# Ensure you update at least the server_name variables to match your own # transcode cache proxy_cache_path /tmp/funkwhale-transcode levels=1:2 keys_zone=transcode:10m max_size=1g inactive=7d; # domain upstream funkwhale-api { # depending on your setup, you may want to udpate this server localhost:5000; } server { listen 80; listen [::]:80; # update this to match your instance name server_name demo.funkwhale.audio; # useful for Let's Encrypt location /.well-known/acme-challenge/ { allow all; } location / { return 301 https://$host$request_uri; } } # required for websocket support map $http_upgrade $connection_upgrade { default upgrade; '' close; } server { listen 443 ssl http2; listen [::]:443 ssl http2; # update this to match your instance name server_name demo.funkwhale.audio; # TLS # Feel free to use your own configuration for SSL here or simply remove the # lines and move the configuration to the previous server block if you # don't want to run funkwhale behind https (this is not recommanded) # have a look here for let's encrypt configuration: # https://certbot.eff.org/all-instructions/#debian-9-stretch-nginx ssl_protocols TLSv1.2; ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_certificate /etc/letsencrypt/live/demo.funkwhale.audio/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/demo.funkwhale.audio/privkey.pem; # HSTS add_header Strict-Transport-Security "max-age=31536000"; root /srv/funkwhale/front/dist; # global proxy conf proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host:$server_port; proxy_set_header X-Forwarded-Port $server_port; proxy_redirect off; # websocket support proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; location / { try_files $uri $uri/ @rewrites; } location @rewrites { rewrite ^(.+)$ /index.html last; } location /api/ { # this is needed if you have file import via upload enabled client_max_body_size 30M; proxy_pass http://funkwhale-api/api/; } location /media/ { alias /srv/funkwhale/data/media/; } location /_protected/media { # this is an internal location that is used to serve # audio files once correct permission / authentication # has been checked on API side internal; alias /srv/funkwhale/data/media; } # Transcoding logic and caching location = /transcode-auth { # needed so we can authenticate transcode requests, but still # cache the result internal; set $query ''; # ensure we actually pass the jwt to the underlytin auth url if ($request_uri ~* "[^\?]+\?(.*)$") { set $query $1; } proxy_set_header X-Forwarded-Host $host:$server_port; proxy_set_header X-Forwarded-Port $server_port; proxy_pass http://funkwhale-api/api/v1/trackfiles/viewable/?$query; proxy_pass_request_body off; proxy_set_header Content-Length ""; } location /api/v1/trackfiles/transcode/ { # this block deals with authenticating and caching transcoding # requests. Caching is heavily recommended as transcoding # is a CPU intensive process. auth_request /transcode-auth; if ($args ~ (.*)jwt=[^&]*(.*)) { set $cleaned_args $1$2; } proxy_cache_key "$scheme$request_method$host$uri$is_args$cleaned_args"; proxy_cache transcode; proxy_cache_valid 200 7d; proxy_ignore_headers "Set-Cookie"; proxy_hide_header "Set-Cookie"; add_header X-Cache-Status $upstream_cache_status; proxy_pass http://funkwhale-api; } # end of transcoding logic location /staticfiles/ { # django static files alias /srv/funkwhale/data/static/; } }