feat(nginx): Generate configs using a template

Part-of: <https://dev.funkwhale.audio/funkwhale/funkwhale/-/merge_requests/2547>
2023-08-01 13:31:51 +02:00 · 2023-08-01 13:31:51 +02:00 · 88d7bdb8ab
commit 88d7bdb8ab
parent abf1306e2f
7 changed files with 362 additions and 63 deletions
--- a/deploy/docker.proxy.template
+++ b/deploy/docker.proxy.template
@ -1,7 +1,8 @@
 upstream fw {
-    # depending on your setup, you may want to update this
    server ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT};
 }
+
+# Required for websocket support.
 map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
@ -10,15 +11,31 @@ map $http_upgrade $connection_upgrade {
 server {
    listen 80;
    listen [::]:80;
+    # update this to match your instance name
    server_name ${FUNKWHALE_HOSTNAME};
-    location / { return 301 https://$host$request_uri; }
+
+    # useful for Let's Encrypt
+    location /.well-known/acme-challenge/ {
+        allow all;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
 }
+
 server {
    listen      443 ssl http2;
    listen [::]:443 ssl http2;
+
    server_name ${FUNKWHALE_HOSTNAME};

    # TLS
+    # Feel free to use your own configuration for SSL here or simply remove the
+    # lines and move the configuration to the previous server block if you
+    # don't want to run funkwhale behind https (this is not recommended)
+    # have a look here for let's encrypt configuration:
+    # https://certbot.eff.org/all-instructions/#debian-9-stretch-nginx
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
    ssl_prefer_server_ciphers on;
@ -29,12 +46,10 @@ server {
    # HSTS
    add_header Strict-Transport-Security "max-age=31536000";

-    # Security related headers

-    # If you are using S3 to host your files, remember to add your S3 URL to the
-    # media-src and img-src headers (e.g. img-src 'self' https://<your-S3-URL> data:)
-
-    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+    # General configs
+    client_max_body_size ${NGINX_MAX_BODY_SIZE};
+    charset utf-8;

    # compression settings
    gzip on;
@ -42,7 +57,6 @@ server {
    gzip_min_length    256;
    gzip_proxied       any;
    gzip_vary          on;
-
    gzip_types
        application/javascript
        application/vnd.geo+json
@ -61,10 +75,13 @@ server {
        text/vtt
        text/x-component
        text/x-cross-domain-policy;
+    # end of compression settings
+
+

    location / {
-        include /etc/nginx/funkwhale_proxy.conf;
-        client_max_body_size ${NGINX_MAX_BODY_SIZE};
-        proxy_pass   http://fw;
+        expires 1d;
+        proxy_pass http://fw
    }
+
 }