# Account the worker processes run as.
user  nginx;
# A single worker process handles all connections.
worker_processes  1;

# Only messages at "warn" severity or above are written to the error log.
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    # Upper bound on simultaneous connections per worker process.
    worker_connections  1024;
}


http {
    # Extension-to-MIME-type table; anything not listed falls back to default_type.
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # Access log line layout.
    # NOTE(review): $http_referer, $http_user_agent and $http_x_forwarded_for are
    # copied from request headers, so they are client-supplied values. Do not
    # treat the logged X-Forwarded-For as an authenticated client address when
    # reading these logs or feeding them to other tooling.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    # Compression is left off at http level; the server block below turns it on.
    #gzip  on;

    # Sets $connection_upgrade from the request's Upgrade header: "upgrade" when
    # the header has any value, "close" when it is empty or absent.
    # $connection_upgrade is not referenced in this file; presumably the included
    # funkwhale_proxy.conf uses it for WebSocket proxying (confirm).
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Backend pools for the API and the front-end server.
    # The ${...} placeholders are not nginx variables. This file looks like a
    # template whose placeholders must be substituted before nginx loads it
    # (TODO confirm which tool does the substitution, and that the values come
    # from trusted deployment configuration only).
    upstream funkwhale-api {
        server ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT};
    }
    upstream funkwhale-front {
        server ${FUNKWHALE_FRONT_IP}:${FUNKWHALE_FRONT_PORT};
    }
    server {
        listen 80;
        charset     utf-8;
        client_max_body_size 100M;
        include /etc/nginx/funkwhale_proxy.conf;
        # compression settings
        # Responses of at least 256 bytes are compressed at level 5, and
        # "gzip_vary on" adds "Vary: Accept-Encoding" so caches keep compressed
        # and uncompressed variants apart.
        # NOTE(review): nginx always compresses text/html in addition to the
        # types listed below, and "gzip_proxied any" also compresses responses
        # to requests that arrive through another proxy. If this server is ever
        # put behind TLS, check whether compressed responses can mix secrets with
        # request-controlled content (BREACH-style length side channel).
        gzip on;
        gzip_comp_level    5;
        gzip_min_length    256;
        gzip_proxied       any;
        gzip_vary          on;

        gzip_types
            application/javascript
            application/vnd.geo+json
            application/vnd.ms-fontobject
            application/x-font-ttf
            application/x-web-app-manifest+json
            font/opentype
            image/bmp
            image/svg+xml
            image/x-icon
            text/cache-manifest
            text/css
            text/plain
            text/vcard
            text/vnd.rim.location.xloc
            text/vtt
            text/x-component
            text/x-cross-domain-policy;

        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
        add_header Referrer-Policy "strict-origin-when-cross-origin";

        location /front/ {
            # nginx inherits add_header directives from the enclosing level only
            # when the current level defines none of its own. Because this
            # location adds X-Frame-Options, the server-level CSP and
            # Referrer-Policy have to be repeated here or they would be dropped.
            # Without the "always" parameter these headers are only attached to a
            # fixed set of success and redirect status codes, not to error pages.
            # NOTE(review): the CSP still permits inline styles through
            # 'unsafe-inline' in style-src.
            add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
            add_header Referrer-Policy "strict-origin-when-cross-origin";
            add_header X-Frame-Options "SAMEORIGIN";
            # uncomment the following line and comment the proxy-pass one
            # to use the frontend build with "yarn build"
            #alias /frontend/dist/;
            proxy_pass   http://funkwhale-front/front/;
        }
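        # Embed page, presumably meant to be framed by other sites (confirm).
        # No X-Frame-Options header is sent here on purpose: "ALLOW" is not a
        # defined value for that header (the supported values are DENY and
        # SAMEORIGIN), so sending it states no policy and relies on browsers
        # ignoring it. To restrict which sites may embed the player, add a
        # "frame-ancestors" source list to the Content-Security-Policy below.
        location /front/embed.html {
            # A location with its own add_header lines does not inherit the
            # server-level ones, so the CSP and Referrer-Policy are repeated.
            add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
            add_header Referrer-Policy "strict-origin-when-cross-origin";
            proxy_pass   http://funkwhale-front/front/embed.html;
        }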
        location /front-server/ {
            proxy_pass   http://funkwhale-front/;
        }
        # Forwarded to the front-end upstream under the same path.
        # NOTE(review): the path name suggests the front-end dev server's
        # live-reload socket, so this is probably development-only; confirm it
        # is absent from any production configuration.
        location /sockjs-node/ {
            proxy_pass   http://funkwhale-front/sockjs-node/;
        }

        location / {
            include /etc/nginx/funkwhale_proxy.conf;
            # this is needed if you have file import via upload enabled
            client_max_body_size ${NGINX_MAX_BODY_SIZE};
            proxy_pass   http://funkwhale-api/;
        }

        # You can comment out this location if you do not plan to use the Subsonic API
        location /rest/ {
            include /etc/nginx/funkwhale_proxy.conf;
            proxy_pass   http://funkwhale-api/api/subsonic/rest/;
        }

        # Serves files under /protected/media/ straight from disk to any client;
        # there is no "internal" restriction on this location.
        # NOTE(review): the internal /_protected/media location further down
        # aliases the same directory. Anything stored there is therefore also
        # reachable as /media/<path> without the API-side permission check.
        # Confirm that files meant to be gated by that check cannot be fetched
        # through this public path, or that this is acceptable for this setup.
        location /media/ {
            alias /protected/media/;
        }

        # this is an internal location that is used to serve
        # audio files once correct permission / authentication
        # has been checked on API side
        location /_protected/media {
            internal;
            alias   /protected/media;

        }
        # Comment out the previous location and uncomment this one if you're storing
        # media files in an S3 bucket
        # location ~ /_protected/media/(.+) {
        #     internal;
        #     resolver 127.0.0.11;
        #     # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
        #     proxy_set_header Authorization "";
        #     proxy_set_header X-Remote-URL "$1";
        #     proxy_pass $1;
        # }

        location /_protected/music {
            # this is an internal location that is used to serve
            # audio files once correct permission / authentication
            # has been checked on API side
            # Set this to the same value as your MUSIC_DIRECTORY_PATH setting
            internal;
            alias   /music;
        }
        # Static assets are read directly from /staticfiles/ on disk rather than
        # proxied to an upstream. The trailing slash on both the location and the
        # alias keeps the path mapping one-to-one.
        location /staticfiles/ {
            alias /staticfiles/;
        }
    }
}