Having trouble running behind reverse proxy

I have a separate nginx reverse proxy server within my network that terminates all ssl for my home servers. The default peertube nginx config assumes you will be issuing the peertube host server a cert and terminating ssl there. How should my host nginx conf look so that it just passes http to my reverse proxy? For context, this is the default config that I need to modify.

You should be able to simply point to port 9000 from your reverse proxy and not have to use nginx on your PeerTube server.

However, uncommenting like this should also work:

#server {
#  listen 80;
#  listen [::]:80;
#  server_name example.com;

#  location /.well-known/acme-challenge/ {
#    default_type "text/plain";
#    root /var/www/certbot;
#  }
#  location / { return 301 https://$host$request_uri; }
#}

upstream backend {
  server 127.0.0.1:9000;
}

server {
  listen 443;
  listen [::]:443;
  server_name example.com;

  access_log /var/log/nginx/peertube.access.log; # reduce I/O with buffer=10m flush=5m
  error_log  /var/log/nginx/peertube.error.log;

  ##
  # Certificates
  # you need a certificate to run in production. see https://letsencrypt.org/
  ##
  #ssl_certificate     /etc/letsencrypt/live/${WEBSERVER_HOST}/fullchain.pem;
  #ssl_certificate_key /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem;

#  ssl_protocols             TLSv1.2 TLSv1.3;
#  ssl_prefer_server_ciphers on;
#  ssl_ciphers               ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:>
#  ssl_session_timeout       1d; # defaults to 5m
#  ssl_session_cache         shared:SSL:10m; # estimated to 40k sessions
#  ssl_session_tickets       off;
#  ssl_stapling              on;
#  ssl_stapling_verify       on;

Also remove « http2 » and « ssl » at the listening port 443.

This worked! Thanks. I have another question involving email validation but I’ll create a new thread since it’s a different subject. Thanks again.

Be aware that by doing so, PeerTube will also have to serve static files. This can be a performance issue if you are under heavy load. (See here)
You will also have missing customisations on the upload endpoint (see here), and maybe other things that are not well suited for a production server (here for example).

I was under the impression that by keeping the default conf but just commenting out the ssl related portions that the optimizations would still be in place. Is this not true? This is why I did not choose to just pass port 9000 to my proxy and skip nginx on the host server altogether.

Indeed, that should work. But I thought you did like @WonderingDane said (point to port 9000).

Otherwise, there is maybe a simpler solution, using «proxy» mode. But I don’t know nginx very well, and I don’t know the exact syntax.
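
For reference, a sketch of the other half of the setup discussed in this thread: the server block on the separate TLS-terminating proxy, forwarding plain HTTP to the PeerTube host's nginx. This is an added example, not configuration from any poster or from the PeerTube project; the addresses, certificate paths and upload limit are placeholders and assumptions.

```nginx
# Constructed example for the TLS-terminating proxy (not the PeerTube host).
# 192.0.2.10 = PeerTube host, 192.0.2.1 = this proxy: both are placeholders.

# Lets WebSocket upgrade requests pass through the proxy.
map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

server {
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name example.com;

  ssl_certificate     /path/to/fullchain.pem;  # placeholder path
  ssl_certificate_key /path/to/privkey.pem;    # placeholder path
  ssl_protocols       TLSv1.2 TLSv1.3;

  # Uploads reach this proxy first, and nginx's default body limit is 1m.
  client_max_body_size 8g;                     # assumed value, size to your needs

  location / {
    # Plain HTTP to the PeerTube host's nginx, which in the config posted
    # above listens on port 443 without "ssl".
    proxy_pass http://192.0.2.10:443;

    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    # Overwrite rather than append, so a client-supplied X-Forwarded-For
    # value is not passed on as if it were trusted.
    proxy_set_header X-Forwarded-For   $remote_addr;
    proxy_set_header X-Forwarded-Proto https;

    proxy_http_version 1.1;
    proxy_set_header Upgrade    $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
  }
}

# On the PeerTube host, inside the "server" block posted above, the
# unencrypted listener can be limited to the proxy's address:
#   allow 192.0.2.1;
#   deny  all;
```

Run `nginx -t` on both machines before reloading; traffic between the proxy and the PeerTube host is unencrypted in this layout, so it belongs on a network segment you trust.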