From babab28592f69a49923f64767adf82e46e241963 Mon Sep 17 00:00:00 2001 From: Florent Date: Thu, 15 Dec 2022 11:11:11 +0100 Subject: [PATCH] Update nginx and configuration --- conf/nginx.conf | 21 +++++++++++++++++++-- conf/production.yaml | 40 ++++++++++++++++++++++++++++++++++------ scripts/install | 2 ++ scripts/upgrade | 12 ++++++++++++ 4 files changed, 67 insertions(+), 8 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index 6581403..f8345c1 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -78,6 +78,11 @@ location /tracker/socket { try_files /dev/null @api_websocket; } +# Plugin websocket routes +location ~ ^/plugins/[^/]+(/[^/]+)?/ws/ { + try_files /dev/null @api_websocket; +} + ## # Performance optimizations # For extra performance please refer to https://github.com/denji/nginx-tuning @@ -154,6 +159,18 @@ location ~ ^/static/(thumbnails|avatars)/ { try_files $uri @api; } +location ~ ^(/static/(webseed|streaming-playlists)/private/)|^/download { + # We can't rate limit a try_files directive, so we need to duplicate @api + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + + proxy_limit_rate 5M; + + proxy_pass http://127.0.0.1:__PORT__; +} + # Bypass PeerTube for performance reasons. Optional. location ~ ^/static/(webseed|redundancy|streaming-playlists)/ { limit_rate_after 5M; @@ -167,9 +184,9 @@ location ~ ^/static/(webseed|redundancy|streaming-playlists)/ { } # Use this line with nginx >= 1.17.0 - # limit_rate $peertube_limit_rate; + limit_rate $peertube_limit_rate; # Or this line if your nginx < 1.17.0 - set $limit_rate $peertube_limit_rate; + # set $limit_rate $peertube_limit_rate; if ($request_method = 'OPTIONS') { more_set_headers "Access-Control-Allow-Origin : *"; diff --git a/conf/production.yaml b/conf/production.yaml index 41614b7..28731b5 100644 --- a/conf/production.yaml +++ b/conf/production.yaml 
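Review bot: The new `location ~ ^(/static/(webseed|streaming-playlists)/private/)|^/download` block only protects private files because nginx takes the first matching regex location and this block is placed above the "Bypass PeerTube" location, whose regex `^/static/(webseed|redundancy|streaming-playlists)/` also matches `/static/webseed/private/...`; nothing in the file states that invariant, so a later reordering would silently make nginx serve private video files from disk with no authentication. I would replace the first comment line with `# Must stay ABOVE the "Bypass PeerTube" location below: nginx uses the first matching regex location, and that block would serve /static/*/private/ files from disk without the API auth check`. The duplicated proxy headers also omit `X-Forwarded-Proto`; if the `@api` named location (defined outside this hunk) sets `proxy_set_header X-Forwarded-Proto $scheme;`, add it here too so PeerTube sees the same scheme on both paths. Note that `^/download` is an unanchored prefix and matches any path beginning with `/download`, which is harmless only as long as nothing else is expected to live under such a path.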
@@ -8,6 +8,12 @@ webserver: hostname: '__DOMAIN__' port: 443 +# Secrets you need to generate the first time you run PeerTube +secrets: + # Generate one using `openssl rand -hex 32` + peertube: '__SECRETS_PEERTUBE__' + + rates_limit: api: # 50 attempts in 10 seconds @@ -120,6 +126,7 @@ storage: captions: '__DATADIR__/captions/' cache: '__DATADIR__/cache/' plugins: '__DATADIR__/plugins/' + well_known: '__DATADIR__/well-known/' # Overridable client files in client/dist/assets/images: # - logo.svg # - favicon.png @@ -132,6 +139,10 @@ storage: # If not, peertube will fallback to the default file client_overrides: '__DATADIR__/client-overrides/' +static_files: + # Require and check user authentication when accessing private files (internal/private video files) + private_files_require_auth: true + object_storage: enabled: false @@ -140,8 +151,19 @@ object_storage: region: 'us-east-1' - # Set this ACL on each uploaded object - upload_acl: 'public-read' + upload_acl: + # Set this ACL on each uploaded object of public/unlisted videos + public: 'public-read' + # Set this ACL on each uploaded object of private/internal videos + # PeerTube can proxify requests to private objects so your users can access them + private: 'private' + + proxy: + # If private files (private/internal video files) have a private ACL, users can't access directly the ressource + # PeerTube can proxify requests between your object storage service and your users + # If you disable PeerTube proxy, ensure you use your own proxy that is able to access the private files + # Or you can also set a public ACL for private files in object storage if you don't want to use a proxy + proxify_private_files: true credentials: # You can also use AWS_ACCESS_KEY_ID env variable 
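Review bot: `private_files_require_auth: true` is only an effective control if every request for a private file actually reaches PeerTube, yet the comment reads as if the flag alone were sufficient; in this same patch nginx serves `/static/(webseed|redundancy|streaming-playlists)/` straight from disk and only a separate, order-dependent location routes the `/private/` subpaths and `/download` to the API. I would say so next to the key: `# Only effective if the web server proxies /static/*/private/ and /download requests to PeerTube instead of serving them from disk (see the nginx configuration)`. The private-files nginx location also omits `redundancy`, which the bypass location does match; if redundancy files can ever be private that is a gap, but that cannot be determined from this diff.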
@@ -186,13 +208,15 @@ log: # Accept warn/error logs coming from the client accept_client_log: true -# Highly experimental support of Open Telemetry +# Support of Open Telemetry metrics and tracing +# For more information: https://docs.joinpeertube.org/maintain-observability open_telemetry: metrics: enabled: false # Create a prometheus exporter server on this port so prometheus server can scrape PeerTube metrics prometheus_exporter: + hostname: '127.0.0.1' port: 9091 tracing: @@ -567,6 +591,9 @@ import: # Number of latest published videos to check and to potentially import when syncing a channel videos_limit_per_synchronization: 10 + # Max number of videos to import when the user asks for full sync + full_sync_videos_limit: 1000 + auto_blacklist: # New videos automatically blacklisted so moderators can review before publishing videos: @@ -648,7 +675,8 @@ instance: robots: | User-agent: * Disallow: - # Security.txt rules. To discourage researchers from testing your instance and disable security.txt integration, set this to an empty string + # /.well-known/security.txt rules. This endpoint is cached, so you may have to wait a few hours before viewing your changes + # To discourage researchers from testing your instance and disable security.txt integration, set this to an empty string securitytxt: '# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:' 
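Review bot: `hostname: '127.0.0.1'` binds the Prometheus exporter to loopback, which is the right default, but nothing documents why or what an operator should do when Prometheus scrapes from another host, and the obvious "fix" of setting `0.0.0.0` would expose the metrics port to the network. Presumably the exporter endpoint has no authentication of its own, so I would add above the key: `# Bound to loopback by default; if Prometheus runs on another host, expose this port through an authenticated/TLS reverse proxy or a private network rather than binding to 0.0.0.0` — confirm the exporter really is unauthenticated before wording it that strongly. The `@@ -648` securitytxt hunk on this line is cut off at the end of the chunk, so it is not reviewed here.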
@@ -713,9 +741,9 @@ search: # You should deploy your own with https://framagit.org/framasoft/peertube/search-index, # and can use https://search.joinpeertube.org/ for tests, but keep in mind the latter is an unmoderated search index url: '' - # You can disable local search, so users only use the search index + # You can disable local search in the client, so users only use the search index disable_local_search: false - # If you did not disable local search, you can decide to use the search index by default + # If you did not disable local search in the client, you can decide to use the search index by default is_default_search: false # PeerTube client/interface configuration diff --git a/scripts/install b/scripts/install index 91ffa96..cd467f7 100644 --- a/scripts/install +++ b/scripts/install @@ -35,6 +35,7 @@ app=$YNH_APP_INSTANCE_NAME admin_mail=$(ynh_user_get_info --username=$admin --key="mail") admin_pass=$(ynh_string_random --length=24) +secrets_peertube=$(openssl rand -hex 32) # Define app's data directory datadir="/home/yunohost.app/${app}/storage" @@ -57,6 +58,7 @@ ynh_script_progression --message="Storing installation settings..." ynh_app_setting_set --app=$app --key=domain --value=$domain ynh_app_setting_set --app=$app --key=admin --value=$admin +ynh_app_setting_set --app=$app --key=secrets_peertube --value=$secrets_peertube #================================================= # STANDARD MODIFICATIONS diff --git a/scripts/upgrade b/scripts/upgrade index e1bf407..b88f566 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -30,6 +30,7 @@ db_pwd=$(ynh_app_setting_get --app=$app --key=psqlpwd) datadir=$(ynh_app_setting_get --app=$app --key=datadir) admin_mail=$(ynh_user_get_info --username=$admin --key="mail") redis_db=$(ynh_app_setting_get --app=$app --key=redis_db) +secrets_peertube=$(ynh_app_setting_get --app=$app --key=secrets_peertube) #================================================= # CHECK VERSION 
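Review bot: In scripts/install, `secrets_peertube=$(openssl rand -hex 32)` is stored and later rendered into production.yaml with no check that it is non-empty; if `openssl` is absent or fails and the script is not running under `set -e`/`ynh_abort_if_errors` (not visible in this hunk), the instance would start with `secrets.peertube: ''`. I would fail closed immediately after generation: `[ -n "$secrets_peertube" ] || ynh_die --message="Failed to generate PeerTube secret"`. Since the secret ends up in the rendered config file, the config must be written owner-only; `ynh_add_config` presumably handles that, but the call is outside this hunk, so confirm.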
@@ -205,6 +206,16 @@ chmod 750 "$datadir" chmod -R o-rwx "$datadir" chown -R $app:www-data "$datadir" +#================================================= +# Generate secrets if they don't exist +#================================================= + +if [ -z "$secrets_peertube" ]; then + ynh_script_progression --message="Generating and storing PeerTube secrets..." + secrets_peertube=$(openssl rand -hex 32) + ynh_app_setting_set --app=$app --key=secrets_peertube --value=$secrets_peertube +fi + #================================================= # BUILD YARN DEPENDENCIES #================================================= @@ -285,6 +296,7 @@ if ynh_compare_current_package_version --comparison lt --version 4.2.0~ynh1; the popd fi + #================================================= # STOP SYSTEMD SERVICE #=================================================
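Review bot: The new "Generate secrets if they don't exist" block in scripts/upgrade, like the install script, never verifies that `openssl rand -hex 32` produced a value; a failing `openssl` would store an empty secret, the `-z` guard would then regenerate on every upgrade, and PeerTube would run with `secrets.peertube: ''` in between. Add `[ -n "$secrets_peertube" ] || ynh_die --message="Failed to generate PeerTube secret"` before the `ynh_app_setting_set` line, and quote the argument as `--value="$secrets_peertube"` for consistency with the rest of the script's variable handling. This block must run before production.yaml is re-rendered from the template; that call is outside the hunk, so confirm the ordering.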