Fix #358: dockerized nginx to make deployment easier

2018-08-31 17:21:46 +00:00 · 2018-08-31 17:21:46 +00:00 · 0740cc33e5
commit 0740cc33e5
parent 6940d411d7
11 changed files with 373 additions and 41 deletions
--- a/deploy/nginx.template
+++ b/deploy/nginx.template
@ -0,0 +1,101 @@
+# This file was generated from funkwhale.template
+
+upstream funkwhale-api {
+    # depending on your setup, you may want to udpate this
+    server ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT};
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    # update this to match your instance name
+    server_name ${FUNKWHALE_HOSTNAME};
+    # useful for Let's Encrypt
+    location /.well-known/acme-challenge/ { allow all; }
+    location / { return 301 https://$host$request_uri; }
+}
+
+# required for websocket support
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+
+server {
+    listen      443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name ${FUNKWHALE_HOSTNAME};
+
+    # TLS
+    # Feel free to use your own configuration for SSL here or simply remove the
+    # lines and move the configuration to the previous server block if you
+    # don't want to run funkwhale behind https (this is not recommended)
+    # have a look here for let's encrypt configuration:
+    # https://certbot.eff.org/all-instructions/#debian-9-stretch-nginx
+    ssl_protocols TLSv1.2;
+    ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_certificate     /etc/letsencrypt/live/${FUNKWHALE_HOSTNAME}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${FUNKWHALE_HOSTNAME}/privkey.pem;
+    # HSTS
+    add_header Strict-Transport-Security "max-age=31536000";
+
+    root ${FUNKWHALE_FRONTEND_PATH};
+
+    location / {
+        try_files $uri $uri/ @rewrites;
+    }
+
+    location @rewrites {
+        rewrite ^(.+)$ /index.html last;
+    }
+    location /api/ {
+        include /etc/nginx/funkwhale_proxy.conf;
+        # this is needed if you have file import via upload enabled
+        client_max_body_size ${NGINX_MAX_BODY_SIZE};
+        proxy_pass   http://funkwhale-api/api/;
+    }
+
+    location /federation/ {
+        include /etc/nginx/funkwhale_proxy.conf;
+        proxy_pass   http://funkwhale-api/federation/;
+    }
+
+    # You can comment this if you do not plan to use the Subsonic API
+    location /rest/ {
+        include /etc/nginx/funkwhale_proxy.conf;
+        proxy_pass   http://funkwhale-api/api/subsonic/rest/;
+    }
+
+    location /.well-known/ {
+        include /etc/nginx/funkwhale_proxy.conf;
+        proxy_pass   http://funkwhale-api/.well-known/;
+    }
+
+    location /media/ {
+        alias ${MEDIA_ROOT}/;
+    }
+
+    location /_protected/media {
+        # this is an internal location that is used to serve
+        # audio files once correct permission / authentication
+        # has been checked on API side
+        internal;
+        alias   ${MEDIA_ROOT};
+    }
+
+    location /_protected/music {
+        # this is an internal location that is used to serve
+        # audio files once correct permission / authentication
+        # has been checked on API side
+        # Set this to the same value as your MUSIC_DIRECTORY_PATH setting
+        internal;
+        alias   ${MUSIC_DIRECTORY_SERVE_PATH};
+    }
+
+    location /staticfiles/ {
+        # django static files
+        alias ${STATIC_ROOT}/;
+    }
+}