upstream funkwhale-api { server ${FUNKWHALE_API_HOST}:${FUNKWHALE_API_PORT}; } # Required for websocket support. map $http_upgrade $connection_upgrade { default upgrade; '' close; } server { listen 80; listen [::]:80; charset utf-8; server_name _; add_header Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'"; add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header X-Frame-Options "SAMEORIGIN" always; add_header Service-Worker-Allowed "/"; root /usr/share/nginx/html; # compression settings gzip on; gzip_comp_level 5; gzip_min_length 256; gzip_proxied any; gzip_vary on; gzip_types application/javascript application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; # end of compression settings location /api/ { include /etc/nginx/funkwhale_proxy.conf; # This is needed if you have file import via upload enabled. client_max_body_size ${NGINX_MAX_BODY_SIZE}; proxy_pass http://funkwhale-api; } location / { alias /usr/share/nginx/html/; expires 1d; try_files $uri $uri/ /index.html; } location = /embed.html { add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:"; add_header Referrer-Policy "strict-origin-when-cross-origin"; alias /usr/share/nginx/html/embed.html; expires 1d; } location /federation/ { include /etc/nginx/funkwhale_proxy.conf; proxy_pass http://funkwhale-api; } # You can comment this if you do not plan to use the Subsonic API. location /rest/ { include /etc/nginx/funkwhale_proxy.conf; proxy_pass http://funkwhale-api/api/subsonic/rest/; } location /.well-known/ { include /etc/nginx/funkwhale_proxy.conf; proxy_pass http://funkwhale-api; } location /media/ { alias ${MEDIA_ROOT}/; add_header Access-Control-Allow-Origin '*'; } # This is an internal location that is used to serve # media (uploaded) files once correct permission / authentication # has been checked on API side. # Comment the "NON-S3" commented lines and uncomment "S3" commented lines # if you're storing media files in a S3 bucket. location ~ /_protected/media/(.+) { internal; alias ${MEDIA_ROOT}/$1; # NON-S3 # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932. # proxy_set_header Authorization ""; # S3 # proxy_pass $1; # S3 add_header Access-Control-Allow-Origin '*'; } location /_protected/music/ { # This is an internal location that is used to serve # local music files once correct permission / authentication # has been checked on API side. # Set this to the same value as your MUSIC_DIRECTORY_PATH setting. internal; alias ${MUSIC_DIRECTORY_PATH}/; add_header Access-Control-Allow-Origin '*'; } location /manifest.json { return 302 /api/v1/instance/spa-manifest.json; } }