novaburst/funquail
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

refactor(front/Docker): cleanup nginx-based container

Browse source
This commit is contained in:
JuniorJPDJ 2022-07-20 01:31:28 +02:00
commit 6df36f519a
4 changed files with 31 additions and 38 deletions
Download patch file Download diff file Expand all files Collapse all files

99
front/docker/funkwhale.conf.template Normal file
View file

@ -0,0 +1,99 @@
upstream funkwhale-api {
server ${FUNKWHALE_API_HOST}:${FUNKWHALE_API_PORT};
}
# Required for websocket support.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
server_name ${FUNKWHALE_HOSTNAME};
root /usr/share/nginx/html;
# If you are using S3 to host your files, remember to add your S3 URL to the
# media-src and img-src headers (e.g. img-src 'self' https://<your-S3-URL> data:).
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' ${AWS_S3_ENDPOINT_URL} data:; font-src 'self' data:; object-src 'none'; media-src ${AWS_S3_ENDPOINT_URL} 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "SAMEORIGIN" always;
location / {
include /etc/nginx/funkwhale_proxy.conf;
# This is needed if you have file import via upload enabled.
client_max_body_size ${NGINX_MAX_BODY_SIZE};
proxy_pass http://funkwhale-api/;
}
location /front/ {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' ${AWS_S3_ENDPOINT_URL} data:; font-src 'self' data:; object-src 'none'; media-src ${AWS_S3_ENDPOINT_URL} 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Service-Worker-Allowed "/";
alias /usr/share/nginx/html/;
expires 30d;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
location = /front/embed.html {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' ${AWS_S3_ENDPOINT_URL} data:; font-src 'self' data:; object-src 'none'; media-src ${AWS_S3_ENDPOINT_URL} 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "" always;
alias /usr/share/nginx/html/embed.html;
expires 30d;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
location /federation/ {
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://funkwhale-api/federation/;
}
# You can comment this if you do not plan to use the Subsonic API.
location /rest/ {
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://funkwhale-api/api/subsonic/rest/;
}
location /.well-known/ {
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://funkwhale-api/.well-known/;
}
location /media/ {
alias ${MEDIA_ROOT}/;
}
# This is an internal location that is used to serve
# media (uploaded) files once correct permission / authentication
# has been checked on API side.
# Comment the "NON-S3" commented lines and uncomment "S3" commented lines
# if you're storing media files in a S3 bucket.
location /_protected/media/(.+) {
internal;
alias ${MEDIA_ROOT}/; # NON-S3
# Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932.
# proxy_set_header Authorization ""; # S3
# proxy_pass $1; # S3
}
location /_protected/music/ {
# This is an internal location that is used to serve
# local music files once correct permission / authentication
# has been checked on API side.
# Set this to the same value as your MUSIC_DIRECTORY_PATH setting.
internal;
alias ${MUSIC_DIRECTORY_PATH}/;
}
location /staticfiles/ {
# Django static files
alias ${STATIC_ROOT}/;
}
}