Simplified and less error-prone nginx setup (#358) Simplified nginx setup [Docker: Manual action required] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ We've received a lot of user feedback regarding our installation process, and it seems the proxy part is the one which is the most confusing and difficult. Unfortunately, this is also the one where errors and mistakes can completely break the application. To make things easier for everyone, we now offer a simplified deployment process for the reverse proxy part. This will make upgrade of the proxy configuration significantly easier on docker deployments. On non-docker instances, you have nothing to do. If you have a dockerized instance, here is the upgrade path. First, tweak your .env file:: # remove the FUNKWHALE_URL variable # and add the next variables FUNKWHALE_HOSTNAME=yourdomain.funkwhale FUNKWHALE_PROTOCOL=https # add the following variable, matching the path your app is deployed # leaving the default should work fine if you deployed using the same # paths as the documentation FUNKWHALE_FRONTEND_PATH=/srv/funkwhale/front/dist Then, add the following block at the end of your docker-compose.yml file:: # existing services api: ... celeryworker: ... # new service nginx: image: nginx env_file: - .env environment: # Override those variables in your .env file if needed - "NGINX_MAX_BODY_SIZE=${NGINX_MAX_BODY_SIZE-30M}" volumes: - "./nginx/funkwhale.template:/etc/nginx/conf.d/funkwhale.template:ro" - "./nginx/funkwhale_proxy.conf:/etc/nginx/funkwhale_proxy.conf:ro" - "${MUSIC_DIRECTORY_SERVE_PATH-/srv/funkwhale/data/music}:${MUSIC_DIRECTORY_SERVE_PATH-/srv/funkwhale/data/music}:ro" - "${MEDIA_ROOT}:${MEDIA_ROOT}:ro" - "${STATIC_ROOT}:${STATIC_ROOT}:ro" - "${FUNKWHALE_FRONTEND_PATH}:/frontend:ro" ports: # override those variables in your .env file if needed - "${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT}:80" command: > sh -c "envsubst \"`env | awk -F = '{printf \" $$%s\", $$1}'`\" < /etc/nginx/conf.d/funkwhale.template > /etc/nginx/conf.d/default.conf && cat /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'" links: - api By doing that, you'll enable a dockerized nginx that will automatically be configured to serve your Funkwhale instance. Download the required configuration files for the nginx container: .. parsed-literal:: cd /srv/funkwhale mkdir nginx curl -L -o nginx/funkwhale.template "https://code.eliotberriot.com/funkwhale/funkwhale/raw/|version|/deploy/docker.nginx.template" curl -L -o nginx/funkwhale_proxy.conf "https://code.eliotberriot.com/funkwhale/funkwhale/raw/|version|/deploy/funkwhale_proxy.conf" Update the funkwhale.conf configuration of your server's reverse-proxy:: # the file should match something like that, upgrade all variables # between ${} to match the ones in your .env file, # and your SSL configuration if you're not using let's encrypt # The important thing is that you only have a single location block # that proxies everything to your dockerized nginx. sudo nano /etc/nginx/sites-enabled/funkwhale.conf upstream fw { # depending on your setup, you may want to update this server ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT}; } map $http_upgrade $connection_upgrade { default upgrade; '' close; } server { listen 80; listen [::]:80; server_name ${FUNKWHALE_HOSTNAME}; location / { return 301 https://$host$request_uri; } } server { listen 443 ssl; listen [::]:443 ssl; server_name ${FUNKWHALE_HOSTNAME}; # TLS ssl_protocols TLSv1.2; ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_certificate /etc/letsencrypt/live/${FUNKWHALE_HOSTNAME}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/${FUNKWHALE_HOSTNAME}/privkey.pem; # HSTS add_header Strict-Transport-Security "max-age=31536000"; location / { include /etc/nginx/funkwhale_proxy.conf; proxy_pass http://fw/; } } Check that your configuration is valid then reload: sudo nginx -t sudo systemctl reload nginx