# Complementary information

:information_source: we're going to start with a working jail, with the network up and access to the pkg archive.

:information_source: if you have a poudriere, __DON'T USE IT__. It is better to use pre-compiled packages in this case.

There is also a tutorial (in French) about how to migrate PostgreSQL to its own jail: https://adminblog.foucry.net//Migrate-postgreSQLDB-Peertube-in-jail/
## Read and apply the dependencies instructions

Please read and apply the instructions provided on the [dependencies](https://github.com/Chocobozzz/PeerTube/blob/develop/support/doc/dependencies.md) page.

## Go to the production page

The main instructions are available on the [production](https://github.com/Chocobozzz/PeerTube/blob/develop/support/doc/production.md) page.

Most of these instructions MUST be done before we continue with the jail-specific ones:

- create the peertube user
:warning: the command for finding the latest available version works with `bash`, but not with `csh`, which is the default `root` shell on FreeBSD. We have to use a slightly different command (the changes are very small):

```csh
set VERSION=`curl -s https://api.github.com/repos/chocobozzz/peertube/releases/latest | grep tag_name | cut -d '"' -f 4` && echo "Latest PeerTube version is $VERSION"
```

Then we download and extract PeerTube with the commands shown on the production page.
## PeerTube configuration

Nothing changes in this part; please read the documentation.

:warning: this is the part that differs the most.

The `/usr/local/etc/nginx/sites_available` and `/usr/local/etc/nginx/sites_enabled` directories do not exist by default, so we have to create them:

```sh
# mkdir /usr/local/etc/nginx/sites_{available,enabled}
```

Then we copy the sample nginx configuration file exactly as explained in the official documentation.
### The certificate problem

We are going to suppose that you want to host several web services, each of them in a jail. It would be very difficult to maintain the *let's encrypt* certificates inside each of those jails. We let the main host deal with the certificates for ALL the jails.

Please read the `dehydrated` documentation in order to generate your PeerTube instance certificate.

:information_source: I used to use certbot. My configuration is a little bit different from the dehydrated one.

We need to create an nginx configuration. I named it `peertube-jail.conf` and put it in the `sites_available` folder.

:information_source: remember to replace `example.com` with your own FQDN.

:information_source: remember to replace `w.x.y.z` with your jail IP address.
```nginx
server {
    # First, as for every web server, we listen on port 80
    listen 80;

    # give our server_name
    server_name peertube.example.com;

    # create some logfiles
    access_log /var/log/nginx/peertube_access.log;
    error_log /var/log/nginx/peertube_error.log;

    # redirect permanently to https ($request_uri already starts with "/")
    rewrite ^ https://$server_name$request_uri permanent;
}

server {
    # The server_name again
    server_name peertube.example.com;

    # We use the same log files as above
    access_log /var/log/nginx/peertube_access.log;
    error_log /var/log/nginx/peertube_error.log;

    # We activate the ssl engine and give it the path to the fullchain certificate
    listen 443 ssl;
    ssl_certificate /usr/local/etc/letsencrypt/live/peertube.example.com/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/peertube.example.com/privkey.pem;

    # The root location (/) is proxied to the jail (plain HTTP inside the host)
    # We add some headers and, VERY IMPORTANT, client_max_body_size
    # set to 4G (the maximum size of a PeerTube video)
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://w.x.y.z/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        client_max_body_size 4G;
    }
}
```
We move part of the jail nginx configuration file to the host configuration file (lines 106 to 117 of the jail file), inside the HTTPS `server` block:

```nginx
    # We also let the host deal with the websocket
    # and transfer it to the jail on port 9000 (the peertube port)
    location /tracker/socket {
        # Peers send a message to the tracker every 15 minutes
        # Don't close the websocket before this time
        proxy_read_timeout 1200s;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://w.x.y.z:9000;
    }
```
Save the file and make the link to have it in the `sites_enabled` folder:

```sh
# ln -s /usr/local/etc/nginx/sites_available/peertube-jail.conf /usr/local/etc/nginx/sites_enabled
```

Check the nginx configuration (nginx does a check when restarting, but I prefer to do it before):

```sh
# nginx -t
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
```

If it is, you can reload the nginx configuration:

```sh
# service nginx reload
```
## Back to the jail

In the jail we are going to make a lot of changes to the nginx configuration.

- remove all the ssl configuration (lines 16 to 34):
```nginx
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name peertube.example.com;

    # For example with certbot (you need a certificate to run https)
    ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;

    # Security hardening (as of 11/02/2018)
    ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    # ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0, not compatible with import-videos script
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
```
- remove the websocket block too (lines 106 to 117). Remember, we already moved this part into the host nginx configuration file.

```nginx
    location /tracker/socket {
        # Peers send a message to the tracker every 15 minutes
        # Don't close the websocket before this time
        proxy_read_timeout 1200s;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://localhost:9000;
    }
```
Our nginx configuration file is now a little bit smaller and only listens on port 80. Here is mine:

```nginx
server {
    listen 80;
    server_name peertube.example.com;

    access_log /var/log/nginx/peertube.access.log;
    error_log /var/log/nginx/peertube.error.log;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;

    location ^~ '/.well-known/acme-challenge' {
        default_type "text/plain";
        root /var/www/certbot;
    }

    location ~ ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ {
        add_header Cache-Control "public, max-age=31536000, immutable";

        alias /var/www/peertube/peertube-latest/client/dist/$1;
    }

    location ~ ^/static/(thumbnails|avatars)/(.*)$ {
        add_header Cache-Control "public, max-age=31536000, immutable";

        alias /var/www/peertube/storage/$1/$2;
    }

    location / {
        proxy_pass http://localhost:9000;
        # Behind the host proxy, $remote_addr is the host address, so X-Real-IP
        # carries the host; the client address is the first entry of X-Forwarded-For
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Hard limit, PeerTube does not support videos > 4GB
        client_max_body_size 4G;
        proxy_connect_timeout 600;
        proxy_send_timeout 600;
        proxy_read_timeout 600;
    }

    # Bypass PeerTube webseed route for better performances
    location /static/webseed {
        # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
        limit_rate 800k;

        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain; charset=UTF-8';
            add_header 'Content-Length' 0;
            return 204;
        }

        if ($request_method = 'GET') {
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

            # Don't spam access log file with byte range requests
            access_log off;
        }

        alias /var/www/peertube/storage/videos;
    }

    ## Moved in host nginx config
}
```
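To check the host/jail split after editing both files, here is an added sample script that is not part of this tutorial: it greps the host and jail site files for the directives that must live on one side only (TLS and the `/tracker/socket` block on the host, `client_max_body_size 4G` on both, and a `proxy_pass` on the host that targets the jail rather than loopback). The file paths and sample configs are constructed; `192.0.2.10` stands in for the jail address `w.x.y.z`.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: check that the host and
# jail nginx site files respect the split described above. Point the
# functions at real files under /usr/local/etc/nginx/sites_enabled/; the
# samples at the bottom are constructed for a dry run.

# Jail side: no TLS, no websocket block, still enforces the 4G upload limit.
check_jail_conf() {
    if grep -Eq '^[[:space:]]*(ssl_|listen [^;]*443)' "$1"; then
        echo "jail: TLS directives remain (TLS belongs to the host)"; return 1
    fi
    if grep -q 'location /tracker/socket' "$1"; then
        echo "jail: websocket block remains (it was moved to the host)"; return 1
    fi
    grep -q 'client_max_body_size 4G' "$1" || { echo "jail: 4G body limit missing"; return 1; }
}

# Host side: terminates TLS, proxies to the jail address (never loopback),
# keeps the long-lived tracker websocket and the same 4G limit.
check_host_conf() {
    for want in 'ssl_certificate_key' 'location /tracker/socket' \
                'proxy_read_timeout 1200s' 'proxy_set_header Upgrade \$http_upgrade' \
                'client_max_body_size 4G'; do
        grep -q "$want" "$1" || { echo "host: missing '$want'"; return 1; }
    done
    if grep -Eq 'proxy_pass http://(localhost|127\.0\.0\.1)' "$1"; then
        echo "host: proxy_pass points at loopback, not at the jail"; return 1
    fi
}

# Constructed sample files (192.0.2.10 stands in for the jail IP w.x.y.z).
TMPD=$(mktemp -d)
JAIL_GOOD="$TMPD/jail-good.conf"; JAIL_BAD="$TMPD/jail-bad.conf"; HOST_GOOD="$TMPD/host-good.conf"
printf 'server {\n  listen 80;\n  location / { proxy_pass http://localhost:9000; client_max_body_size 4G; }\n}\n' > "$JAIL_GOOD"
printf 'server {\n  listen 443 ssl http2;\n  ssl_certificate /x/fullchain.pem;\n  location /tracker/socket { proxy_pass http://localhost:9000; }\n}\n' > "$JAIL_BAD"
printf 'server {\n  listen 443 ssl;\n  ssl_certificate_key /x/privkey.pem;\n  location / { proxy_pass http://192.0.2.10/; client_max_body_size 4G; }\n  location /tracker/socket {\n    proxy_read_timeout 1200s;\n    proxy_set_header Upgrade $http_upgrade;\n    proxy_pass http://192.0.2.10:9000;\n  }\n}\n' > "$HOST_GOOD"

check_jail_conf "$JAIL_GOOD" && check_host_conf "$HOST_GOOD" && echo "split looks right"
check_jail_conf "$JAIL_BAD" || echo "jail-bad.conf rejected as expected"
```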
Be sure to save and keep your configuration files; a PeerTube update could overwrite them.

Thanks to Chocobozzz who created PeerTube, to Framasoft for being part of PeerTube's popularity, to the friends who helped me understand some tricky points of jail networking, and to the proofreaders.

If you find this documentation useful, please make a donation to [Framasoft](https://soutenir.framasoft.org/en//?f=nav)