Add nginx as cache for images and other small, static files

docker-compose.yaml

@@ -12,20 +12,32 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
       - ./volumes/traefik/acme.json:/etc/acme.json
       - ./traefik.toml:/traefik.toml
+    depends_on:
+      - cache
     restart: "always"
     # If you want to use the Traefik dashboard, you should expose it on a 
     # subdomain with HTTPS and authentification:
     # https://medium.com/@xavier.priour/secure-traefik-dashboard-with-https-and-password-in-docker-5b657e2aa15f
     # https://github.com/containous/traefik/issues/880#issuecomment-310301168
 
+  cache:
+    image: nginx:1.15-alpine
+    volumes:
+      - ./nginx.conf:/etc/nginx/nginx.conf
+    labels:
+      traefik.enable: "true"
+      traefik.frontend.rule: "Host:${PEERTUBE_WEBSERVER_HOSTNAME}"
+      traefik.port: "9000"
+    depends_on:
+      - peertube
+    restart: "always"
+
   peertube:
     image: chocobozzz/peertube:v1.2.1-stretch
     env_file:
       - .env
     labels:
-      traefik.enable: "true"
+      traefik.enable: "false"
-      traefik.frontend.rule: "Host:${PEERTUBE_WEBSERVER_HOSTNAME}"
-      traefik.port: "9000"
     volumes:
       - ./volumes/data:/data
       - /mnt/external:/data-external
@@ -38,23 +50,19 @@ services:
 
   postgres:
     image: postgres:10-alpine
-    environment:
-#      POSTGRES_USER: ${PEERTUBE_DB_USERNAME}
-#      POSTGRES_PASSWORD: ${PEERTUBE_DB_PASSWORD}
-      POSTGRES_DB: peertube
     volumes:
       - ./volumes/db:/var/lib/postgresql/data
-    restart: "always"
     labels:
       traefik.enable: "false"
+    restart: "always"
 
   redis:
     image: redis:5-alpine
     volumes:
       - ./volumes/redis:/data
-    restart: "always"
     labels:
-      - "traefik.enable=false"
+      traefik.enable: "false"
+    restart: "always"
 
   postfix:
     image: mwader/postfix-relay

nginx.conf

@@ -0,0 +1,47 @@
+events {
+    worker_connections 1024;
+}
+
+http {
+    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=peertube_cache:10m max_size=15g inactive=7d use_temp_path=off;
+
+    server {
+        listen 9000;
+
+        # Hide nginx version
+        server_tokens off;
+
+        # Enable compression for JS/CSS/HTML bundle, for improved client load times.
+        # It might be nice to compress JSON, but leaving that out to protect against potential
+        # compression+encryption information leak attacks like BREACH.
+        gzip on;
+        gzip_types text/css application/javascript;
+        gzip_vary on;
+
+        # Enable HSTS
+        # Tells browsers to stick with HTTPS and never visit the insecure HTTP
+        # version. Once a browser sees this header, it will only visit the site over
+        # HTTPS for the next 2 years: (read more on hstspreload.org)
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+
+        location / {
+            proxy_pass http://peertube:9000;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header Host $host;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            client_max_body_size  600M;
+            proxy_connect_timeout 600;
+            proxy_send_timeout    600;
+            proxy_read_timeout    600;
+            send_timeout          600;
+        }
+        location ~ ^/(static/(thumbnails|previews|avatars)|client)/ {
+            proxy_cache             peertube_cache;
+            proxy_cache_use_stale   error timeout http_500 http_502 http_503 http_504;
+            proxy_cache_revalidate  on;
+            proxy_cache_min_uses    3;
+            proxy_cache_lock        on;
+            add_header              X-Cached $upstream_cache_status;
+        }
+    }
+}