-
-
Save zapashcanon/c5221994922906282b2a5dcc9ad3f9f6 to your computer and use it in GitHub Desktop.
An opinionated httpd/Apache vhost to run PeerTube, following Mozilla's modern security practices as of https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.28&openssl=1.0.1e&hsts=yes&profile=modern | don't forget to enable WebSockets with `a2enmod proxy_wstunnel`
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # It's generally not a good idea to broadcast the version of Apache you run | |
| ServerSignature Off | |
| ServerTokens Prod | |
| # Security configuration | |
| SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH | |
| SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 | |
| SSLHonorCipherOrder on | |
| # Requires Apache >= 2.4 | |
| SSLCompression off | |
| # To use stapling, we have to enable it globally | |
| SSLStaplingCache "shmcb:logs/stapling-cache(150000)" | |
| # OCSP Stapling requires Apache >= 2.3.3 | |
| SSLUseStapling on | |
| SSLStaplingResponderTimeout 5 | |
| SSLStaplingReturnResponderErrors off | |
| SSLSessionTickets off # Requires Apache >= 2.4.11 | |
| <VirtualHost *:80 [::]:80> | |
| ServerName peertube.example.com | |
| ServerAdmin [email protected] | |
| Protocols h2c http/1.1 | |
| RewriteEngine On | |
| RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/ | |
| RewriteCond %{HTTPS} off | |
| RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] | |
| Alias /.well-known/acme-challenge/ /var/www/certbot/ | |
| <Directory /var/www/certbot> | |
| Options None | |
| AllowOverride None | |
| ForceType text/plain | |
| RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)" | |
| Require method GET POST OPTIONS | |
| </Directory> | |
| ErrorLog "/var/log/httpd/peertube.example.com.error.log" | |
| CustomLog "/var/log/httpd/peertube.example.com.access.log" common env=!dontlog | |
| </VirtualHost> | |
| <VirtualHost *:443 [::]:443> | |
| ServerName peertube.example.com | |
| ServerAdmin [email protected] | |
| Protocols h2 http/1.1 | |
| SSLEngine on | |
| # For example with certbot (you need a certificate to run https) | |
| SSLCertificateFile /etc/letsencrypt/live/peertube.example.com/fullchain.pem | |
| SSLCertificateKeyFile /etc/letsencrypt/live/peertube.example.com/privkey.pem | |
| # HSTS (mod_headers is required) (63072000 seconds = 2 years) (only activate it knowingly) | |
| #Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" | |
| Header always set X-Content-Type-Options nosniff | |
| Header always set X-Robots-Tag none | |
| Header always set X-XSS-Protection "1; mode=block" | |
| # Hard limit, PeerTube does not support videos > 4GB | |
| LimitRequestBody 4294967294 | |
| # Set caching on assets for 1 year | |
| <FilesMatch ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$> | |
| Header append Cache-Control "public, max-age=31536000, immutable" | |
| </FilesMatch> | |
| AliasMatch ^/client/(.*\.(js|css|woff2|otf|ttf|woff|eot))$ /var/www/peertube/peertube-latest/client/dist/$1 | |
| # Set caching on image files for 1 year | |
| <FilesMatch ^/static/(thumbnails|avatars)/(.*)$> | |
| Header append Cache-Control "public, max-age=31536000, immutable" | |
| </FilesMatch> | |
| AliasMatch ^/static/(thumbnails|avatars)/(.*)$ /var/www/peertube/storage/$1/$2 | |
| # Bypass PeerTube webseed route for better performances | |
| Alias /static/webseed /var/www/peertube/storage/videos | |
| <Location /static/webseed> | |
| # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client | |
| SetOutputFilter RATE_LIMIT | |
| SetEnv rate-limit 800 | |
| SetEnvIf Request_Method "GET" GETMETH=1 | |
| Header set Access-Control-Allow-Origin "*" env=GETMETH | |
| Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=GETMETH | |
| Header set Access-Control-Allow-Methods "GET, OPTIONS" env=GETMETH | |
| Header set toto "foo" env=GETMETH | |
| SetEnvIf GETMETH "1" dontlog | |
| SetEnvIf Request_Method "OPTIONS" OPTIONSMETH=1 | |
| Header set Access-Control-Allow-Origin "*" env=OPTIONSMETH | |
| Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type" env=OPTIONSMETH | |
| Header set Access-Control-Allow-Methods "GET, OPTIONS" env=OPTIONSMETH | |
| Header set Access-Control-Max-Age "1000" env=OPTIONSMETH | |
| Header set Content-Type "text/plain charset=UTF-8" env=OPTIONSMETH | |
| Header set Content-Length "0" env=OPTIONSMETH | |
| </Location> | |
| <Location /videos/embed> | |
| Header unset X-Frame-Options | |
| </Location> | |
| ProxyPreserveHost On | |
| ProxyRequests On | |
| ProxyTimeout 600 | |
| # Websocket tracker | |
| RewriteEngine On | |
| RewriteCond %{HTTP:Upgrade} websocket [NC] | |
| RewriteRule /(.*) ws://127.0.0.1:9000/$1 [P,L] | |
| <Location /> | |
| ProxyPass http://127.0.0.1:9000/ | |
| </Location> | |
| ErrorLog "/var/log/httpd/peertube.example.com.error.log" | |
| CustomLog "/var/log/httpd/peertube.example.com.access.log" common env=!dontlog | |
| </VirtualHost> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment