rt81-2019
Goto Top

Peertube hinter Apache Reverseproxy

Hallo ich habe hier einen Server (Ubuntu) auf den laufen meine VMS.
Der Server nennen wir ihn S01 fungiert als Reverseproxy und VM Host.

Peertube liegt auf einer VM mit einer privaten IP.
Peertube kommt von Haus aus mit einen Nginx Reverseproxy.

S01 hat in der Hosts einen Loop auf die öffentliche Domain von Peertube, damit die Weiterleitung auf die Domain klappt.

Ich stehe gerade vor dem Problem das die Views nicht korrekt angezeigt werden, da Peertube immer nur von der S01 IP angesprochen wird, die Öffentlichen IPs werden nicht weiter gegeben an Peertube.

Hier mal die Apache Vhost von S01

<IfModule mod_ssl.c>
<VirtualHost *:443>
Protocols h2 http/1.1
     ServerName meta-tube.de
       ErrorLog ${APACHE_LOG_DIR}/error-meta.log
        CustomLog ${APACHE_LOG_DIR}/access-meta.log combined
     <Location />
         ProxyPass  https://meta-tube.de/
         ProxyPassReverse   https://meta-tube.de/
RequestHeader set X-Forwarded-Port "443"  
RequestHeader set X-Forwarded-Proto "https"  

     </Location>

RemoteIPHeader X-Forwarded-For
  RemoteIPInternalProxy 127.0.0.1
  LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" proxy  
  CustomLog /var/log/apache2/example.org-access_log proxy


SSLProxyEngine On
SSLProxyVerify none
               SSLProxyCheckPeerCN off
               SSLProxyCheckPeerName off
               SSLProxyCheckPeerExpire off
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias meta-tube.de
SSLCertificateFile /etc/letsencrypt/live/meta-tube.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/meta-tube.de/privkey.pem
</VirtualHost>
</IfModule>

und hier die Nginx conf von Peertube

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name meta-tube.de;

  # For example with certbot (you need a certificate to run https)
  #ssl_certificate      /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
  #ssl_certificate_key  /etc/letsencrypt/live/peertube.example.com/privkey.pem;

  # Security hardening (as of 11/02/2018)
  ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
  ssl_prefer_server_ciphers on;
  # Remove ECDHE-RSA-AES256-SHA if you don't want compatibility with Android 4 
  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-S$  
  # ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0, not compatible with import-videos script
  ssl_session_timeout  10m;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off; # Requires nginx >= 1.5.9
  ssl_stapling on; # Requires nginx >= 1.3.7
  ssl_stapling_verify on; # Requires nginx => 1.3.7

  # Configure with your resolvers
  # resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
  # resolver_timeout 5s;

  # Enable compression for JS/CSS/HTML bundle, for improved client load times.
  # It might be nice to compress JSON, but leaving that out to protect against potential
  # compression+encryption information leak attacks like BREACH.
  gzip on;
  gzip_types text/css application/javascript;
  gzip_vary on;
# If you have a small /var/lib partition, it could be interesting to store temp nginx uploads in a different place
  # See https:{{comment_single_line_double_slash:0}}
  # client_body_temp_path /var/www/peertube/storage/nginx/;

  # Enable HSTS
  # Tells browsers to stick with HTTPS and never visit the insecure HTTP
  # version. Once a browser sees this header, it will only visit the site over
  # HTTPS for the next 2 years: (read more on hstspreload.org)
  #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; 

  access_log /var/log/nginx/peertube.example.com.access.log;
  error_log /var/log/nginx/peertube.example.com.error.log;

  location ^~ '/.well-known/acme-challenge' {  
    default_type "text/plain";  
    root /var/www/certbot;
  }

  # Bypass PeerTube for performance reasons. Could be removed
  location ~ ^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$ {
    add_header Cache-Control "public, max-age=31536000, immutable";  

    alias /var/www/peertube/peertube-latest/client/dist/$1;
  }
# Bypass PeerTube for performance reasons. Could be removed
  location ~ ^/static/(thumbnails|avatars)/ {
    if ($request_method = 'OPTIONS') {  
      add_header 'Access-Control-Allow-Origin' '*';  
      add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';  
      add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';  
      add_header 'Access-Control-Max-Age' 1728000;  
      add_header 'Content-Type' 'text/plain charset=UTF-8';  
      add_header 'Content-Length' 0;  
      return 204;
    }

    add_header 'Access-Control-Allow-Origin' '*';  
    add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';  
    add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';  

    # Cache 2 hours
    add_header Cache-Control "public, max-age=7200";  

    root /var/www/peertube/storage;

    rewrite ^/static/(thumbnails|avatars)/(.*)$ /$1/$2 break;
    try_files $uri /;
  }
 location / {
    proxy_pass http://127.0.0.1:9000;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # This is the maximum upload size, which roughly matches the maximum size of a video file
    # you can send via the API or the web interface. By default this is 8GB, but administrators
    # can increase or decrease the limit. Currently there's no way to communicate this limit 
    # to users automatically, so you may want to leave a note in your instance 'about' page if 
    # you change this.
    #
    # Note that temporary space is needed equal to the total size of all concurrent uploads.
    # This data gets stored in /var/lib/nginx by default, so you may want to put this directory
    # on a dedicated filesystem.
    #
    client_max_body_size 8G;

    proxy_connect_timeout       600;
    proxy_send_timeout          600;
    proxy_read_timeout          600;
    send_timeout                600;
  }

# Bypass PeerTube for performance reasons. Could be removed
  location ~ ^/static/(webseed|redundancy|streaming-playlists)/ {
    # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
    set $peertube_limit_rate 800k;

    # Increase rate limit in HLS mode, because we don't have multiple simultaneous connections  
    if ($request_uri ~ -fragmented.mp4$) {
      set $peertube_limit_rate 5000k;
    }

    # Use this with nginx >= 1.17.0
    # limit_rate $peertube_limit_rate;
    # Or this if your nginx < 1.17.0
    set $limit_rate $peertube_limit_rate;
    limit_rate_after 5000k;

    if ($request_method = 'OPTIONS') {  
      add_header 'Access-Control-Allow-Origin' '*';  
      add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';  
      add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';  
      add_header 'Access-Control-Max-Age' 1728000;  
      add_header 'Content-Type' 'text/plain charset=UTF-8';  
      add_header 'Content-Length' 0;  
      return 204;
    }
  if ($request_method = 'GET') {  
      add_header 'Access-Control-Allow-Origin' '*';  
      add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';  
      add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';  

      # Don't spam access log file with byte range requests  
      access_log off;
    }

    root /var/www/peertube/storage;

    rewrite ^/static/webseed/(.*)$ /videos/$1 break;
    rewrite ^/static/redundancy/(.*)$ /redundancy/$1 break;
    rewrite ^/static/streaming-playlists/(.*)$ /streaming-playlists/$1 break;

    try_files $uri /;
  }

# Websocket tracker
  location /tracker/socket {
    # Peers send a message to the tracker every 15 minutes
    # Don't close the websocket before this time  
    proxy_read_timeout 1200s;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";  
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:9000;
  }

  location /socket.io {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;

    proxy_pass http://127.0.0.1:9000;

    # enable WebSockets
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";  
  }

    ssl_certificate /etc/letsencrypt/live/meta-tube.de/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/meta-tube.de/privkey.pem; # managed by Certbot
}

und hier der erste teil aus der production.yaml von peertube

listen:
  hostname: 'localhost'  
  port: 9000

# Correspond to your reverse proxy server_name/listen configuration
webserver:
  https: true
  hostname: 'meta-tube.de'  
  port: 443

Content-ID: 568423

Url: https://administrator.de/contentid/568423

Ausgedruckt am: 22.11.2024 um 15:11 Uhr

Dani
Dani 29.04.2020 um 18:35:56 Uhr
Goto Top
Moin,
versuch es damit - Klick.


Gruß,
Dani
RT81-2019
RT81-2019 29.04.2020 um 18:51:32 Uhr
Goto Top
Das würde nur gehen wenn das Peertube auch auf den S01 liegen würde liegt aber auf einer VM also eigener Server.
Dani
Dani 29.04.2020 um 18:58:00 Uhr
Goto Top
Moin,
ich habe nichts davon gesagt, dass du die Konfiguration 1:1 übernehmen sollst. Es soll "nur" als Vorlage dienen mit entsprechenden Anpassungen für deine Umgebung. Wenn du entsprechend die Anpassungen vornimmst, sehe ich da keine Probleme.


Gruß,
Dani
RT81-2019
RT81-2019 29.04.2020 um 19:54:21 Uhr
Goto Top
Hmm habe angepasst was geht, er hat immer nur die ip vom reverse proxy raus und spricht damit den peertube server an.
Dani
Dani 29.04.2020 um 20:08:33 Uhr
Goto Top
Moin,
liegt wohl am Logikfehler, den du konfiguriert hast:
     ServerName meta-tube.de
       ErrorLog ${APACHE_LOG_DIR}/error-meta.log
        CustomLog ${APACHE_LOG_DIR}/access-meta.log combined
     <Location />
         ProxyPass  https://meta-tube.de/
         ProxyPassReverse   https://meta-tube.de/
ServerName und ProxyPass darf natürlich nicht der selben Namen sein.


Gruß,
Dani