Installing Peer Tube Behind a Reverse Proxy

Finally, I got my #infosec #blog up and running again. It has been so long since I accidentally took it down by messing up the A records but that’s a story for another post. I wanted to write up tips and tricks of things that I ran into while attempting to install my own #peertube #instance that was not explained well in the documentation available on the main website.

To be clear, this isn’t any sort of knocking the people who make it, it’s just not mentioned and I don’t know if that’s because for people used to this stuff it’s common knowledge or it just hasn’t been updated. Here we go!

Before we begin, a few points about what I’m going to talk about. This is not going to be a full installation tutorial but a supplement to to go along with the official documentation . This also assumes that the setup you are using is having one internet facing server that is directing traffic upstream to other machines on the network so that they are not exposed.

The server this is written for is Ubuntu 22.04 and I am using the Nginx that comes with the apt-get command. At the time of this writing, it’s Nginx 1.18.1.

Issue #1 – default NodeJS is not High Enough.

The first part of the tutorial provided by Peer Tube points you to the dependencies that you will need to initially install first. Do not just use the copy-paste they have to install the default. The deb files that are available are not the right version that it needs.

When I ran the sudo apt-get install nodejs, the server installed 12.x. You need at least 16.x to install minimum. When you go manually install nodeJS yourself so that you can run yard, DO NOT install the latest version 20.x. It is NOT compatible with Yarn when you get to the install process later. I installed the latest version to be up to date and the Yarn prompt in terminal stated that it was expecting between 16.x to 19.x. I had to re-do my key ring and install 19.x to work.

Issue #2 – Created Peer Tube user not the right CHMOD.

The dependencies portion of the installation will create the user and the group that you need but will not provide the correct chmod against the folder and one time when I was running it, didn’t give the folder to the group. It wants the folder to be drwxr-xr-x. You will not only need to set that yourself, but I recommend chown the folder to the peertube user just to be safe. If you do not, it’ll throw errors later about not owning everything and will screw up your entire install (which happened to me the first time around).

Run the command:

sudo chmod 755 /var/www/peertube sudo chown peertube:peertube /var/www/peertube

That was you can be absolutely sure nothing is going tot get messed up with the install. Proceed from that point with the rest of the install.

Issue #3 – Prepping the production.yaml correctly and for Reverse Proxy

When you get to the point that you are to edit the production.yaml file, there are a few steps you need to take to make sure it is ready for setup and the reverse proxy.

To understand what I have set up, we're going to assume we have two servers. One named 192.168.1.1 which is our internet facing machine and 192.168.1.2 which is the machine you are hosting the peertube instance on. You are going to want to have 192.168.1.1 to be able to send all the traffic to the other machine.

Setting up for reverse proxy

You are going to want to make sure the following is in the webserver portion of the yaml file.

webserver: https: true hostname: 'yourpeertube.instance” port: 443

Though with many programs that you can run behind a reverse proxy, the upstream machine doesn't have to be on 443 as the SSL and security work is being handled on the machine taking the traffic. in the case of peertube, you must hand the traffic from 443 to 443 and have the https set to true even though you do not have any certificates on the upstream location.

If you do not do this, you will get streaming errors with your HLS.js in the peertube log. They will look like:

HLS.js error: networkError - fatal: true - manifestLoadError

The other symptom is that your video will play in the browser you uploaded to it but not with any other machine or browser.

In the trust proxy: section, you want to add the line - '192.168.1.1' right under - 'loopback. *pay attention to formatting as yaml needs the proper indentation.

The last part is go to database: and make sure the correct password for your database you setup earlier is actually there. The last three attempts to install per the instructions did not properly put the password there. You can enter it manually.

Issue #4 – Proper Reverse Proxy with Nginx

This really isn't an issue but more to save you time figure out what needs to be proxy_pass to the upstream machine.

Upstream Machine

On the machine hosting, strip out all the SSL certificate markers and everything but leave it listening to 443. (This includes the ssl and http2 after the port listening entry.)

It should look something like this:

server {

listen 443;

listen [::]:443;

server_name yourpeertube.instance ;

... THE REST OF THE CONFIGURATION.

Do not worry about the ssl part. As a reminder, it's going to be handled by the internet facing machine. We are presently setting up the hosting machine.

Setting up Internet Facing Machine

This is a full example of the reverse proxy that has helped my server function. Please make sure to add your information here where it says yourpeertube.instance.

server {

if ($host = yourpeertube.instance) {

return 301 https://$host$request_uri;

}

listen 80; listen [::]:80;

server_name yourpeertube.instance;

return 404; }

server {

listen 443 ssl http2;

listen [::]:443 ssl http2;

server_name yourpeertube.instance;

add_header Access-Control-Allow-Origins “*” always;

add_header Access-Control-Allow-Methods “*” always;

ssl_certificate /etc/letsencrypt/live/yourpeertube.instance/fullchain.pem;

sslcertificatekey /etc/letsencrypt/live/yourpeertube.instance/privkey.pem;

location ^~/ {

proxysetheader X-Forwarded-For $proxyaddxforwardedfor;

proxysetheader Host $host;

proxysetheader X-Real-IP $remote_addr;

proxy_pass http: // 192.168.4.2:443; #Make sure to change this to your actual internal IP;

clientmaxbody_size 0; } }

Ending

There you have it. After I got this all setup, I was able to communicate with my server, upload videos and the #fediverse portion worked to perfection. If you have any questions, you can reach out to me at my social media

— Jonathan S.