funkwhale/docker/nginx/conf.dev

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;

    keepalive_timeout  65;

    upstream funkwhale-api {
        server ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT};
    }
    upstream funkwhale-front {
        server ${FUNKWHALE_FRONT_IP}:${FUNKWHALE_FRONT_PORT};
    }

    # Required for websocket support.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    server {
        listen      80;
        listen [::]:80;
        charset     utf-8;
        client_max_body_size ${NGINX_MAX_BODY_SIZE};
        include /etc/nginx/funkwhale_proxy.conf;

        add_header Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'";
        add_header Referrer-Policy "strict-origin-when-cross-origin";
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header Service-Worker-Allowed "/";

        # compression settings
        gzip on;
        gzip_comp_level    5;
        gzip_min_length    256;
        gzip_proxied       any;
        gzip_vary          on;

        gzip_types
            application/javascript
            application/vnd.geo+json
            application/vnd.ms-fontobject
            application/x-font-ttf
            application/x-web-app-manifest+json
            font/opentype
            image/bmp
            image/svg+xml
            image/x-icon
            text/cache-manifest
            text/css
            text/plain
            text/vcard
            text/vnd.rim.location.xloc
            text/vtt
            text/x-component
            text/x-cross-domain-policy;
        # end of compression settings

        location /api/ {
            include /etc/nginx/funkwhale_proxy.conf;
            # This is needed if you have file import via upload enabled.
            client_max_body_size ${NGINX_MAX_BODY_SIZE};
            proxy_pass   http://funkwhale-api;
        }

        location / {
            proxy_pass   http://funkwhale-front;
            expires 1d;
        }

        location = /embed.html {
            add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
            add_header Referrer-Policy "strict-origin-when-cross-origin";

            proxy_pass   http://funkwhale-front;
            expires 1d;
        }

        location /federation/ {
            include /etc/nginx/funkwhale_proxy.conf;
            proxy_pass   http://funkwhale-api;
        }

        # You can comment this if you do not plan to use the Subsonic API.
        location /rest/ {
            include /etc/nginx/funkwhale_proxy.conf;
            proxy_pass   http://funkwhale-api/api/subsonic/rest/;
        }

        location /.well-known/ {
            include /etc/nginx/funkwhale_proxy.conf;
            proxy_pass   http://funkwhale-api;
        }

        location /media/ {
            alias /protected/media/;
            add_header Access-Control-Allow-Origin '*';
        }

        # This is an internal location that is used to serve
        # media (uploaded) files once correct permission / authentication
        # has been checked on API side.
        # Comment the "NON-S3" commented lines and uncomment "S3" commented lines
        # if you're storing media files in a S3 bucket.
        location ~ /_protected/media/(.+) {
            internal;
            alias   /protected/media/$1;                                        # NON-S3
            # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932.
#           proxy_set_header Authorization "";                                  # S3
#           proxy_pass $1;                                                      # S3
            add_header Access-Control-Allow-Origin '*';
        }

        location /_protected/music/ {
            # This is an internal location that is used to serve
            # local music files once correct permission / authentication
            # has been checked on API side.
            # Set this to the same value as your MUSIC_DIRECTORY_PATH setting.
            internal;
            alias   /music/;
            add_header Access-Control-Allow-Origin '*';
        }

        location /manifest.json {
            return 302 /api/v1/instance/spa-manifest.json;
        }
    }
}