VIdeo Too Large

midway

I first tried out PeerTube via Cloudron on a VSP and it seemed to work fine. So I set it up on my own system and it all seemed to install fine, but I try to upload even a reasonably sized video and it says it's too big. No quota on the user and nginx looks okay from my end, but I'll post the config here just in case I missed something. File is about 45MB, so not very big.

Any ideas?

http://nginx.org/en/docs/http/websocket.html

map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}

Allow apps to override this https://stackoverflow.com/questions/13583501/nginx-how-to-add-header-if-it-is-not-set

map $upstream_http_referrer_policy $hrp {
default $upstream_http_referrer_policy;
"" "same-origin";
}

http server

server {
# note listen [::]:80 only listens on ipv6 since ipv6only=on since nginx 1.3.4. listen 80 listens on ipv4 only
listen 80;
server_name tube.cloud.midwaytrades.com;
listen [::]:80;

server_tokens off; # hide version

# acme challenges
location /.well-known/acme-challenge/ {
    default_type text/plain;
    alias /home/yellowtent/platformdata/acme/;
}

location /notfound.html {
    root /home/yellowtent/box/dashboard/dist;
    try_files /notfound.html =404;
    internal;
}

# for default server, serve the notfound page. for other endpoints, redirect to HTTPS
location / {

    return 301 https://$host$request_uri;

}

}

https server

server {
listen 443 ssl http2;
server_name tube.cloud.midwaytrades.com;
listen [::]:443 ssl http2;

server_tokens off; # hide version

# paths are relative to prefix and not to this file
ssl_certificate      /home/yellowtent/platformdata/nginx/cert/_.cloud.midwaytrades.com.cert;
ssl_certificate_key  /home/yellowtent/platformdata/nginx/cert/_.cloud.midwaytrades.com.key;
ssl_session_timeout  5m;
ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
ssl_session_tickets off;

# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
# https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#25-use-forward-secrecy
# ciphers according to https://ssl-config.mozilla.org/#server=nginx&version=1.14.0&config=intermediate&openssl=1.1.1&guideline=5.4
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers off;

# some apps have underscores in headers. this is apparently disabled by default because of some legacy CGI compat
underscores_in_headers on;

# dhparams is generated only after dns setup
ssl_dhparam /home/yellowtent/platformdata/dhparams.pem;

proxy_hide_header Strict-Transport-Security;
    add_header Strict-Transport-Security "max-age=63072000";

    # OCSP. LE certs are generated with must-staple flag so clients can enforce OCSP
ssl_stapling on;
ssl_stapling_verify on;


# https://github.com/twitter/secureheaders
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Compatibility_Matrix
# https://wiki.mozilla.org/Security/Guidelines/Web_Security
add_header X-XSS-Protection "1; mode=block";
proxy_hide_header X-XSS-Protection;
add_header X-Download-Options "noopen";
proxy_hide_header X-Download-Options;
add_header X-Content-Type-Options "nosniff";
proxy_hide_header X-Content-Type-Options;
add_header X-Permitted-Cross-Domain-Policies "none";
proxy_hide_header X-Permitted-Cross-Domain-Policies;

# See header handling from upstream on top of this file
add_header Referrer-Policy $hrp;
proxy_hide_header Referrer-Policy;

# gzip responses that are > 50k and not images
gzip on;
gzip_min_length 18k;
gzip_types text/css text/javascript text/xml text/plain application/javascript application/x-javascript application/json;

# enable for proxied requests as well
gzip_proxied any;






proxy_http_version 1.1;
# intercept errors (>= 400) and use the error_page handler
proxy_intercept_errors on;
# nginx will return 504 on connect/timeout errors
proxy_read_timeout       3500;
proxy_connect_timeout    3250;

proxy_set_header   Host               $host;
proxy_set_header   X-Real-IP          $remote_addr;
proxy_set_header   X-Forwarded-For    $remote_addr;
proxy_set_header   X-Forwarded-Host   $host;
proxy_set_header   X-Forwarded-Port   $server_port;
proxy_set_header   X-Forwarded-Proto  https;
proxy_set_header   X-Forwarded-Ssl    on;

# upgrade is a hop-by-hop header (http://nginx.org/en/docs/http/websocket.html)
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;

# only serve up the status page if we get proxy gateway errors
root /home/yellowtent/box/dashboard/dist;
# some apps use 503 to indicate updating or maintenance
error_page 502 504 /app_error_page;
location /app_error_page {
    root /home/yellowtent/boxdata;
    # the first argument looks for file under the root
    try_files /custom_pages/$request_uri /custom_pages/app_not_responding.html /appstatus.html;
    # internal means this is for internal routing and cannot be accessed as URL from browser
    internal;
}

location @wellknown-upstream {

    proxy_pass http://172.18.18.9:80;

}

# user defined .well-known resources
location /.well-known/ {
    error_page 404 = @wellknown-upstream;
    proxy_pass http://127.0.0.1:3000/well-known-handler/;
}

# increase the proxy buffer sizes to not run into buffer issues (http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers)
proxy_buffer_size       128k;
proxy_buffers           4 256k;
proxy_busy_buffers_size 256k;

# No buffering to temp files, it fails for large downloads
proxy_max_temp_file_size 0;

# Disable check to allow unlimited body sizes. this allows apps to accept whatever size they want
client_max_body_size 0;




location = /appstatus.html {
    root /home/yellowtent/box/dashboard/dist;
}


location / {
    proxy_pass http://172.18.18.9:80;
}

}

nebulon

Not sure I understand the issue fully, are you asking about uploads not working for Peertube installed on Cloudron or on another server without Cloudron?

midway

Both are with Cloudron. The one that's working is on a VPS, the one that's stopping me from uploading is locally hosted. Trying to figure out where the difference may be.

Thanks

girish

@midway Cloudron package is opensource . So, maybe you can take a look at that one - https://git.cloudron.io/cloudron/peertube-app/ . There is a nginx folder with the config.

nebulon

@midway if this problem only arises when hosting it locally, do you have any other firewall or proxy in front of that server, which could interfere here?

midway

Sorry for the delay, I was out of town. I do have an nginx reverse proxy in front of it, but I don't see anything in the config would restrict that. It's pretty simple:

server {

server_name tube.midwaytrades.com;

location / {
    proxy_pass https://tube.midwaytrades.com;
    proxy_set_header Host $host;
}



listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/tube.midwaytrades.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tube.midwaytrades.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
if ($host = tube.midwaytrades.com) {
return 301 https://$host$request_uri;
} # managed by Certbot

server_name tube.midwaytrades.com;
listen 80;
return 404; # managed by Certbot

}

I will try to bypass it and see if it makes a difference but if you see anything in there that would mess with that, let me know. Thanks!

midway

Just did a check and when I bypass the reverse proxy it seems to work. Anyone have an idea why that would be? I have the config posted above. Argh!

midway

I think I figured it out. Apparently there's a really low default if you don't explicitly set a max size via client_max_body_size. Setting that explicitly seemed to work.

Thanks folks. Sometimes you just need to bounce stuff off people to get to the right place.