upstream funkwhale-api {
    # Backend that the proxy_pass directives in the server block forward to.
    # Depending on your setup, you may want to update this host:port pair.
    server api:5000;
}

# Required for websocket support: derive the value of the Connection header
# from the client's Upgrade header. An empty (absent) Upgrade header yields
# "close", anything else yields "upgrade".
# $connection_upgrade is not referenced in this file; presumably it is used by
# the included /etc/nginx/funkwhale_proxy.conf (confirm).
map $http_upgrade $connection_upgrade {
    ''      close;
    default upgrade;
}

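server {
    # NOTE(review): this block only listens on plain HTTP. Presumably TLS is
    # terminated by a reverse proxy in front of this container; confirm
    # before exposing port 80 directly.
    listen 80;
    server_name ${FUNKWHALE_HOSTNAME};

    # TLS
    # Feel free to use your own configuration for SSL here or simply remove the
    # lines and move the configuration to the previous server block if you
    # don't want to run funkwhale behind https (this is not recommended)
    # have a look here for let's encrypt configuration:
    # https://certbot.eff.org/all-instructions/#debian-9-stretch-nginx

    root /frontend;

    # If you are using S3 to host your files, remember to add your S3 URL to the
    # media-src and img-src headers (e.g. img-src 'self' https://<your-S3-URL> data:)
    #
    # nginx inherits add_header directives from this level only in locations
    # that declare no add_header of their own, which is why the locations below
    # that add headers repeat the CSP and Referrer-Policy lines. Keep the copies
    # in sync when you edit the policy.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
    add_header Referrer-Policy "strict-origin-when-cross-origin";

    location / {
        include /etc/nginx/funkwhale_proxy.conf;
        # this is needed if you have file import via upload enabled
        client_max_body_size ${NGINX_MAX_BODY_SIZE};
        proxy_pass   http://funkwhale-api/;
    }

    location /front/ {
        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
        add_header Referrer-Policy "strict-origin-when-cross-origin";

        # "ALLOW" is not a defined X-Frame-Options value and browsers ignore
        # it, which left the frontend framable by any origin. SAMEORIGIN
        # restricts framing of the application pages to this site; the embed
        # widget has its own, more specific location below.
        add_header X-Frame-Options "SAMEORIGIN";
        alias /frontend/;
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    location /front/embed.html {
        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
        add_header Referrer-Policy "strict-origin-when-cross-origin";

        # No X-Frame-Options here: this page is presumably meant to be framed
        # by other sites, and the header has no value that means "allow any
        # origin" (the former "ALLOW" was ignored by browsers). If embedding
        # should be limited to known sites, use the CSP frame-ancestors
        # directive instead.
        alias /frontend/embed.html;
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    location /federation/ {
        include /etc/nginx/funkwhale_proxy.conf;
        proxy_pass   http://funkwhale-api/federation/;
    }

    # You can comment this if you do not plan to use the Subsonic API
    location /rest/ {
        include /etc/nginx/funkwhale_proxy.conf;
        proxy_pass   http://funkwhale-api/api/subsonic/rest/;
    }

    location /.well-known/ {
        include /etc/nginx/funkwhale_proxy.conf;
        proxy_pass   http://funkwhale-api/.well-known/;
    }

    # NOTE(review): this serves everything under ${MEDIA_ROOT} to any client
    # with no API-side check, and /_protected/media below aliases the same
    # directory. Any file there that is supposed to be permission-gated is
    # also reachable through /media/<path>. Confirm which sub-directories
    # really need to be public and narrow this location to them.
    location /media/ {
        alias ${MEDIA_ROOT}/;
    }

    # this is an internal location that is used to serve
    # audio files once correct permission / authentication
    # has been checked on API side
    location /_protected/media {
        # "internal" makes nginx refuse direct client requests to this path;
        # it is only reachable through internal redirects.
        internal;
        alias   ${MEDIA_ROOT};
    }
    # Comment the previous location and uncomment this one if you're storing
    # media files in a S3 bucket
    # Keep "internal;" when enabling it: the proxied URL is taken from the
    # request path, so clients must never reach this location directly.
    # location ~ /_protected/media/(.+) {
    #     internal;
    #     # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
    #     proxy_set_header Authorization "";
    #     proxy_pass $1;
    # }

    location /_protected/music {
        # this is an internal location that is used to serve
        # audio files once correct permission / authentication
        # has been checked on API side
        # Set this to the same value as your MUSIC_DIRECTORY_PATH setting
        internal;
        alias   ${MUSIC_DIRECTORY_PATH};
    }

    location /staticfiles/ {
        # django static files
        alias ${STATIC_ROOT}/;
    }
}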