fix(nginx): expose only subdirectories of /media

changes/changelog.d/public-media.bugfix

@@ -0,0 +1 @@
+Fixes an issue which made it possible to download all media files without access control (#2101)

deploy/nginx.template

@@ -120,8 +120,15 @@ server {
         proxy_pass   http://funkwhale-api;
     }
 
-    location /media/ {
-        alias ${MEDIA_ROOT}/;
+    # Allow direct access to only specific subdirectories in /media
+    location /media/__sized__/ {
+        alias ${MEDIA_ROOT}/__sized__/;
+        add_header Access-Control-Allow-Origin '*';
+    }
+
+    # Allow direct access to only specific subdirectories in /media
+    location /media/attachments/ {
+        alias ${MEDIA_ROOT}/attachments/;
         add_header Access-Control-Allow-Origin '*';
     }
 

docker/nginx/conf.dev

@@ -112,8 +112,15 @@ http {
             proxy_pass   http://funkwhale-api;
         }
 
-        location /media/ {
-            alias /protected/media/;
+        # Allow direct access to only specific subdirectories in /media
+        location /media/__sized__/ {
+            alias /protected/media/__sized__/;
+            add_header Access-Control-Allow-Origin '*';
+        }
+
+        # Allow direct access to only specific subdirectories in /media
+        location /media/attachments/ {
+            alias /protected/media/attachments/;
             add_header Access-Control-Allow-Origin '*';
         }
 

front/docker/funkwhale.conf.template

@@ -85,8 +85,15 @@ server {
         proxy_pass   http://funkwhale-api;
     }
 
-    location /media/ {
-        alias ${MEDIA_ROOT}/;
+    # Allow direct access to only specific subdirectories in /media
+    location /media/__sized__/ {
+        alias ${MEDIA_ROOT}/__sized__/;
+        add_header Access-Control-Allow-Origin '*';
+    }
+
+    # Allow direct access to only specific subdirectories in /media
+    location /media/attachments/ {
+        alias ${MEDIA_ROOT}/attachments/;
         add_header Access-Control-Allow-Origin '*';
     }