feat(nginx): Generate configs using a template

Part-of: <https://dev.funkwhale.audio/funkwhale/funkwhale/-/merge_requests/2547>
2023-08-01 13:31:51 +02:00 · 2023-08-01 13:31:51 +02:00 · 88d7bdb8ab
commit 88d7bdb8ab
parent abf1306e2f
7 changed files with 362 additions and 63 deletions
--- a/docker/nginx/conf.dev
+++ b/docker/nginx/conf.dev
@ -1,6 +1,9 @@
+
 upstream funkwhale-api {
+    # depending on your setup, you may want to update this
    server ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT};
 }
+
 upstream funkwhale-front {
    server ${FUNKWHALE_FRONT_IP}:${FUNKWHALE_FRONT_PORT};
 }
@ -11,17 +14,18 @@ map $http_upgrade $connection_upgrade {
    ''      close;
 }

+
 server {
    listen      80;
    listen [::]:80;
-    charset     utf-8;
-    client_max_body_size ${NGINX_MAX_BODY_SIZE};
-    include /etc/nginx/funkwhale_proxy.conf;

-    add_header Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'";
-    add_header Referrer-Policy "strict-origin-when-cross-origin";
-    add_header X-Frame-Options "SAMEORIGIN" always;
-    add_header Service-Worker-Allowed "/";
+    server_name _;
+
+
+    # General configs
+    root /usr/share/nginx/html;
+    client_max_body_size ${NGINX_MAX_BODY_SIZE};
+    charset utf-8;

    # compression settings
    gzip on;
@ -29,7 +33,6 @@ server {
    gzip_min_length    256;
    gzip_proxied       any;
    gzip_vary          on;
-
    gzip_types
        application/javascript
        application/vnd.geo+json
@ -50,6 +53,12 @@ server {
        text/x-cross-domain-policy;
    # end of compression settings

+    # headers
+    add_header Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'";
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header Service-Worker-Allowed "/";
+
    location /api/ {
        include /etc/nginx/funkwhale_proxy.conf;
        # This is needed if you have file import via upload enabled.
@ -58,15 +67,15 @@ server {
    }

    location / {
-        proxy_pass   http://funkwhale-front;
        expires 1d;
+        proxy_pass http://funkwhale-front;
    }

    location = /embed.html {
+        proxy_pass http://funkwhale-front;
        add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
        add_header Referrer-Policy "strict-origin-when-cross-origin";

-        proxy_pass   http://funkwhale-front;
        expires 1d;
    }

@ -81,14 +90,6 @@ server {
        proxy_pass   http://funkwhale-api/api/subsonic/rest/;
    }

-    location /media/__sized__/ {
-        alias /protected/media/__sized__/;
-    }
-
-    location /media/attachments/ {
-        alias /protected/media/attachments/;
-    }
-
    location /.well-known/ {
        include /etc/nginx/funkwhale_proxy.conf;
        proxy_pass   http://funkwhale-api;
@ -96,13 +97,13 @@ server {

    # Allow direct access to only specific subdirectories in /media
    location /media/__sized__/ {
-        alias /protected/media/__sized__/;
+        alias ${MEDIA_ROOT}/__sized__/;
        add_header Access-Control-Allow-Origin '*';
    }

    # Allow direct access to only specific subdirectories in /media
    location /media/attachments/ {
-        alias /protected/media/attachments/;
+        alias ${MEDIA_ROOT}/attachments/;
        add_header Access-Control-Allow-Origin '*';
    }

@ -119,10 +120,10 @@ server {
    # if you're storing media files in a S3 bucket.
    location ~ /_protected/media/(.+) {
        internal;
-        alias   /protected/media/$1;                                        # NON-S3
+        alias   ${MEDIA_ROOT}/$1;                                           # NON-S3
        # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932.
-#           proxy_set_header Authorization "";                                  # S3
-#           proxy_pass $1;                                                      # S3
+#       proxy_set_header Authorization "";                                  # S3
+#       proxy_pass $1;                                                      # S3
        add_header Access-Control-Allow-Origin '*';
    }

@ -132,7 +133,7 @@ server {
        # has been checked on API side.
        # Set this to the same value as your MUSIC_DIRECTORY_PATH setting.
        internal;
-        alias   /music/;
+        alias   ${MUSIC_DIRECTORY_PATH}/;
        add_header Access-Control-Allow-Origin '*';
    }

@ -142,7 +143,6 @@ server {
    }

    location /staticfiles/ {
-        alias /staticfiles/;
+        alias /usr/share/nginx/html/staticfiles/;
    }
-
 }