+## Last words
+
+Be sure to save and keep your configuration files, a Peertube update could crush them.
+
+## Thanks
+Thanks to Chocobozzz who created Peertube, to Framasoft for being part of Peertube popularity, to friends who help me to understand some tricky with jail network and to reread actors.
+
+If you find useful this documentation, please make a donation to [Framasoft](https://soutenir.framasoft.org/en//?f=nav)
+
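Review bot: the TLS hardening that the jail section tells the reader to delete (the `ssl_protocols`, `ssl_ciphers`, `ssl_session_tickets off` and OCSP stapling lines of the original PeerTube config) is never re-added to the host's port 443 server block, so the host terminates TLS with nginx defaults; since the host is now the only TLS endpoint, those directives should be moved into the `listen 443 ssl http2;` block on the host rather than dropped, e.g. keep at least `ssl_protocols TLSv1.2;`, `ssl_prefer_server_ciphers on;` and `ssl_session_tickets off;` next to the `ssl_certificate` lines. Two smaller points in the same host config: `rewrite ^ https://$server_name/$request_uri permanent;` produces a double slash because `$request_uri` already starts with `/` (use `https://$server_name$request_uri`, or `return 301`), and `ssl on;` is redundant with `listen 443 ssl` and is rejected by recent nginx versions. The heading `# A omplementary information` also has a typo (Complementary).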