1 # A complementary information
3 :information_source: we're going to start with a working jail, with network up and access to pkg archive.
6 :information_source: if you have a poudriere, __DON'T USE IT__. It's better to use pre-compiled package in this case.
8 ## Read and apply the dependencies instructions.
10 Please read and apply the instructions provided in [dependencies](https://github.com/Chocobozzz/PeerTube/blob/develop/support/doc/dependencies.md) page.
12 ## Go to the production page
14 The main instructions are available in the [production](https://github.com/Chocobozzz/PeerTube/blob/develop/support/doc/production.md) page.
16 Most of the instruction MUST be done before we continue with specific instructions:
18 - create the peertube user
21 :warning: the command for knowing the latest available version works with `bash`, but not with `csh`, which is the default `root` shell on FreeBSD. We have to use a different method (changes are very small).
24 set VERSION=`curl -s https://api.github.com/repos/chocobozzz/peertube/releases/latest | grep tag\_name | cut -d '"' -f 4` && echo "Latest Peertube version is $VERSION"
26 Then we use the command to download and extract Peertube as visible in the production page.
28 ## Peertube configuration
30 Nothing change in this part, please read the documentation.
34 :warning: this is the most different part.
36 The `/usr/local/etc/nginx/sites_available` and `/usr/local/etc/nginx/sites_enabled` does not exist by default, we have to create them:
39 # mkdir /usr/local/etc/nginx/sites_{available,enabled}
41 Then we copy the sample nginx configuration file exactly as explained in the official documentation.
43 ### The certificate problem
45 We are going to suppose that you want to host several web services, each of them in a jail. It will be very difficult to maintain the *let's encrypt* certificates for each of those jail. We let the main host to deal with the certificate for ALL the jails.
47 Please read the `dehydraded` documentation in order to generate your Peertube instance certificate.
49 :information_source: I used to use certbot. My configuration is a little bit different from the dehydraded one.
53 We need to create a nginx configuration. I named it `peertube-jail.conf` and put it in the `sites_available` folder..
55 :information_source: remember to replace `example.com` by your own FQDN.
57 :information_source: remember to replace `w.x.y.z` by your jail IP address.
62 # First, as for all webserver, we listen to 80 port
65 # give our server_name
66 server_name peertube.example.com;
68 # create some logfiles
69 access_log /var/log/nginx/peertube_access.log;
70 error_log /var/log/nginx/peertube_error.log;
72 # redirect permantly to https
73 rewrite ^ https://$server_name/$request_uri permanent;
81 # The server-name again
82 server_name peertube.example.com;
84 # We use the same log files as below
85 access_log /var/log/nginx/peertube_access.log;
86 error_log /var/log/nginx/peertube_error.log;
88 # We activate the ssl engine and give it the path to the fullchain certificate
91 ssl_certificate /usr/local/etc/letsencrypt/live/peertube.example.com/fullchain.pem;
92 ssl_certificate_key /usr/local/etc/letsencrypt/live/peertube.example.com/privkey.pem;
94 # The root location (/) will be redirect
95 # We add some header and VERY IMPORTANT, the client_max_body_size
96 # set to 4G (the maximum size peertube video)
98 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
99 proxy_pass http://w.x.y.z/;
100 proxy_set_header Host $host;
101 proxy_set_header X-Real-IP $remote_addr;
102 client_max_body_size 4G;
106 We move a part of the jail FROM nginx configuration file TO the host configuration file (line 106 to 117):
109 # We also let the host to deal with the websocket
110 # and transfer it to the jail on port 9000 (the peertube port)
112 location /tracker/socket {
113 # Peers send a message to the tracker every 15 minutes
114 # Don't close the websocket before this time
115 proxy_read_timeout 1200s;
116 proxy_set_header Upgrade $http_upgrade;
117 proxy_set_header Connection "upgrade";
118 proxy_http_version 1.1;
119 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
120 proxy_set_header Host $host;
121 proxy_pass http://w.x.y.z:9000;
127 Save the file, make the link to have it in `sites_enabled` folder:
130 # ln -s /usr/local/etc/nginx/sites_available/peertube-jail.conf /usr/local/etc/nginx/sites_enabled
133 Check the nginx configuration (nginx do a check when restarting. but I prefer do it before)
137 nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
138 nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
141 If it's you can reload nginx configuration:
147 ## BACK TO THE JAIL ##
150 On the jails we are going to make a lot of changes in the nginx configuration.
152 - remove all the ssl configuration (line 16 to 34):
156 listen 443 ssl http2;
157 listen [::]:443 ssl http2;
158 server_name peertube.example.com;
160 # For example with certbot (you need a certificate to run https)
161 ssl_certificate /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
162 ssl_certificate_key /etc/letsencrypt/live/peertube.example.com/privkey.pem;
164 # Security hardening (as of 11/02/2018)
165 ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
166 ssl_prefer_server_ciphers on;
167 ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
168 # ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0, not compatible with import-videos script
169 ssl_session_timeout 10m;
170 ssl_session_cache shared:SSL:10m;
171 ssl_session_tickets off; # Requires nginx >= 1.5.9
172 ssl_stapling on; # Requires nginx >= 1.3.7
173 ssl_stapling_verify on; # Requires nginx => 1.3.7
176 - remove the websocket block too (line 106 to 117). Remember, we already moved this part in the host nginx configuration file.
180 location /tracker/socket {
181 # Peers send a message to the tracker every 15 minutes
182 # Don't close the websocket before this time
183 proxy_read_timeout 1200s;
184 proxy_set_header Upgrade $http_upgrade;
185 proxy_set_header Connection "upgrade";
186 proxy_http_version 1.1;
187 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
188 proxy_set_header Host $host;
189 proxy_pass http://localhost:9000;
193 Our nginx configuration file is now a little bit smaller and will only listen on port 80. Here is mine:
198 server_name peertube.example.com;
200 access_log /var/log/nginx/peertube.access.log;
201 error_log /var/log/nginx/peertube.error.log;
203 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
204 add_header X-Content-Type-Options nosniff;
205 add_header X-XSS-Protection "1; mode=block";
206 add_header X-Robots-Tag none;
208 location ^~ '/.well-known/acme-challenge' {
209 default_type "text/plain";
210 root /var/www/certbot;
213 location ~ ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ {
214 add_header Cache-Control "public, max-age=31536000, immutable";
216 alias /var/www/peertube/peertube-latest/client/dist/$1;
219 location ~ ^/static/(thumbnails|avatars)/(.*)$ {
220 add_header Cache-Control "public, max-age=31536000, immutable";
222 alias /var/www/peertube/storage/$1/$2;
226 proxy_pass http://localhost:9000;
227 proxy_set_header X-Real-IP $remote_addr;
228 proxy_set_header Host $host;
229 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
231 # Hard limit, PeerTube does not support videos > 4GB
232 client_max_body_size 4G;
233 proxy_connect_timeout 600;
234 proxy_send_timeout 600;
235 proxy_read_timeout 600;
239 # Bypass PeerTube webseed route for better performances
240 location /static/webseed {
241 # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
244 if ($request_method = 'OPTIONS') {
245 add_header 'Access-Control-Allow-Origin' '*';
246 add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
247 add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
248 add_header 'Access-Control-Max-Age' 1728000;
249 add_header 'Content-Type' 'text/plain charset=UTF-8';
250 add_header 'Content-Length' 0;
254 if ($request_method = 'GET') {
255 add_header 'Access-Control-Allow-Origin' '*';
256 add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
257 add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
259 # Don't spam access log file with byte range requests
263 alias /var/www/peertube/storage/videos;
268 ## Moved in host nginx config
274 Be sure to save and keep your configuration files, a Peertube update could crush them.
277 Thanks to Chocobozzz who created Peertube, to Framasoft for being part of Peertube popularity, to friends who help me to understand some tricky with jail network and to reread actors.
279 If you find useful this documentation, please make a donation to [Framasoft](https://soutenir.framasoft.org/en//?f=nav)