From e82dda302fb38392aac915f10b8b0a6bc8369fe6 Mon Sep 17 00:00:00 2001
From: Eliot Berriot <contact@eliotberriot.com>
Date: Thu, 3 Oct 2019 10:58:20 +0200
Subject: [PATCH] Fix #932: Updated docs to ensure streaming works when using
 Minio/S3 and DSub

---
 changes/changelog.d/932.bugfix   |  1 +
 changes/notes.rst                | 12 ++++++++++++
 deploy/docker.nginx.template     |  2 ++
 deploy/nginx.template            |  2 ++
 docker/nginx/conf.dev            |  4 +++-
 docs/admin/external-storages.rst | 13 ++++++++-----
 6 files changed, 28 insertions(+), 6 deletions(-)
 create mode 100644 changes/changelog.d/932.bugfix

diff --git a/changes/changelog.d/932.bugfix b/changes/changelog.d/932.bugfix
new file mode 100644
index 000000000..76b7c40f4
--- /dev/null
+++ b/changes/changelog.d/932.bugfix
@@ -0,0 +1 @@
+Updated docs to ensure streaming works when using Minio/S3 and DSub (#932)
diff --git a/changes/notes.rst b/changes/notes.rst
index 4a9d1eddb..847764941 100644
--- a/changes/notes.rst
+++ b/changes/notes.rst
@@ -216,3 +216,15 @@ is applied to the corresponding user account. By default, anonymous requests get
 
 You can disable the rate-limiting feature by adding `THROTTLING_ENABLED=false` to your ``.env`` file and restarting the
 services. If you are using the Funkwhale API in your project or app and want to know more about the limits, please consult https://docs.funkwhale.audio/swagger/.
+
+Broken audio streaming when using S3/Minio and DSub [manual action required]
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Some Subsonic clients, such as DSub, are sending an Authorization headers which was forwarded
+to the S3 storage when streaming, causing some issues. If you are using S3 or a compatible storage
+such as Minio, please add the following in your nginx ``~ /_protected/media/(.+)`` location::
+
+    # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
+    proxy_set_header Authorization "";
+
+And reload your nginx process.
diff --git a/deploy/docker.nginx.template b/deploy/docker.nginx.template
index d3a7fc9a6..ced42201a 100644
--- a/deploy/docker.nginx.template
+++ b/deploy/docker.nginx.template
@@ -91,6 +91,8 @@ server {
     # media files in a S3 bucket
     # location ~ /_protected/media/(.+) {
     #     internal;
+    #     # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
+    #     proxy_set_header Authorization "";
     #     proxy_pass $1;
     # }
 
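Review bot: Clearing only `Authorization` in the `/_protected/media/(.+)` location still leaves the client's `Cookie` header on the request that `proxy_pass $1` sends to the S3/Minio endpoint, because nginx forwards the original request headers by default. If browser clients reach this location with a session cookie, that cookie would be disclosed to the storage provider; adding `proxy_set_header Cookie "";` next to the new line would close that gap. The same applies to the matching hunks in deploy/nginx.template and docker/nginx/conf.dev, and to the snippets in docs/admin/external-storages.rst and changes/notes.rst. It is also worth confirming that this location did not rely on `proxy_set_header` lines at the `server` level (not visible in the hunk), since declaring one inside the location stops inheritance from the outer level.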
diff --git a/deploy/nginx.template b/deploy/nginx.template
index 1dc6de6da..32c9254e2 100644
--- a/deploy/nginx.template
+++ b/deploy/nginx.template
@@ -136,6 +136,8 @@ server {
     # media files in a S3 bucket
     # location ~ /_protected/media/(.+) {
     #     internal;
+    #     # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
+    #     proxy_set_header Authorization "";
     #     proxy_pass $1;
     # }
 
diff --git a/docker/nginx/conf.dev b/docker/nginx/conf.dev
index 95560b6d8..1807dc088 100644
--- a/docker/nginx/conf.dev
+++ b/docker/nginx/conf.dev
@@ -124,8 +124,10 @@ http {
         # location ~ /_protected/media/(.+) {
         #     internal;
         #     resolver 127.0.0.11;
+        #     # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
+        #     proxy_set_header Authorization "";
+        #     proxy_set_header X-Remote-URL "$1";
         #     proxy_pass $1;
-        #     add_header X-Remote-URL "$1";
         # }
 
         location /_protected/music {
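Review bot: Replacing `add_header X-Remote-URL "$1";` with `proxy_set_header X-Remote-URL "$1";` reverses the header's direction, and neither the added comment nor the commit subject explains why. It was a response header visible to the client and is now a request header sent to the storage backend. If the aim was to stop echoing the (presumably signed) storage URL back to the client, dropping the line would do that without sending an extra header upstream. If it is meant as a debugging aid, a comment such as `# debug only: pass the resolved storage URL upstream` would record the intent. The `http` block and the following `location /_protected/music` continue outside the hunk.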
diff --git a/docs/admin/external-storages.rst b/docs/admin/external-storages.rst
index 45fed68ab..a986351e7 100644
--- a/docs/admin/external-storages.rst
+++ b/docs/admin/external-storages.rst
@@ -42,6 +42,8 @@ Replace the ``location /_protected/media`` block with the following::
 
     location ~ /_protected/media/(.+) {
         internal;
+        # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
+        proxy_set_header Authorization "";
         proxy_pass $1;
     }
 
@@ -77,9 +79,9 @@ This URL is actually be visible by the client, but contains a signature valid on
 no one can reuse this URL or share it publicly to distribute unauthorized content.
 
 .. note::
-   
+
    If you are using Amazon S3, you will need to set your ``AWS_S3_REGION_NAME`` in the ``.env`` file to
-   use this feature. 
+   use this feature.
 
 .. note::
 
@@ -142,9 +144,10 @@ in your ``funkwhale.template`` under the ``location ~/_protected/media/(.+)`` se
 .. code-block:: shell
 
     location ~ /_protected/media/(.+) {
-     resolver 1.1.1.1;
-     internal;
-     proxy_pass $1;
+        resolver 1.1.1.1;
+        internal;
+        proxy_set_header Authorization "";
+        proxy_pass $1;
     }
 
 No Images or Media Loading
-- 
GitLab