Updated Installing Peertube in a FreeBSD Jail (markdown)

[oweals/peertube.wiki.git] / Installing-Peertube-in-a-FreeBSD-Jail.md

# A complementary information

:information_source: we're going to start with a working jail, with network up and access to pkg archive.


:information_source: if you have a poudriere, __DON'T USE IT__. It's better to use pre-compiled package in this case.

## Read and apply the dependencies instructions.

Please read and apply the instructions provided in [dependencies](https://github.com/Chocobozzz/PeerTube/blob/develop/support/doc/dependencies.md) page.

## Go to the production page

The main instructions are available in the [production](https://github.com/Chocobozzz/PeerTube/blob/develop/support/doc/production.md) page.

Most of the instruction MUST be done before we continue with specific instructions:

- create the peertube user
- create the database

:warning: the command for knowing the latest available version works with `bash`, but not with `csh`, which is the default `root` shell on FreeBSD. We have to use a different method (changes are very small).

```
set VERSION=`curl -s https://api.github.com/repos/chocobozzz/peertube/releases/latest | grep tag\_name | cut -d '"' -f 4` && echo "Latest Peertube version is $VERSION"
```
Then we use the command to download and extract Peertube as visible in the production page.

## Peertube configuration

Nothing change in this part, please read the documentation.

## Webserver

:warning: this is the most different part.

The `/usr/local/etc/nginx/sites_available` and `/usr/local/etc/nginx/sites_enabled` does not exist by default, we have to create them:

```
# mkdir /usr/local/etc/nginx/sites_{available,enabled}
```
Then we copy the sample nginx configuration file exactly as explained in the official documentation.

### The certificate problem

We are going to suppose that you want to host several web services, each of them in a jail. It will be very difficult to maintain the *let's encrypt* certificates for each of those jail. We let the main host to deal with the certificate for ALL the jails.

Please read the `dehydraded` documentation in order to generate your Peertube instance certificate.

:information_source: I used to use certbot. My configuration is a little bit different from the dehydraded one.

## ON THE HOST ###

We need to create a nginx configuration. I named it `peertube-jail.conf` and put it in the `sites_available` folder..

:information_source: remember to replace `example.com` by your own FQDN.

:information_source: remember to replace `w.x.y.z` by your jail IP address.

```
server {

    # First, as for all webserver, we listen to 80 port
    listen 80;

    # give our server_name
    server_name peertube.example.com;

    # create some logfiles
    access_log /var/log/nginx/peertube_access.log;
    error_log /var/log/nginx/peertube_error.log;

    # redirect permantly to https
    rewrite ^ https://$server_name/$request_uri permanent;
}

server{

    # The https part
    listen 443 ssl http2;

    # The server-name again
    server_name peertube.example.com;

    # We use the same log files as below
    access_log /var/log/nginx/peertube_access.log;
    error_log /var/log/nginx/peertube_error.log;

    # We activate the ssl engine and give it the path to the fullchain certificate
    # and the private key
    ssl on;
    ssl_certificate /usr/local/etc/letsencrypt/live/peertube.example.com/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/peertube.example.com/privkey.pem;

    # The root location (/) will be redirect
    # We add some header and VERY IMPORTANT, the client_max_body_size
    # set to 4G (the maximum size peertube video)
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://w.x.y.z/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        client_max_body_size 4G;
    }
```

We move a part of the jail FROM nginx configuration file TO the host configuration file (line 106 to 117):

```
    # We also let the host to deal with the websocket
    # and transfer it to the jail on port 9000 (the peertube port)

    location /tracker/socket {
        # Peers send a message to the tracker every 15 minutes
        # Don't close the websocket before this time
        proxy_read_timeout 1200s;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://w.x.y.z:9000;
    }

}
```

Save the file, make the link to have it in `sites_enabled` folder:

```
# ln -s /usr/local/etc/nginx/sites_available/peertube-jail.conf /usr/local/etc/nginx/sites_enabled
```

Check the nginx configuration (nginx do a check when restarting. but I prefer do it before)

```
# nginx -t
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
```

If it's you can reload nginx configuration:

```
# nginx -s reload
```

## BACK TO THE JAIL ##


On the jails we are going to make a lot of changes in the nginx configuration.

- remove all the ssl configuration (line 16 to 34):

```
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name peertube.example.com;

  # For example with certbot (you need a certificate to run https)
  ssl_certificate      /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/peertube.example.com/privkey.pem;

  # Security hardening (as of 11/02/2018)
  ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
  ssl_prefer_server_ciphers on;
  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  # ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0, not compatible with import-videos script
  ssl_session_timeout  10m;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off; # Requires nginx >= 1.5.9
  ssl_stapling on; # Requires nginx >= 1.3.7
  ssl_stapling_verify on; # Requires nginx => 1.3.7
```

- remove the websocket block too (line 106 to 117). Remember, we already moved this part in the host nginx configuration file.

```
  # Websocket tracker
  location /tracker/socket {
    # Peers send a message to the tracker every 15 minutes
    # Don't close the websocket before this time
    proxy_read_timeout 1200s;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_pass http://localhost:9000;
  }
```

Our nginx configuration file is now a little bit smaller and will only listen on port 80. Here is mine:

```
server {
  listen 80;
  server_name peertube.example.com;

  access_log /var/log/nginx/peertube.access.log;
  error_log /var/log/nginx/peertube.error.log;

  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Robots-Tag none;

  location ^~ '/.well-known/acme-challenge' {
   default_type "text/plain";
   root /var/www/certbot;
  }

  location ~ ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ {
    add_header Cache-Control "public, max-age=31536000, immutable";

    alias /var/www/peertube/peertube-latest/client/dist/$1;
  }

  location ~ ^/static/(thumbnails|avatars)/(.*)$ {
    add_header Cache-Control "public, max-age=31536000, immutable";

    alias /var/www/peertube/storage/$1/$2;
  }

  location / {
    proxy_pass http://localhost:9000;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Hard limit, PeerTube does not support videos > 4GB
    client_max_body_size 4G;
    proxy_connect_timeout       600;
    proxy_send_timeout          600;
    proxy_read_timeout          600;
    send_timeout                600;
  }

  # Bypass PeerTube webseed route for better performances
  location /static/webseed {
    # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
    limit_rate 800k;

    if ($request_method = 'OPTIONS') {
      add_header 'Access-Control-Allow-Origin' '*';
      add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
      add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
      add_header 'Access-Control-Max-Age' 1728000;
      add_header 'Content-Type' 'text/plain charset=UTF-8';
      add_header 'Content-Length' 0;
      return 204;
    }

    if ($request_method = 'GET') {
      add_header 'Access-Control-Allow-Origin' '*';
      add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
      add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

      # Don't spam access log file with byte range requests
      access_log off;
    }

    alias /var/www/peertube/storage/videos;
  }

  # Websocket tracker

  ## Moved in host nginx config
}
```

## Last words

Be sure to save and keep your configuration files, a Peertube update could crush them.

## Thanks
Thanks to Chocobozzz who created Peertube, to Framasoft for being part of Peertube popularity, to friends who help me to understand some tricky with jail network and to reread actors.

If you find useful this documentation, please make a donation to [Framasoft](https://soutenir.framasoft.org/en//?f=nav)