# NOTE(review): this excerpt appears to have lost its container tags (the
# <VirtualHost>, <Location>, <Directory> and similar wrappers of the original
# file) and was collapsed onto a few lines. Below, every directive is shown
# one per line with its tokens unchanged; which host or path each directive
# was scoped to can no longer be recovered from this text alone, so compare
# against the original file before reusing any part of it.

# Server-scope TLS session cache: a 512000-byte shared-memory (shmcb) cache so
# resumed sessions skip the full key exchange.
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_gcache_data(512000)"
# NOTE(review): 87400 s is one day plus 1000 s; 86400 (24 h) looks like the intended value — confirm.
SSLSessionCacheTimeout 87400
# Shared-memory cache for OCSP responses, used by SSLUseStapling further down.
SSLStaplingCache shmcb:logs/stapling-cache(150000)

# Minimum Apache version required: 2.4.32 (released March 14th, 2018)
# Check that your Apache installation provides the following modules (list them with 'apachectl -M'):
# STANDARD HTTP MODULES: core_module, proxy_module, proxy_http2_module, proxy_wstunnel_module, proxy_http_module, headers_module, remoteip_module, ssl_module, filter_module, reqtimeout_module
# THIRD PARTY MODULES: None.
# See https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.6 for the TLS hardening these settings are derived from.

# The three cache directives below repeat the ones at the top of the excerpt.
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_gcache_data(512000)"
SSLSessionCacheTimeout 87400
SSLStaplingCache shmcb:logs/stapling-cache(150000)

# Never act as a forward proxy; the ProxyPass reverse-proxy rules below still work with this off.
ProxyRequests off
# mod_proxy environment flags: no keep-alive towards the backend, and do not
# hand the first request of a client connection to a pooled backend connection.
SetEnv proxy-nokeepalive 1
SetEnv proxy-initial-not-pooled 1

# Presumably the plain-HTTP (port 80) host: cleartext HTTP/2 plus HTTP/1.1.
Protocols h2c http/1.1
ServerName peertube.example.com
ServerAdmin webmaster@example.com
ErrorLog "/var/log/httpd/[peertube.example.com].error.log"
# Requests that set the 'dontlog' environment variable are excluded from the access log.
CustomLog "/var/log/httpd/[peertube.example.com].access.log" common env=!dontlog

# Redirect every non-HTTPS request to HTTPS, except the ACME HTTP-01 challenge
# path, which must stay reachable over plain HTTP for certificate issuance.
RewriteEngine on
RewriteOptions inherit
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Serve the certbot webroot for challenges. The Options/AllowOverride/ForceType
# trio presumably belonged to a <Directory> for /var/www/certbot/: no indexes, no
# symlink following, no .htaccess, and everything served as text/plain.
Alias /.well-known/acme-challenge/ /var/www/certbot/
Options None
AllowOverride None
ForceType text/plain
# Anything under the alias that is not a 43-character challenge token gets a 404,
# so the directory cannot be listed or used to serve other files.
RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
# Only these methods are authorized in whichever scope this was declared in.
Require method GET POST OPTIONS

# NOTE(review): TLSv1.2 / TLSv1.3 are SSLProtocol values, not protocol names
# accepted by the Protocols directive (h2, h2c, http/1.1); this line looks like
# a copy mistake — confirm against the original file.
Protocols h2 h2c http/1.1 TLSv1.2 TLSv1.3 http/1.0
# The client's ALPN preference order wins over the server's.
ProtocolsHonorOrder Off
ServerName example.com
ServerAlias peertube.example.com
# Environment flag read elsewhere (not in this excerpt) — TODO confirm what consumes it.
SetEnv increaseTimeout false
RewriteEngine on
RewriteOptions inherit
CustomLog "/usr/local/apache/logs/peertube.access.log" common "env=!dontlog"
ErrorLog "/usr/local/apache/logs/example.com.error.log"

##
# Certificates
# You need a certificate to run in production; see https://letsencrypt.org/
##
SSLEngine on
# Also enables TLS for outbound proxy connections, although the ProxyPass
# targets at the end of this excerpt are plain http:// and ws://.
SSLProxyEngine on
SSLCertificateFile /etc/letsencrypt/live/peertube.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/peertube.example.com/privkey.pem

##
# Security hardening (as of Nov 15, 2020)
# based on Mozilla Guideline v5.6
##
# Only TLS 1.2 and 1.3 remain enabled.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# SSLCipherSuite: add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4.
# All suites are ECDHE (forward secrecy); AEAD suites (GCM, CHACHA20-POLY1305)
# come first, the trailing CBC/HMAC suites (-SHA384, -SHA256) are kept for
# older clients. TLS 1.3 suites are not controlled by this line.
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
# Server order above is authoritative for TLS <= 1.2 negotiations.
SSLHonorCipherOrder on
# Session tickets off, as the Mozilla guideline recommends: httpd only rotates
# the ticket key on restart, which weakens forward secrecy for resumed sessions.
SSLSessionTickets off
# Staple OCSP responses into the handshake (uses SSLStaplingCache above).
SSLUseStapling on

# NOTE(review): max-age=8740000 is about 101 days. The HSTS preload list
# requires max-age of at least 31536000 (one year), and once a domain is
# preloaded with includeSubDomains it is very hard to back out — confirm the
# intended value before submitting this host for preloading.
Header set Strict-Transport-Security "max-age=8740000; includeSubDomains; preload"
# Stop browsers from MIME-sniffing responses away from the declared Content-Type.
Header set X-Content-Type-Options nosniff
# 'none' = noindex + nofollow; applies to every response of this scope — confirm that is intended.
Header set X-Robots-Tag none
# NOTE(review): X-XSS-Protection is a legacy header that current browsers ignore;
# a Content-Security-Policy is the effective mitigation — confirm the backend sets one.
Header set X-XSS-Protection "1; mode=block"
# Forward the original Host, and overwrite (not append) the client-address
# headers with the TCP peer address, so a client-supplied X-Forwarded-For can
# never reach the backend. If httpd is itself behind another proxy, remoteip_module
# must rewrite REMOTE_ADDR first for these to be meaningful.
RequestHeader set Host expr=%{HTTP_HOST}
RequestHeader set X-Forwarded-For expr=%{REMOTE_ADDR}
RequestHeader set X-Real-IP expr=%{REMOTE_ADDR}

##
# Application
##
# The LimitRequestBody values in this section are per-location limits (100 KiB,
# unlimited, 12 GiB, 6 MiB); their containers are missing from this excerpt.
LimitRequestBody 102400
# 0 = operating-system default socket buffer.
ProxyReceiveBufferSize 0
KeepAliveTimeout 10
# 900 s backend timeout, presumably sized for long uploads/transcodes — confirm.
ProxyTimeout 900
ProxyIOBufferSize 1024
# (Duplicate of the previous line in the excerpt.)
ProxyIOBufferSize 1024
ProxyReceiveBufferSize 8192
LimitRequestBody 0
# Scope of these two access rules cannot be recovered here.
Require all granted
Require all denied
# The next line is not a directive; it looks like residue of a comment similar
# to the "(x * 1.4 >= LimitRequestBody)" note below, left as found.
= LimitRequestBody)
Header set X-File-Maximum-Size 8G
# NOTE(review): the trailing ';' on the next two lines is not Apache syntax
# (it looks copied from an nginx-style config) and would fail to parse — confirm.
# 12884901888 bytes = 12 GiB, which satisfies 8G * 1.4 <= LimitRequestBody.
LimitRequestBody 12884901888;
Header set X-File-Maximum-Size 8G always;
# Inform the backend of the configured limit in bytes, before MIME encoding (x * 1.4 >= LimitRequestBody).
# 6291456 bytes = 6 MiB, which satisfies 4M * 1.4 <= LimitRequestBody.
LimitRequestBody 6291456
# Inform the backend of the configured limit in bytes, before MIME encoding (x * 1.4 >= LimitRequestBody).
Header set X-File-Maximum-Size 4M

##
# Performance optimizations
# Compression enabled automatically by filter_module
##
DocumentRoot /var/www/peertube
# reqtimeout_module: headers must arrive within 10 s and the body within 30 s
# (slow-client protection). NOTE(review): with no MinRate, a fixed 30 s body
# timeout looks tight for the multi-GB uploads allowed above — confirm.
RequestReadTimeout body=30 header=10
# Symlinks are followed regardless of owner, so any symlink that can be created
# under DocumentRoot is served; keep write access to that tree restricted.
Options +FollowSymLinks -SymLinksIfOwnerMatch
# NOTE(review): %{DOCUMENT_ROOT} is expression syntax; verify Alias expands it
# in your httpd version (the RewriteRule below does, since mod_rewrite expands it).
Alias /client %{DOCUMENT_ROOT}/peertube-latest/client/dist

# http/2 tuning
H2Push on
H2PushPriority * after
H2PushPriority txt/css before
H2PushPriority image/jpeg after 32
H2PushPriority image/png after 32
H2PushPriority application/javascript interleaved

# Bypass PeerTube for performance reasons. Optional.
# Should be consistent with the client-overrides assets list in /server/controllers/client.ts
# Cache 1 year: client bundle files are content-hashed, hence 'immutable'.
Header set Cache-Control "public, max-age=31536000, immutable"
# Internal rewrite straight to the built client files, so the backend is never hit.
RewriteRule ^/client/(.*)$ %{DOCUMENT_ROOT}/peertube-latest/client/dist/$1 [L]

# Bypass PeerTube for performance reasons. Optional.
Header set Cache-Control "public, max-age=31536000, immutable"

# Bypass PeerTube for performance reasons. Optional.
# CORS for static assets. NOTE(review): browsers reject
# Access-Control-Allow-Credentials: true combined with a wildcard origin, so the
# two headers below cannot both take effect — confirm which one is intended.
# Also, 'Header set' on the same name twice replaces the first value: the
# "Retry-After" list below is overwritten by the second Allow-Headers line
# (the same pattern repeats in the two CORS blocks further down).
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Credentials "true"
Header set Access-Control-Allow-Headers "Retry-After"
Header set Access-Control-Allow-Methods "GET, OPTIONS"
Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"
# Preflight request can be cached 20 days
Header set Access-Control-Max-Age 1728000
# Empty 204 answer for preflights. (The Content-Type value lacks the ';' before
# charset; it is a runtime string and left as found.)
Header set Content-Type "text/plain charset=UTF-8"
Header set Content-Length 0
RedirectMatch 204 ^(.*)$
# Cache response 2 hours
Header set Cache-Control "public, max-age=7200"
# Strip the /static prefix and serve from the filesystem.
RewriteRule ^/static/(.*)$ /$1 [L]

# Bypass PeerTube for performance reasons. Optional.
# Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
# mod_ratelimit: 'rate-limit' is in KiB/s and 'rate-limit-burst' in KiB. The
# 5120/6144 pair is the HLS setting and 832/1024 the webseed setting; which
# container each pair belonged to cannot be recovered here.
SetOutputFilter RATE_LIMIT
# Increase rate limit in HLS mode, because we don't have multiple simultaneous connections
SetEnv rate-limit 5120
SetEnv rate-limit-burst 6144
SetEnv rate-limit 832
SetEnv rate-limit-burst 1024
# CORS for video segments (see the note on the first CORS block about the
# credentials/wildcard pair and the overwritten Allow-Headers value).
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Credentials "true"
Header set Access-Control-Allow-Headers "Retry-After"
Header set Access-Control-Allow-Methods "GET, OPTIONS"
Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"
# Preflight request can be cached 20 days
Header set Access-Control-Max-Age 1728000
Header set Content-Type "text/plain charset=UTF-8"
Header set Content-Length 0
RedirectMatch 204 ^(.*)$
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Credentials "true"
Header set Access-Control-Allow-Headers "Retry-After"
Header set Access-Control-Allow-Methods "GET, OPTIONS"
Header set Access-Control-Allow-Headers "Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"
# Don't spam the access log with byte-range requests.
# NOTE(review): SetEnvIf takes an attribute name such as Request_URI, not an
# expression like %{REQUEST_URI}; as written the attribute is a header that
# never exists, so 'dontlog' is probably never set and the env=!dontlog log
# filters above have no effect — confirm (SetEnvIfExpr or Request_URI would match).
SetEnvIf %{REQUEST_URI} "^(.*)$" dontlog
# Enabling the sendfile directive eliminates the step of copying the data into the buffer
# and enables direct copying of data from one file descriptor to another.
# Disable it if the folder is on a network filesystem such as NFS.
EnableSendfile on
# No-cache for whichever path this was scoped to (container missing here).
Header set Cache-control "no-cache, no-store"
# Map webseed URLs onto the videos directory, then strip the /static prefix.
RewriteRule ^/static/webseed/(.*)$ /videos/$1 [L]
RewriteRule ^/static/(.*)$ /$1 [L]
SetEnv rate-limit 5120
SetEnv rate-limit-burst 6144
# Allows framing for this scope only — presumably the embed endpoint; confirm
# the scope, since unsetting it elsewhere would expose pages to clickjacking.
Header unset X-Frame-Options

# Websocket
# Set Upgrade and Connection headers for WebSocket requests.
# NOTE(review): these two RequestHeader lines are unconditional in this scope,
# so they are sent for plain HTTP requests too, not only those matching the
# RewriteCond pair below — confirm this is intended.
RequestHeader set Upgrade "websocket"
RequestHeader set Connection "Upgrade"
# Proxy genuine WebSocket upgrades to the backend over ws://.
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule ^/(.*)$ ws://backend/$1 [P,L]
# Normal HTTP requests: 'backend' is an upstream host defined outside this
# excerpt; flushpackets=on streams responses without buffering.
ProxyPass "/" "http://backend/" flushpackets=on
ProxyPassReverse "/" "http://backend/" flushpackets=on