Chocobozzz / PeerTube

ActivityPub-federated video streaming platform using P2P directly in your web browser
https://joinpeertube.org/
GNU Affero General Public License v3.0

SSL errors & socket.io 400 (Bad Request) everywhere #1973

Closed lowgos closed 5 years ago

lowgos commented 5 years ago

What happened?

I'm testing PeerTube at my job. Everything seems to work. I disabled the tracker to limit traffic (and that seems to work too). Accounts work, videos too.

BUT I'm having lots and lots of errors in the JavaScript console:

GET https://<my-url>/socket.io/?accessToken=<access-token>&transport=polling&t=... 400 (Bad Request)

AND I think the real problem lies in my nginx configuration, because on videos I uploaded as a file (importing a video from YouTube doesn't trigger the console error) I get this:

OPTIONS https://<my-url>:80/static/webseed/<video-id>.mp4 net::ERR_SSL_PROTOCOL_ERROR
HEAD https://<my-url>:80/static/webseed/<video-id>.mp4 net::ERR_SSL_PROTOCOL_ERROR

Notice the :80 in the URL?

What do you expect to happen instead?

I think socket.io isn't working at all. I'm guessing it's used for some feature of PeerTube I don't use / haven't tested, and I would like to clean up this bug.

But about the net::ERR_SSL_PROTOCOL_ERROR: removing the :80 from the URL fixes the issue. It goes to the video! It means that somewhere the :80 is added to some URLs, and I don't know where/why.

Steps to reproduce:

  1. Install PeerTube following the Production Guide (slightly tweaked, cf. Additional information)

  2. Connect to your account, root or not (the bug doesn't appear for guests)

  3. Check the browser console: 400 Bad Request everywhere, and following the link displays Bad Request too

Additional information

lowgos commented 5 years ago

/var/www/peertube/config/production.yaml

listen:
  hostname: 'localhost'
  port: 9000

# Correspond to your reverse proxy server_name/listen configuration
webserver:
  https: true
  hostname: peertube.XX.fr
  port: 443

rates_limit:
  login:
    # 15 attempts in 5 min
    window: 5 minutes
    max: 15
  ask_send_email:
    # 3 attempts in 5 min
    window: 5 minutes
    max: 3

# Proxies to trust to get real client IP
# If you run PeerTube just behind a local proxy (nginx), keep 'loopback'
# If you run PeerTube behind a remote proxy, add the proxy IP address (or subnet)
trust_proxy:
  - 'loopback'

# Your database name will be "peertube"+database.suffix
database:
  hostname: '/var/run/postgresql'
  port: 5432
  suffix: '_prod'
  username: 'peertube'
  password: 'peertube'
  pool:
    max: 5

# Redis server for short time storage
# You can also specify a 'socket' path to a unix socket but first need to
# comment out hostname and port
redis:
  hostname: 'localhost'
  port: 6379
  auth: null
  db: 0

# SMTP server to send emails
smtp:
  hostname: null
  port: 465 # If you use StartTLS: 587
  username: null
  password: null
  tls: true # If you use StartTLS: false
  disable_starttls: false
  ca_file: null # Used for self signed certificates
  from_address: 'admin@example.com'

# From the project root directory
storage:
  tmp: '/var/www/peertube/storage/tmp/' # Used to download data (imports etc), store uploaded files before processing...
  avatars: '/var/www/peertube/storage/avatars/'
  videos: '/var/www/peertube/storage/videos/'
  streaming_playlists: '/var/www/peertube/storage/streaming-playlists/'
  redundancy: '/var/www/peertube/storage/videos/'
  logs: '/var/www/peertube/storage/logs/'
  previews: '/var/www/peertube/storage/previews/'
  thumbnails: '/var/www/peertube/storage/thumbnails/'
  torrents: '/var/www/peertube/storage/torrents/'
  captions: '/var/www/peertube/storage/captions/'
  cache: '/var/www/peertube/storage/cache/'

log:
  level: 'info' # debug/info/warning/error

search:
  # Add ability to fetch remote videos/actors by their URI, that may not be federated with your instance
  # If enabled, the associated group will be able to "escape" from the instance follows
  # That means they will be able to follow channels, watch videos, list videos of non followed instances
  remote_uri:
    users: true
    anonymous: false

trending:
  videos:
    interval_days: 7 # Compute trending videos for the last x days

# Cache remote videos on your server, to help other instances to broadcast the video
# You can define multiple caches using different sizes/strategies
# Once you have defined your strategies, choose which instances you want to cache in admin -> manage follows -> following
redundancy:
  videos:
    check_interval: '1 hour' # How often you want to check new videos to cache
    strategies: # Just uncomment strategies you want
#      -
#        size: '10GB'
#        # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
#        min_lifetime: '48 hours'
#        strategy: 'most-views' # Cache videos that have the most views
#      -
#        size: '10GB'
#        # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
#        min_lifetime: '48 hours'
#        strategy: 'trending' # Cache trending videos
#      -
#        size: '10GB'
#        # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
#        min_lifetime: '48 hours'
#        strategy: 'recently-added' # Cache recently added videos
#        min_views: 10 # Having at least x views

csp:
  enabled: false
  report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
  report_uri:

tracker:
  # If you disable the tracker, you disable the P2P aspect of PeerTube
  enabled: false
  # Only handle requests on your videos.
  # If you set this to false it means you have a public tracker.
  # Then, it is possible that clients overload your instance with external torrents
  private: true
  # Reject peers that do a lot of announces (could improve privacy of TCP/UDP peers)
  reject_too_many_announces: false

history:
  videos:
    # If you want to limit users videos history
    # -1 means there is no limitations
    # Other values could be '6 months' or '30 days' etc (PeerTube will periodically delete old entries from database)
    max_age: -1

views:
  videos:
    # PeerTube creates a database entry every hour for each video to track views over a period of time
    # This is used in particular by the Trending page
    # PeerTube could remove old remote video views if you want to reduce your database size (video view counter will not be altered)
    # -1 means no cleanup
    # Other values could be '6 months' or '30 days' etc (PeerTube will periodically delete old entries from database)
    remote:
      max_age: -1

###############################################################################
#
# From this point, all the following keys can be overridden by the web interface
# (local-production.json file). If you need to change some values, prefer to
# use the web interface because the configuration will be automatically
# reloaded without any need to restart PeerTube.
#
# /!\ If you already have a local-production.json file, the modification of the
# following keys will have no effect /!\.
#
###############################################################################

cache:
  previews:
    size: 500 # Max number of previews you want to cache
  captions:
    size: 500 # Max number of video captions/subtitles you want to cache

admin:
  # Used to generate the root user at first startup
  # And to receive emails from the contact form
  email: 'admin@example.com'

contact_form:
  enabled: false

signup:
  enabled: true
  limit: 10 # When the limit is reached, registrations are disabled. -1 == unlimited
  requires_email_verification: false
  filters:
    cidr: # You can specify CIDR ranges to whitelist (empty = no filtering) or blacklist
      whitelist: []
      blacklist: []

user:
  # Default value of maximum video BYTES the user can upload (does not take into account transcoded files).
  # -1 == unlimited
  video_quota: -1
  video_quota_daily: -1

# If enabled, the video will be transcoded to mp4 (x264) with "faststart" flag
# In addition, if some resolutions are enabled the mp4 video file will be transcoded to these new resolutions.
# Please, do not disable transcoding since many uploaded videos will not work
transcoding:
  enabled: true
  # Allow your users to upload .mkv, .mov, .avi, .flv videos
  allow_additional_extensions: true
  threads: 1
  resolutions: # Only created if the original video has a higher resolution, uses more storage!
    240p: true
    360p: true
    480p: true
    720p: true
    1080p: true
  # /!\ EXPERIMENTAL /!\
  # /!\ Requires ffmpeg >= 4
  # Generate HLS playlists and fragmented MP4 files. Better playback than with WebTorrent:
  #     * Resolution change is smoother
  #     * Faster playback in particular with long videos
  #     * More stable playback (less bugs/infinite loading)
  # /!\ Multiplies videos storage by 2 /!\
  hls:
    enabled: false

import:
  # Add ability for your users to import remote videos (from YouTube, torrent...)
  videos:
    http: # Classic HTTP or all sites supported by youtube-dl https://rg3.github.io/youtube-dl/supportedsites.html
      enabled: true
    torrent: # Magnet URI or torrent file (use classic TCP/UDP/WebSeed to download the file)
      enabled: false

auto_blacklist:
  # New videos automatically blacklisted so moderators can review before publishing
  videos:
    of_users:
      enabled: false

# Instance settings
instance:
  name: 'peertube.XX.fr'
  short_description: 'PeerTube, a federated (ActivityPub) video streaming platform using P2P (BitTorrent) directly in the web browser with WebTorrent and Angular.'
  description: '' # Support markdown
  terms: '' # Support markdown
  default_client_route: '/videos/trending'
  # Whether or not the instance is dedicated to NSFW content
  # Enabling it will allow other administrators to know that you are mainly federating sensitive content
  # Moreover, the NSFW checkbox on video upload will be automatically checked by default
  is_nsfw: false
  # By default, "do_not_list" or "blur" or "display" NSFW videos
  # Could be overridden per user with a setting
  default_nsfw_policy: 'do_not_list'
  customizations:
    javascript: '' # Directly your JavaScript code (without <script> tags). Will be eval at runtime
    css: '' # Directly your CSS code (without <style> tags). Will be injected at runtime
  # Robot.txt rules. To disallow robots to crawl your instance and disallow indexation of your site, add '/' to "Disallow:'
  robots: |
    User-agent: *
    Disallow:
  # Security.txt rules. To discourage researchers from testing your instance and disable security.txt integration, set this to an empty string.
  securitytxt:
    "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"

services:
  # You can provide a reporting endpoint for Content Security Policy violations
  csp-logger:
  # Cards configuration to format video in Twitter
  twitter:
    username: '@Chocobozzz' # Indicates the Twitter account for the website or platform on which the content was published
    # If true, a video player will be embedded in the Twitter feed on PeerTube video share
    # If false, we use an image link card that will redirect on your PeerTube instance
    # Test on https://cards-dev.twitter.com/validator to see if you are whitelisted
    whitelisted: false

followers:
  instance:
    # Allow or not other instances to follow yours
    enabled: false
    # Whether or not an administrator must manually validate a new follower
    manual_approval: true

/etc/nginx/sites-available/default

Slightly tweaked from the Production Guide, because we've got load balancers in front of the virtual machines, handling the SSL certificates, etc.

```nginx
server {
  listen 80;
  listen [::]:80;
  server_name peertube.XX.fr;

  access_log /var/log/nginx/peertube.example.com.access.log;
  error_log /var/log/nginx/peertube.example.com.error.log;

  # Enable compression for JS/CSS/HTML bundle, for improved client load times.
  # It might be nice to compress JSON, but leaving that out to protect against potential
  # compression+encryption information leak attacks like BREACH.
  gzip on;
  gzip_types text/css application/javascript;
  gzip_vary on;

  # Bypass PeerTube for performance reasons. Could be removed
  location ~ ^/client/(.*.(js|css|woff2|otf|ttf|woff|eot))$ {
    add_header Cache-Control "public, max-age=31536000, immutable";

    alias /var/www/peertube/peertube-latest/client/dist/$1;
  }

  # Bypass PeerTube for performance reasons. Could be removed
  location ~ ^/static/(thumbnails|avatars)/ {
    if ($request_method = 'OPTIONS') {
      add_header 'Access-Control-Allow-Origin' '*';
      add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
      add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
      add_header 'Access-Control-Max-Age' 1728000;
      add_header 'Content-Type' 'text/plain charset=UTF-8';
      add_header 'Content-Length' 0;
      return 204;
    }

    add_header 'Access-Control-Allow-Origin' '*';
    add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
    add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

    # Cache 2 hours
    add_header Cache-Control "public, max-age=7200";

    root /var/www/peertube/storage;

    rewrite ^/static/(thumbnails|avatars)/(.*)$ /$1/$2 break;
    try_files $uri /;
  }

  location / {
    proxy_pass http://localhost:9000;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # This is the maximum upload size, which roughly matches the maximum size of a video file
    # you can send via the API or the web interface. By default this is 8GB, but administrators
    # can increase or decrease the limit. Currently there's no way to communicate this limit
    # to users automatically, so you may want to leave a note in your instance 'about' page if
    # you change this.
    #
    # Note that temporary space is needed equal to the total size of all concurrent uploads.
    # This data gets stored in /var/lib/nginx by default, so you may want to put this directory
    # on a dedicated filesystem.
    #
    client_max_body_size 8G;

    proxy_connect_timeout       600;
    proxy_send_timeout          600;
    proxy_read_timeout          600;
    send_timeout                600;
  }

  # Bypass PeerTube for performance reasons. Could be removed
  location ~ ^/static/(webseed|redundancy)/ {
    # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
    limit_rate 800k;

    if ($request_method = 'OPTIONS') {
      add_header 'Access-Control-Allow-Origin' '*';
      add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
      add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
      add_header 'Access-Control-Max-Age' 1728000;
      add_header 'Content-Type' 'text/plain charset=UTF-8';
      add_header 'Content-Length' 0;
      return 204;
    }

    if ($request_method = 'GET') {
      add_header 'Access-Control-Allow-Origin' '*';
      add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
      add_header 'Access-Control-Allow-Headers' 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

      # Don't spam access log file with byte range requests
      access_log off;
    }

    root /var/www/peertube/storage;

    rewrite ^/static/webseed/(.*)$ /videos/$1 break;
    rewrite ^/static/redundancy/(.*)$ /redundancy/$1 break;

    try_files $uri /;
  }

  # Websocket tracker
  location /tracker/socket {
    # Peers send a message to the tracker every 15 minutes
    # Don't close the websocket before this time
    proxy_read_timeout 1200s;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_pass http://localhost:9000;
  }

  location /socket.io {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;

    proxy_pass http://localhost:9000;

    # enable WebSockets
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }
}
```


Load balancers nginx configuration

```nginx
server {
    listen 80;
    ssl on;
    server_name    peertube.XX.fr;
    rewrite ^ https://peertube.XX.fr$request_uri? permanent;
}

server {
    listen 443 ssl;
    ssl on;
    server_name peertube.XX.fr;
    client_max_body_size 0;
    keepalive_timeout 70;

    try_files $uri @app;
    location / {
        if ( $staff = 0 ) {
            return 403;
        }
        add_header              Access-Control-Allow-Origin "*";
        proxy_set_header        Upgrade websocket;
        proxy_set_header        Accept-Encoding                     "";
        proxy_set_header        X-Read-IP                           $http_x_real_ip;
        proxy_set_header        Host                                $host;
        proxy_set_header        X-Forwarded-For                     $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto                   $scheme;
        proxy_http_version      1.1;
        proxy_set_header        Upgrade                             $http_upgrade;
        proxy_set_header        Connection                          $connection_upgrade;
        proxy_connect_timeout   600;
        proxy_read_timeout      600;
        proxy_redirect          off;
        proxy_pass              http://<my-ip-address>;
    }
}
```

Keep in mind that the SSL certificate instructions are above, in the global nginx configuration, because it's global to the company and not specific to my subdomain.

lowgos commented 5 years ago

Thanks in advance for your time 💌

Chocobozzz commented 5 years ago

Hi,

I think you have two different issues. Regarding the second one (HEAD https://<my-url>:80/static/webseed/<video-id>.mp4 net::ERR_SSL_PROTOCOL_ERROR), it seems you imported the file when peertube was started with an invalid configuration port. Try to run update-host to regenerate the torrents with your current configuration (so the script will update the URLs and remove the :80 port).

For the first one, do you still have these errors if you bypass the load balancer?
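One way to confirm the stale-URL diagnosis above before re-running update-host, as an added example that is not PeerTube's own code: decode the .torrent (bencode) and compare its webseed `url-list` entries against the `webserver` values from production.yaml. The torrent bytes and the hostname peertube.example.test are constructed for the example.

```python
# Compare a PeerTube .torrent's webseed URLs (the bencoded `url-list` key)
# with the `webserver` section of production.yaml, to spot torrents generated
# while PeerTube ran with a wrong port (the https://host:80 symptom).
from urllib.parse import urlsplit

def bdecode(data: bytes):
    """Minimal bencode decoder (ints, byte strings, lists, dicts)."""
    def parse(i: int):
        c = data[i:i + 1]
        if c == b'i':                         # integer: i<digits>e
            end = data.index(b'e', i)
            return int(data[i + 1:end]), end + 1
        if c in (b'l', b'd'):                 # list or dict, terminated by 'e'
            i += 1
            items = []
            while data[i:i + 1] != b'e':
                value, i = parse(i)
                items.append(value)
            if c == b'l':
                return items, i + 1
            return dict(zip(items[0::2], items[1::2])), i + 1
        colon = data.index(b':', i)           # byte string: <len>:<bytes>
        length = int(data[i:colon])
        return data[colon + 1:colon + 1 + length], colon + 1 + length
    return parse(0)[0]

def stale_webseeds(torrent: bytes, webserver: dict) -> list:
    """Return url-list entries whose scheme, host or port differ from the
    production.yaml `webserver` values (https, hostname, port)."""
    seeds = bdecode(torrent).get(b'url-list', [])
    if isinstance(seeds, bytes):              # BEP 19 allows a single string
        seeds = [seeds]
    expected = ('https' if webserver['https'] else 'http',
                webserver['hostname'], webserver['port'])
    stale = []
    for raw in seeds:
        url = urlsplit(raw.decode())
        port = url.port or (443 if url.scheme == 'https' else 80)
        if (url.scheme, url.hostname, port) != expected:
            stale.append(raw.decode())
    return stale

def _bstr(s: str) -> bytes:
    """bencode a string; only used to build the constructed sample below."""
    return f"{len(s)}:{s}".encode()

# Constructed sample torrent: one webseed with the stale :80 port, one correct.
WEBSERVER = {'https': True, 'hostname': 'peertube.example.test', 'port': 443}
SAMPLE_TORRENT = (
    b'd' + _bstr('announce') + _bstr('wss://peertube.example.test/tracker/socket')
    + _bstr('url-list') + b'l'
    + _bstr('https://peertube.example.test:80/static/webseed/abc.mp4')
    + _bstr('https://peertube.example.test/static/webseed/abc.mp4')
    + b'e' + b'e'
)

if __name__ == '__main__':
    for url in stale_webseeds(SAMPLE_TORRENT, WEBSERVER):
        print('stale webseed, run update-host:', url)
```

Run it against the .torrent files in the storage torrents directory; any URL it reports is one update-host will rewrite.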

lowgos commented 5 years ago

Okay! It indeed fixed the :80 issue. The dumbest thing is that I had played with update-host when I first installed PeerTube to run some tests. Thank you for this one! Still having the socket.io errors though.

PS: sorry for the double issue 🤦‍♂

Chocobozzz commented 5 years ago

@lowgos And for the first one, do you still have these errors if you bypass the load balancer?

If the answer is yes, please send me your instance URL by email (in my github profile)

lowgos commented 5 years ago

Sorry for not seeing the last sentence of your answer. I was eager to test your solution and seeing it work sent me elsewhere.

I'll get back to you as soon as possible via email, because I need to get in touch with another team at my job to test your idea. I didn't test exactly this before because I needed HTTPS to use your production nginx configuration, and bypassing the load balancer completely would mean having to set up other SSL certificates, etc.

Thanks for the help. Talk to you in a few hours/tomorrow depending on the availability of the team.

lowgos commented 5 years ago

Hey everyone !

Sorry about the wait. I'm a bit stuck about this. I still have 400 Bad Request on socket.io despite every configuration I tried.

I asked the server team if we could bypass the load balancers, but I have bad news. We paused our use of PeerTube. I'm searching for a way to use it in our workflow here. I'm still stuck with PeerTube not having OAuth and an internal mode for videos. Until we decide how to solve this problem with PeerTube (maybe by contributing to the project, that's what I am aiming for) I cannot test things further.

Feel free to pause the issue / close it for some time. I'll get back to you as soon as the decision has been settled.

Thanks for your great work. I'm loving everything I achieved using this project even though it's not in the perfect state for our use.

Chocobozzz commented 5 years ago

Closing, if you have news please ask for reopening :)