funkwhale/front/docker/funkwhale.conf.template

upstream funkwhale-api {
    server ${FUNKWHALE_API_HOST}:${FUNKWHALE_API_PORT};
}


# Required for websocket support.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name ${FUNKWHALE_HOSTNAME};

    root /usr/share/nginx/html;

    # If you are using S3 to host your files, remember to add your S3 URL to the
    # media-src and img-src headers (e.g. img-src 'self' https://<your-S3-URL> data:).

    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' ${AWS_S3_ENDPOINT_URL} data:; font-src 'self' data:; object-src 'none'; media-src ${AWS_S3_ENDPOINT_URL} 'self' data:";
    add_header Referrer-Policy "strict-origin-when-cross-origin";
    add_header X-Frame-Options "SAMEORIGIN" always;

    location / {
        include /etc/nginx/funkwhale_proxy.conf;
        # This is needed if you have file import via upload enabled.
        client_max_body_size ${NGINX_MAX_BODY_SIZE};
        proxy_pass   http://funkwhale-api/;
    }

    location /front/ {
        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' ${AWS_S3_ENDPOINT_URL} data:; font-src 'self' data:; object-src 'none'; media-src ${AWS_S3_ENDPOINT_URL} 'self' data:";
        add_header Referrer-Policy "strict-origin-when-cross-origin";
        add_header Service-Worker-Allowed "/";
        alias /usr/share/nginx/html/;
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    location = /front/embed.html {
        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' ${AWS_S3_ENDPOINT_URL} data:; font-src 'self' data:; object-src 'none'; media-src ${AWS_S3_ENDPOINT_URL} 'self' data:";
        add_header Referrer-Policy "strict-origin-when-cross-origin";

        add_header X-Frame-Options "" always;
        alias /usr/share/nginx/html/embed.html;
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    location /federation/ {
        include /etc/nginx/funkwhale_proxy.conf;
        proxy_pass   http://funkwhale-api/federation/;
    }

    # You can comment this if you do not plan to use the Subsonic API.
    location /rest/ {
        include /etc/nginx/funkwhale_proxy.conf;
        proxy_pass   http://funkwhale-api/api/subsonic/rest/;
    }

    location /.well-known/ {
        include /etc/nginx/funkwhale_proxy.conf;
        proxy_pass   http://funkwhale-api/.well-known/;
    }

    location /media/ {
        alias ${MEDIA_ROOT}/;
    }

    # This is an internal location that is used to serve
    # media (uploaded) files once correct permission / authentication
    # has been checked on API side.
    # Comment the "NON-S3" commented lines and uncomment "S3" commented lines
    # if you're storing media files in a S3 bucket.
    location ~ /_protected/media/(.+) {
        internal;
        alias   ${MEDIA_ROOT}/$1;                                           # NON-S3
        # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932.
#       proxy_set_header Authorization "";                                  # S3
#       proxy_pass $1;                                                      # S3
    }

    location /_protected/music/ {
        # This is an internal location that is used to serve
        # local music files once correct permission / authentication
        # has been checked on API side.
        # Set this to the same value as your MUSIC_DIRECTORY_PATH setting.
        internal;
        alias   ${MUSIC_DIRECTORY_PATH}/;
    }

    location /staticfiles/ {
        # Django static files
        alias ${STATIC_ROOT}/;
    }
}
Docker setup is officialy documented! :heart: 2017-06-25 21:02:36 +00:00			`upstream funkwhale-api {`
Allow frontend container to run as non-root user Also clean it up a bit 2022-07-09 13:42:56 +00:00			`server ${FUNKWHALE_API_HOST}:${FUNKWHALE_API_PORT};`
Docker setup is officialy documented! :heart: 2017-06-25 21:02:36 +00:00			`}`

Better with HTTPS. Please generate certificates with Let's encrypt and remplace certs paths in the nginx configuration file. 2017-06-26 12:09:47 +00:00
refactor(front/Docker): cleanup nginx-based container 2022-07-19 23:31:28 +00:00			`# Required for websocket support.`
Sample updates, changelog and documentation for channels and activity 2018-03-03 22:18:33 +00:00			`map $http_upgrade $connection_upgrade {`
			`default upgrade;`
			`'' close;`
			`}`

Better with HTTPS. Please generate certificates with Let's encrypt and remplace certs paths in the nginx configuration file. 2017-06-26 12:09:47 +00:00			`server {`
Fix #358: dockerized nginx to make deployment easier 2018-08-31 17:21:46 +00:00			`listen 80;`
			`server_name ${FUNKWHALE_HOSTNAME};`
Docker setup is officialy documented! :heart: 2017-06-25 21:02:36 +00:00
Rework Docker Deployment and add frontend container 2022-06-28 13:55:54 +00:00			`root /usr/share/nginx/html;`
Docker setup is officialy documented! :heart: 2017-06-25 21:02:36 +00:00
Added documentation and notes about S3 content headers 2019-08-19 08:09:08 +00:00			`# If you are using S3 to host your files, remember to add your S3 URL to the`
refactor(front/Docker): cleanup nginx-based container 2022-07-19 23:31:28 +00:00			`# media-src and img-src headers (e.g. img-src 'self' https://<your-S3-URL> data:).`
Added documentation and notes about S3 content headers 2019-08-19 08:09:08 +00:00
Rework Docker Deployment and add frontend container 2022-06-28 13:55:54 +00:00			`add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' ${AWS_S3_ENDPOINT_URL} data:; font-src 'self' data:; object-src 'none'; media-src ${AWS_S3_ENDPOINT_URL} 'self' data:";`
See #880: updated CSP, added X-Frame-Options on front-end files, ensure embeds work 2019-07-18 09:08:18 +00:00			`add_header Referrer-Policy "strict-origin-when-cross-origin";`
Fix X-Frame-Options HTTP header for embed and force it to SAMEORIGIN value for other pages 2021-10-20 18:59:00 +00:00			`add_header X-Frame-Options "SAMEORIGIN" always;`
See #880: updated CSP, added X-Frame-Options on front-end files, ensure embeds work 2019-07-18 09:08:18 +00:00
Docker setup is officialy documented! :heart: 2017-06-25 21:02:36 +00:00			`location / {`
Moved commen nginx configuration in a dedicated snippet 2018-03-04 15:58:37 +00:00			`include /etc/nginx/funkwhale_proxy.conf;`
refactor(front/Docker): cleanup nginx-based container 2022-07-19 23:31:28 +00:00			`# This is needed if you have file import via upload enabled.`
Fix #358: dockerized nginx to make deployment easier 2018-08-31 17:21:46 +00:00			`client_max_body_size ${NGINX_MAX_BODY_SIZE};`
See #578: added opengraph and oembed data on artist / album / track urls 2018-12-19 13:04:26 +00:00			`proxy_pass http://funkwhale-api/;`
			`}`

			`location /front/ {`
Rework Docker Deployment and add frontend container 2022-06-28 13:55:54 +00:00			`add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' ${AWS_S3_ENDPOINT_URL} data:; font-src 'self' data:; object-src 'none'; media-src ${AWS_S3_ENDPOINT_URL} 'self' data:";`
See #880: updated CSP, added X-Frame-Options on front-end files, ensure embeds work 2019-07-18 09:08:18 +00:00			`add_header Referrer-Policy "strict-origin-when-cross-origin";`
Fixed issue with service worker scope 2020-01-09 14:23:37 +00:00			`add_header Service-Worker-Allowed "/";`
Rework Docker Deployment and add frontend container 2022-06-28 13:55:54 +00:00			`alias /usr/share/nginx/html/;`
Added caching headers on front urls 2018-12-20 14:59:55 +00:00			`expires 30d;`
			`add_header Pragma public;`
			`add_header Cache-Control "public, must-revalidate, proxy-revalidate";`
Docker setup is officialy documented! :heart: 2017-06-25 21:02:36 +00:00			`}`
Updated example nginx deployment conf for transcoding 2018-02-19 19:20:49 +00:00
Fix nitpicks in nginx configs (#1730) NOCHANGELOG 2022-04-26 16:03:09 +00:00			`location = /front/embed.html {`
refactor(front/Docker): cleanup nginx-based container 2022-07-19 23:31:28 +00:00			`add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' ${AWS_S3_ENDPOINT_URL} data:; font-src 'self' data:; object-src 'none'; media-src ${AWS_S3_ENDPOINT_URL} 'self' data:";`
See #880: updated CSP, added X-Frame-Options on front-end files, ensure embeds work 2019-07-18 09:08:18 +00:00			`add_header Referrer-Policy "strict-origin-when-cross-origin";`

Fix X-Frame-Options HTTP header for embed and force it to SAMEORIGIN value for other pages 2021-10-20 18:59:00 +00:00			`add_header X-Frame-Options "" always;`
Rework Docker Deployment and add frontend container 2022-06-28 13:55:54 +00:00			`alias /usr/share/nginx/html/embed.html;`
See #880: updated CSP, added X-Frame-Options on front-end files, ensure embeds work 2019-07-18 09:08:18 +00:00			`expires 30d;`
			`add_header Pragma public;`
			`add_header Cache-Control "public, must-revalidate, proxy-revalidate";`
			`}`

Nginx conf and upgrade notes to prepare federation 2018-03-29 21:38:33 +00:00			`location /federation/ {`
			`include /etc/nginx/funkwhale_proxy.conf;`
			`proxy_pass http://funkwhale-api/federation/;`
			`}`

refactor(front/Docker): cleanup nginx-based container 2022-07-19 23:31:28 +00:00			`# You can comment this if you do not plan to use the Subsonic API.`
Fix #249: Added missing subsonic configuration block in deployment vhost files 2018-05-29 16:12:46 +00:00			`location /rest/ {`
			`include /etc/nginx/funkwhale_proxy.conf;`
			`proxy_pass http://funkwhale-api/api/subsonic/rest/;`
			`}`

See #192: updated sample nginx/apache conf for well-known endpoints 2018-05-07 20:29:22 +00:00			`location /.well-known/ {`
Nginx conf and upgrade notes to prepare federation 2018-03-29 21:38:33 +00:00			`include /etc/nginx/funkwhale_proxy.conf;`
See #192: updated sample nginx/apache conf for well-known endpoints 2018-05-07 20:29:22 +00:00			`proxy_pass http://funkwhale-api/.well-known/;`
Nginx conf and upgrade notes to prepare federation 2018-03-29 21:38:33 +00:00			`}`

Docker setup is officialy documented! :heart: 2017-06-25 21:02:36 +00:00			`location /media/ {`
Fix #358: dockerized nginx to make deployment easier 2018-08-31 17:21:46 +00:00			`alias ${MEDIA_ROOT}/;`
Docker setup is officialy documented! :heart: 2017-06-25 21:02:36 +00:00			`}`
Fixed #15: Ensure we check for authorization for serving audio files, meaning we don't leak the absolute URL anymore 2017-06-28 21:30:26 +00:00
refactor(front/Docker): cleanup nginx-based container 2022-07-19 23:31:28 +00:00			`# This is an internal location that is used to serve`
			`# media (uploaded) files once correct permission / authentication`
			`# has been checked on API side.`
			`# Comment the "NON-S3" commented lines and uncomment "S3" commented lines`
			`# if you're storing media files in a S3 bucket.`
fix(front/Docker): fixup of issue introduced in !1897 2022-07-26 21:25:14 +00:00			`location ~ /_protected/media/(.+) {`
Revert "Remove obsolete /_protected/media config" This reverts commit f13a1d2445294b271601fdc45bd4ead165a90081 2018-06-19 08:13:34 +00:00			`internal;`
fix(front/Docker): fixup of issue introduced in !1897 2022-07-26 21:25:14 +00:00			`alias ${MEDIA_ROOT}/$1; # NON-S3`
refactor(front/Docker): cleanup nginx-based container 2022-07-19 23:31:28 +00:00			`# Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932.`
			`# proxy_set_header Authorization ""; # S3`
			`# proxy_pass $1; # S3`
Revert "Remove obsolete /_protected/media config" This reverts commit f13a1d2445294b271601fdc45bd4ead165a90081 2018-06-19 08:13:34 +00:00			`}`

Fix nitpicks in nginx configs (#1730) NOCHANGELOG 2022-04-26 16:03:09 +00:00			`location /_protected/music/ {`
refactor(front/Docker): cleanup nginx-based container 2022-07-19 23:31:28 +00:00			`# This is an internal location that is used to serve`
			`# local music files once correct permission / authentication`
			`# has been checked on API side.`
			`# Set this to the same value as your MUSIC_DIRECTORY_PATH setting.`
Documentation update for the new in-place import 2018-04-21 17:30:55 +00:00			`internal;`
fix(front/nginx): fix 404 response on listen URLs 2022-07-09 15:11:20 +00:00			`alias ${MUSIC_DIRECTORY_PATH}/;`
Documentation update for the new in-place import 2018-04-21 17:30:55 +00:00			`}`

Docker setup is officialy documented! :heart: 2017-06-25 21:02:36 +00:00			`location /staticfiles/ {`
refactor(front/Docker): cleanup nginx-based container 2022-07-19 23:31:28 +00:00			`# Django static files`
Fix #358: dockerized nginx to make deployment easier 2018-08-31 17:21:46 +00:00			`alias ${STATIC_ROOT}/;`
Docker setup is officialy documented! :heart: 2017-06-25 21:02:36 +00:00			`}`
			`}`