funkwhale/nginx.conf.tmpl

user www-data;

events {
  worker_connections 768;
}

http {
    include /etc/nginx/mime.types;

    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    upstream funkwhale-api {
        server {{ env "STACK_NAME" }}_api:5000;
    }

    server {
        listen 80;
        listen [::]:80;
        server_name {{ env "FUNKWHALE_HOSTNAME" }};

        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
        add_header Referrer-Policy "strict-origin-when-cross-origin";
        add_header X-Frame-Options "SAMEORIGIN" always;

        root /srv/funkwhale/front/dist/;

        gzip on;
        gzip_comp_level    5;
        gzip_min_length    256;
        gzip_proxied       any;
        gzip_vary          on;

        gzip_types
            application/javascript
            application/vnd.geo+json
            application/vnd.ms-fontobject
            application/x-font-ttf
            application/x-web-app-manifest+json
            font/opentype
            image/bmp
            image/svg+xml
            image/x-icon
            text/cache-manifest
            text/css
            text/plain
            text/vcard
            text/vnd.rim.location.xloc
            text/vtt
            text/x-component
            text/x-cross-domain-policy;

        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_redirect off;

            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;

            client_max_body_size 500M;
            proxy_pass   http://funkwhale-api/;
        }

        location /front/ {
            add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
            add_header Referrer-Policy "strict-origin-when-cross-origin";
            add_header Service-Worker-Allowed "/";
            alias /srv/funkwhale/front/dist/;
            expires 30d;
            add_header Pragma public;
            add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        }

        location = /front/embed.html {
            add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
            add_header Referrer-Policy "strict-origin-when-cross-origin";

            add_header X-Frame-Options "" always;
            alias /srv/funkwhale/front/dist/embed.html;
            expires 30d;
            add_header Pragma public;
            add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        }

        location /federation/ {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_redirect off;

            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;

            proxy_pass   http://funkwhale-api/federation/;
        }

        location /rest/ {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_redirect off;

            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;

            proxy_pass   http://funkwhale-api/api/subsonic/rest/;
        }

        location /.well-known/ {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_redirect off;

            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;

            proxy_pass   http://funkwhale-api/.well-known/;
        }

        location /media/ {
            alias   /srv/funkwhale/data/media/;
        }

        location /_protected/media/ {
            # this is an internal location that is used to serve
            # audio files once correct permission / authentication
            # has been checked on API side
            internal;
            alias   /srv/funkwhale/data/media/;
        }

        # Comment the previous location and uncomment this one if you're storing
        # media files in a S3 bucket
        # location ~ /_protected/media/(.+) {
        #     internal;
        #     # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
        #     proxy_set_header Authorization "";
        #     proxy_pass $1;
        # }

        location /_protected/music/ {
            # this is an internal location that is used to serve
            # audio files once correct permission / authentication
            # has been checked on API side
            # Set this to the same value as your MUSIC_DIRECTORY_PATH setting
            internal;
            alias   /srv/funkwhale/data/music;
        }

        location /staticfiles/ {
            alias /srv/funkwhale/data/static/;
        }
    }
}