Skip to content
Snippets Groups Projects
Select Git revision
  • 1425-remove-raven-sentry
  • develop default protected
  • set-sast-config-1
  • master
  • tracemallocmiddleware
  • 1299-encoding-problem-in-rss-feeds
  • 1346-selectoreventloop-required-instead-got-uvloop-loop
  • 1278-embed-isn-t-available-in-the-front-end-for-channel-tracks
  • 1311-feedparser-requires-update-to-accomodate-python-3-9
  • 1.0.1
  • 1121-download
  • plugins-v3
  • plugins-v2
  • plugins
  • 1.1.1
  • 1.1
  • 1.1-rc2
  • 1.1-rc1
  • 1.0.1
  • 1.0
  • 1.0-rc1
  • 0.21.2
  • 0.21.1
  • 0.21
  • 0.21-rc2
  • 0.21-rc1
  • 0.20.1
  • 0.20.0
  • 0.20.0-rc1
  • 0.19.1
  • 0.19.0
  • 0.19.0-rc2
  • 0.19.0-rc1
  • 0.18.3
34 results
Blame History Permalink
Forked from funkwhale / funkwhale
5537 commits behind the upstream repository.
external-storages.rst 3.13 KiB

Using external storages to store Funkwhale content

By default, Funkwhale will store user-uploaded and related media such as audio files, transcoded files, avatars and album covers on a server directory.

However, for bigger instances or more complex deployment scenarios, you may want to use distributed or external storages.

S3 and S3-compatible servers

Note

This feature was released in Funkwhale 0.19 and is still considered experimental. Please let us know if you see anything unusual while using it.

Funkwhale supports storing media files Amazon S3 and compatible implementations such as Minio or Wasabi.

In this scenario, the content itself is stored in the S3 bucket. Non-sensitive media such as album covers or user avatars are served directly from the bucket. However, audio files are still served by the reverse proxy, to enforce proper authentication.

To enable S3 on Funkwhale, add the following environment variables:

AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_STORAGE_BUCKET_NAME=
# An optional bucket subdirectory were you want to store the files. This is especially useful
# if you plan to use share the bucket with other services
# AWS_LOCATION=

# If you use a S3-compatible storage such as minio, set the following variable
# the full URL to the storage server. Example:
#   AWS_S3_ENDPOINT_URL=https://minio.mydomain.com
# AWS_S3_ENDPOINT_URL=

Then, edit your nginx configuration. On docker setups, the file is located at /srv/funkwhale/nginx/funkwhale.template, and at /etc/nginx/sites-available/funkwhale.template on non-docker setups.

Replace the location /_protected/media block with the following:

location ~ /_protected/media/(.+) {
    internal;
    proxy_pass $1;
}

Then restart Funkwhale and nginx.

From now on, media files will be stored on the S3 bucket you configured. If you already had media files before configuring the S3 bucket, you also have to move those on the bucket by hand (which is outside the scope of this guide).

Note

At the moment, we do not support S3 when using Apache as a reverse proxy.

Securing your S3 bucket

It's important to ensure your the root of your bucket doesn't list its content, which is the default on many S3 servers. Otherwise, anyone could find out the true URLs of your audio files and bypass authentication.

To avoid that, you can set the following policy on your bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
        "Action": [
            "s3:GetObject"
        ],
        "Effect": "Allow",
        "Principal": {
            "AWS": [
            "*"
            ]
        },
        "Resource": [
            "arn:aws:s3:::<yourbucketname>/*"
        ],
        "Sid": "Public"
        }
    ]
}

If you are using awscli, you can store this policy in a /tmp/policy file, and apply it using the following command:

aws s3api put-bucket-policy --bucket <yourbucketname> --policy file:///tmp/policy