Skip to content
GitLab
Explore
Sign in
Register
Primary navigation
Search or go to…
Project
A
ansible
Manage
Activity
Members
Labels
Plan
Issues
13
Issue boards
Milestones
Wiki
Code
Merge requests
1
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Releases
Container Registry
Model registry
Operate
Environments
Monitor
Incidents
Service Desk
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
funkwhale
ansible
Commits
304aa98f
Unverified
Commit
304aa98f
authored
1 year ago
by
mal
Browse files
Options
Downloads
Patches
Plain Diff
rebase nginx configs for 1.3.0
parent
d45a7bde
No related branches found
Branches containing commit
No related tags found
1 merge request
!38
Rebase nginx configs for Funkwhale v1.3.0
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
defaults/main.yml
+1
-1
1 addition, 1 deletion
defaults/main.yml
templates/funkwhale_proxy.conf.j2
+5
-4
5 additions, 4 deletions
templates/funkwhale_proxy.conf.j2
templates/nginx.conf.j2
+104
-48
104 additions, 48 deletions
templates/nginx.conf.j2
with
110 additions
and
53 deletions
defaults/main.yml
+
1
−
1
View file @
304aa98f
...
@@ -40,7 +40,7 @@ funkwhale_letsencrypt_certbot_flags:
...
@@ -40,7 +40,7 @@ funkwhale_letsencrypt_certbot_flags:
funkwhale_letsencrypt_enabled
:
true
funkwhale_letsencrypt_enabled
:
true
funkwhale_letsencrypt_skip_cert
:
false
funkwhale_letsencrypt_skip_cert
:
false
funkwhale_nginx_csp_policy
:
"
default-src
'self';
script-src
'self';
style-src
'self'
'unsafe-inline';
img-src
'self'
data:;
font-src
'self'
data:;
object-src
'none';
media-src
'self'
data:
"
funkwhale_nginx_csp_policy
:
"
default-src
'self';
connect-src
https:
wss:
http:
ws:
'self'
'unsafe-eval';
script-src
'self'
'wasm-unsafe-eval';
style-src
https:
http:
'self'
'unsafe-inline';
img-src
https:
http:
'self'
data:;
font-src
https:
http:
'self'
data:;
media-src
https:
http:
'self'
data:;
object-src
'none'
"
funkwhale_redis_managed
:
true
funkwhale_redis_managed
:
true
funkwhale_api_ip
:
127.0.0.1
funkwhale_api_ip
:
127.0.0.1
funkwhale_api_port
:
5000
funkwhale_api_port
:
5000
...
...
This diff is collapsed.
Click to expand it.
templates/funkwhale_proxy.conf.j2
+
5
−
4
View file @
304aa98f
# global proxy conf
# global proxy conf
proxy_set_header Host $host;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $
scheme
;
proxy_set_header X-Forwarded-Proto $
http_x_forwarded_proto
;
{% if not funkwhale_nginx_tls_termination -%}
{% if not funkwhale_nginx_tls_termination -%}
proxy_set_header X-Forwarded-Host $h
ost:$server_por
t;
proxy_set_header X-Forwarded-Host $h
ttp_x_forwarded_hos
t;
proxy_set_header X-Forwarded-Port $
server
_port;
proxy_set_header X-Forwarded-Port $
http_x_forwarded
_port;
proxy_redirect off;
proxy_redirect off;
{% endif -%}
{% endif -%}
# websocket support
# websocket support
proxy_http_version 1.1;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection
"
upgrade
"
;
proxy_set_header Connection
$funkwhale_connection_
upgrade;
This diff is collapsed.
Click to expand it.
templates/nginx.conf.j2
+
104
−
48
View file @
304aa98f
# {{ ansible_managed }}
# {{ ansible_managed }}
# This template was based on Funkwhale's nginx.template at ae2402618846d414cb1b4e7237c4ce43d8c8837c
upstream funkwhale-api {
server {{ funkwhale_api_ip }}:{{ funkwhale_api_port }};
}
{% if funkwhale_nginx_tls_termination -%}
{% if funkwhale_nginx_tls_termination -%}
server {
server {
listen 80;
listen 80;
listen [::]:80;
listen [::]:80;
server_name {{ funkwhale_hostname }};
server_name {{ funkwhale_hostname }};
location / { return 301 https://$host$request_uri; }
location /.well-known/ {
allow all;
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://{{ funkwhale_api_ip }}:{{ funkwhale_api_port }}/.well-known/;
}
location / {
return 301 https://$host$request_uri;
}
}
}
{% endif -%}
{% endif -%}
# Required for websocket support.
map $http_upgrade $funkwhale_connection_upgrade {
default upgrade;
'' close;
}
server {
server {
listen {% if funkwhale_nginx_tls_termination %}443 ssl http2{% else %}80{% endif %};
listen {% if funkwhale_nginx_tls_termination %}443 ssl http2{% else %}80{% endif %};
listen [::]:{% if funkwhale_nginx_tls_termination %}443 ssl http2{% else -%}80{% endif %};
listen [::]:{% if funkwhale_nginx_tls_termination %}443 ssl http2{% else -%}80{% endif %};
charset utf-8;
server_name {{ funkwhale_hostname }};
server_name {{ funkwhale_hostname }};
{% if funkwhale_nginx_tls_termination -%}
{% if funkwhale_nginx_tls_termination -%}
{% if funkwhale_ssl_key_path -%}
{% if funkwhale_ssl_key_path -%}
...
@@ -19,25 +41,37 @@ server {
...
@@ -19,25 +41,37 @@ server {
{% else -%}
{% else -%}
ssl_certificate /etc/letsencrypt/live/{{ funkwhale_hostname }}/fullchain.pem;
ssl_certificate /etc/letsencrypt/live/{{ funkwhale_hostname }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ funkwhale_hostname }}/privkey.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ funkwhale_hostname }}/privkey.pem;
{% endif -%}
{% endif -%} {# funkwhale_ssl_key_path #}
{% if funkwhale_nginx_tls_configure_ciphers -%}
{% if funkwhale_nginx_tls_configure_ciphers -%}
#
from https://cipherli.st/
#
Many of these are overridden by matching settings outside of any server{} block!
ssl_prefer_server_ciphers on;
# https://github.com/mozilla/ssl-config-generator/issues/76
ssl_
ciphers EECDH+AESGCM:EDH+AESGCM
;
ssl_
ecdh_curve X25519:prime256v1:secp384r1
;
ssl_ecdh_curve secp384r1;
# https://ssl-config.mozilla.org/#server=nginx&config=modern
ssl_session_timeout
10m
;
ssl_session_timeout
1d
;
ssl_session_cache shared:SSL:10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_stapling_verify on;
{% endif -%}
{% if ansible_os_family in ["Debian", "Archlinux"] -%}
add_header Strict-Transport-Security "max-age=63072000; preload";
ssl_trusted_certificates /etc/ssl/certs/ca-certificates.crt;
{% endif -%}
{% elif ansible_os_family in ["RedHat"] -%}
ssl_trusted_certificates /etc/ssl/certs/ca-bundle.crt;
{% else -%} {# Missing: Suse, Gentoo, Mandrake #}
# Please set ssl_trusted_certificates using funkwhale_nginx_additional_config and open an issue
{% endif -%} {# ansible_os_family #}
{% endif -%} {# funkwhale_nginx_tls_configure_ciphers #}
add_header Strict-Transport-Security "max-age=31536000" always;
{% endif -%} {# funkwhale_nginx_tls_termination #}
{% if funkwhale_nginx_csp_policy -%}
{% if funkwhale_nginx_csp_policy -%}
# Security-related headers
add_header Content-Security-Policy "{{ funkwhale_nginx_csp_policy }}";
add_header Content-Security-Policy "{{ funkwhale_nginx_csp_policy }}";
{% endif -%}
{% endif -%}
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Service-Worker-Allowed "/";
root {{ funkwhale_frontend_path }};
root {{ funkwhale_frontend_path }};
...
@@ -72,79 +106,101 @@ server {
...
@@ -72,79 +106,101 @@ server {
{% endif -%}
{% endif -%}
# end of compression settings
# end of compression settings
location / {
location /
api/
{
include /etc/nginx/funkwhale_proxy.conf;
include /etc/nginx/funkwhale_proxy.conf;
#
t
his is needed if you have file import via upload enabled
#
T
his is needed if you have file import via upload enabled
.
client_max_body_size {{ funkwhale_nginx_max_body_size }};
client_max_body_size {{ funkwhale_nginx_max_body_size }};
proxy_pass http://{{ funkwhale_api_ip }}:{{ funkwhale_api_port }}/;
proxy_pass http://funkwhale-api;
}
{% if funkwhale_disable_django_admin -%}
location /api/admin/ {
# disable access to API admin dashboard
return 403;
}
}
{% endif -%}
location /
front/
{
location / {
alias {{ funkwhale_frontend_path }}/;
alias {{ funkwhale_frontend_path }}/;
expires
30
d;
expires
1
d;
add_header Pragma public;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
add_header Service-Worker-Allowed "/";
add_header Service-Worker-Allowed "/";
try_files $uri $uri/ /index.html;
}
location ~ "/(front/)?embed.html" {
add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
alias {{ funkwhale_frontend_path }}/embed.html;
expires 1d;
}
}
location /federation/ {
location /federation/ {
include /etc/nginx/funkwhale_proxy.conf;
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://
{{
funkwhale
_api_ip }}:{{ funkwhale_api_port }}/federation/
;
proxy_pass http://funkwhale
-api
;
}
}
# You can comment this if you do not plan to use the Subsonic API
# You can comment this if you do not plan to use the Subsonic API
.
location /rest/ {
location /rest/ {
include /etc/nginx/funkwhale_proxy.conf;
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://
{{
funkwhale
_api_ip }}:{{ funkwhale_api_port }}
/api/subsonic/rest/;
proxy_pass http://funkwhale
-api
/api/subsonic/rest/;
}
}
location /.well-known/ {
location /.well-known/ {
allow all;
include /etc/nginx/funkwhale_proxy.conf;
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://
{{
funkwhale
_
api
_ip }}:{{ funkwhale_api_port }}/.well-known/
;
proxy_pass http://funkwhale
-
api;
}
}
location /media/ {
# Allow direct access to only specific subdirectories in /media
alias {{ funkwhale_media_path }}/;
location /media/__sized__/ {
alias {{ funkwhale_media_path }}/__sized__/;
add_header Access-Control-Allow-Origin '*';
}
# Allow direct access to only specific subdirectories in /media
location /media/attachments/ {
alias {{ funkwhale_media_path }}/attachments/;
add_header Access-Control-Allow-Origin '*';
}
# Allow direct access to only specific subdirectories in /media
location /media/dynamic_preferences/ {
alias {{ funkwhale_media_path }}/dynamic_preferences/;
add_header Access-Control-Allow-Origin '*';
}
}
{% if funkwhale_external_storage_enabled -%}
{% if funkwhale_external_storage_enabled -%}
# Comment the previous location and uncomment this one if you're storing
# This is an internal location that is used to serve
# media files in a S3 bucket
# media (uploaded) files once correct permission / authentication
# has been checked on API side.
location ~ /_protected/media/(.+) {
location ~ /_protected/media/(.+) {
# Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
proxy_set_header Authorization "";
internal;
internal;
proxy_pass $1;
# Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932.
proxy_set_header Authorization ""; # S3
proxy_pass $1; # S3
add_header Access-Control-Allow-Origin '*';
}
}
{% else -%}
{% else -%}
location /_protected/media {
location /_protected/media/ {
# this is an internal location that is used to serve
# audio files once correct permission / authentication
# has been checked on API side
internal;
internal;
alias {{ funkwhale_media_path }};
alias {{ funkwhale_media_path }}/;
add_header Access-Control-Allow-Origin '*';
}
}
{% endif %}
{% endif %}
location /_protected/music {
location /_protected/music/ {
# this is an internal location that is used to serve
# This is an internal location that is used to serve
# audio files once correct permission / authentication
# local music files once correct permission / authentication
# has been checked on API side
# has been checked on API side.
# Set this to the same value as your MUSIC_DIRECTORY_PATH setting
internal;
internal;
alias {{ funkwhale_music_path }};
alias {{ funkwhale_music_path }}/;
add_header Access-Control-Allow-Origin '*';
}
}
location /staticfiles/ {
location /manifest.json {
# django static files
return 302 /api/v1/instance/spa-manifest.json;
alias {{ funkwhale_static_path }}/;
}
}
{% if funkwhale_disable_django_admin -%}
location /api/admin/ {
# disable access to API admin dashboard
return 403;
}
{% endif -%}
{{ funkwhale_nginx_additional_config }}
{{ funkwhale_nginx_additional_config }}
}
}
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment