Finally, I got my #infosec #blog up and running again. It has been so long since I accidentally took it down by messing up the A records but that’s a story for another post. I wanted to write up tips and tricks of things that I ran into while attempting to install my own #peertube #instance that was not explained well in the documentation available on the main website.
To be clear, this isn’t any sort of knocking the people who make it, it’s just not mentioned and I don’t know if that’s because for people used to this stuff it’s common knowledge or it just hasn’t been updated. Here we go!
Before we begin, a few points about what I’m going to talk about. This is not going to be a full installation tutorial but a supplement to go along with the official documentation. This also assumes that the setup you are using is having one internet-facing server that is directing traffic upstream to other machines on the network so that they are not exposed.
The server this is written for is Ubuntu 22.04 and I am using the Nginx that comes with the apt-get command. At the time of this writing, it’s Nginx 1.18.1.
Issue #1 – Default NodeJS Version Is Not High Enough
The first part of the tutorial provided by PeerTube points you to the dependencies that you will need to initially install. Do not just use the copy-paste they have to install the default. The .deb files that are available are not the right version that it needs.
When I ran sudo apt-get install nodejs, the server installed version 12.x. You need at least 16.x to install. When you go manually install NodeJS yourself so that you can run Yarn, do not install the latest version 20.x. It is NOT compatible with Yarn when you get to the install process later. I installed the latest version to be up-to-date, and the Yarn prompt in terminal stated that it was expecting between 16.x to 19.x. I had to re-do my key ring and install 19.x to work.
Issue #2 – Created PeerTube User Not Set with Correct Permissions
The dependencies portion of the installation will create the user and group that you need but will not provide the correct permissions (chmod) on the folder. One time when I was running it, it didn’t give the folder to the group. It wants the folder to be drwxr-xr-x. You will not only need to set that yourself, but I recommend chown-ing the folder to the peertube user just to be safe. If you do not, it’ll throw errors later about not owning everything and could mess up your entire install (which happened to me the first time around).
Run the command:
sudo chmod 755 /var/www/peertube
sudo chown peertube:peertube /var/www/peertube
That way, you can be absolutely sure nothing is going to get messed up with the install. Proceed from that point with the rest of the install.
Issue #3 – Prepping the production.yaml Correctly for Reverse Proxy
When you get to the point where you are to edit the production.yaml file, there are a few steps you need to take to make sure it is ready for setup and the reverse proxy.
To understand what I have set up, we’re going to assume we have two servers: one named 192.168.1.1, which is our internet-facing machine, and 192.168.1.2, which is the machine hosting the PeerTube instance. You are going to want 192.168.1.1 to be able to send all the traffic to the other machine.
Setting Up for Reverse Proxy
You will want to make sure the following is in the webserver portion of the YAML file.
webserver:
https: true
hostname: 'yourpeertube.instance'
port: 443
Though with many programs you can run behind a reverse proxy, the upstream machine doesn’t have to be on 443 as the SSL and security work is being handled on the machine taking the traffic. In the case of PeerTube, you must hand the traffic from 443 to 443 and have https set to true even though you do not have any certificates on the upstream location.
If you do not do this, you will get streaming errors with your HLS.js in the PeerTube log. They will look like:
HLS.js error: networkError - fatal: true - manifestLoadError
The other symptom is that your video will play in the browser you uploaded it to but not on any other machine or browser.
In the trust proxy: section, you want to add the line - '192.168.1.1' right under - 'loopback'. Pay attention to formatting as YAML needs the proper indentation.
The last part is to go to database: and make sure the correct password for your database you set up earlier is actually there. In my last three installation attempts, the instructions did not properly set the password. You can enter it manually.
Issue #4 – Proper Reverse Proxy with Nginx
This really isn’t an issue but more to save you time figuring out what needs to be proxy_pass to the upstream machine.
Upstream Machine
On the machine hosting, strip out all the SSL certificate markers and everything, but leave it listening to 443. (This includes the SSL and http2 after the port listening entry.)
It should look something like this:
server {
listen 443;
listen [::]:443;
server_name yourpeertube.instance;
# ... THE REST OF THE CONFIGURATION.
}
Do not worry about the SSL part. As a reminder, it’s going to be handled by the internet-facing machine. We are presently setting up the hosting machine.
Setting Up Internet-Facing Machine
This is a full example of the reverse proxy that has helped my server function. Please make sure to add your information where it says yourpeertube.instance.
server {
if ($host = yourpeertube.instance) {
return 301 https://$host$request_uri;
}
listen 80;
listen [::]:80;
server_name yourpeertube.instance;
return 404;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name yourpeertube.instance;
add_header Access-Control-Allow-Origin "*";
add_header Access-Control-Allow-Methods "*";
ssl_certificate /etc/letsencrypt/live/yourpeertube.instance/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourpeertube.instance/privkey.pem;
location ~/ {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://192.168.4.2:443; # Make sure to change this to your actual internal IP
client_max_body_size 0;
}
}
Ending
There you have it. After I got this all setup, I was able to communicate with my server, upload videos, and the #fediverse portion worked to perfection. If you have any questions, you can reach out to me at my social media.
© Jonathan Snyder. All Rights Reserved.
Fediverse