diff --git a/conf/funkwhale_proxy.conf b/conf/funkwhale_proxy.conf new file mode 100644 index 0000000..1f091b4 --- /dev/null +++ b/conf/funkwhale_proxy.conf @@ -0,0 +1,13 @@ +# global proxy conf +proxy_set_header Host $host; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Proto $scheme; +proxy_set_header X-Forwarded-Host $host:$server_port; +proxy_set_header X-Forwarded-Port $server_port; +proxy_redirect off; + +# websocket support +proxy_http_version 1.1; +proxy_set_header Upgrade $http_upgrade; +proxy_set_header Connection $connection_upgrade; diff --git a/conf/nginx.conf b/conf/nginx.conf index 715112d..9224618 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,144 +1,150 @@ -root __INSTALL_DIR__/front/dist; -location /api/ { + # HSTS + add_header Strict-Transport-Security "max-age=31536000"; - # global proxy conf - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host:$server_port; - proxy_set_header X-Forwarded-Port $server_port; - proxy_redirect off; + # General configs + root ${FUNKWHALE_FRONTEND_PATH}; + client_max_body_size ${NGINX_MAX_BODY_SIZE}; + charset utf-8; - # websocket support - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; + # compression settings + gzip on; + gzip_comp_level 5; + gzip_min_length 256; + gzip_proxied any; + gzip_vary on; + gzip_types + application/javascript + application/vnd.geo+json + application/vnd.ms-fontobject + application/x-font-ttf + application/x-web-app-manifest+json + font/opentype + image/bmp + image/svg+xml + image/x-icon + text/cache-manifest + text/css + text/plain + text/vcard + text/vnd.rim.location.xloc + text/vtt + text/x-component + text/x-cross-domain-policy; + # end of compression settings - # this is needed if you have file import via upload enabled - client_max_body_size 100M; - proxy_pass http://127.0.0.1:__PORT__; -} + # headers + add_header Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'"; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header Service-Worker-Allowed "/"; -location / { - alias __INSTALL_DIR__/front/dist/; - expires 1d; - try_files $uri $uri/ /index.html; -} - -location /embed.html { - more_set_headers "Content-Security-Policy: connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:"; - more_set_headers "Referrer-Policy: strict-origin-when-cross-origin"; - - alias __INSTALL_DIR__/front/dist/embed.html; - expires 1d; -} - -location /federation/ { - - # global proxy conf - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host:$server_port; - proxy_set_header X-Forwarded-Port $server_port; - proxy_redirect off; - - # websocket support - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_pass http://127.0.0.1:__PORT__/federation/; -} - -# You can comment this if you do not plan to use the Subsonic API -location /rest/ { - - # global proxy conf - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host:$server_port; - proxy_set_header X-Forwarded-Port $server_port; - proxy_redirect off; - - # websocket support - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_pass http://127.0.0.1:__PORT__/api/subsonic/rest/; -} - -location /.well-known/ { - - # global proxy conf - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host:$server_port; - proxy_set_header X-Forwarded-Port $server_port; - proxy_redirect off; - - # websocket support - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_pass http://127.0.0.1:__PORT__; -} - -location /media/__sized__/ { - alias __DATA_DIR__/data/media/__sized__/; - more_set_headers "Access-Control-Allow-Origin: *"; -} - -location /media/attachments/ { - alias __DATA_DIR__/data/media/attachments/; - more_set_headers "Access-Control-Allow-Origin: *"; -} - -# This is an internal location that is used to serve -# media (uploaded) files once correct permission / authentication -# has been checked on API side. -# Comment the "NON-S3" commented lines and uncomment "S3" commented lines -# if you're storing media files in a S3 bucket. -location /_protected/media/ { - internal; - alias __DATA_DIR__/data/media/$1; # NON-S3 -# Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932. -# proxy_set_header Authorization ""; # S3 -# proxy_pass $1; # S3 - more_set_headers "Access-Control-Allow-Origin: *"; + location /api/ { + include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + # This is needed if you have file import via upload enabled. + client_max_body_size ${NGINX_MAX_BODY_SIZE}; + proxy_pass http://127.0.0.1:__PORT__; } -location /_protected/music/ { - # this is an internal location that is used to serve - # audio files once correct permission / authentication - # has been checked on API side - # Set this to the same value as your MUSIC_DIRECTORY_PATH setting - internal; - alias __DATA_DIR__/data/music/; - more_set_headers "Access-Control-Allow-Origin: *"; -} + location ~ ^/library/(albums|tracks|artists|playlists)/ { + include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + proxy_pass http://127.0.0.1:__PORT__; + } -# Allow direct access to /staticfiles -location /staticfiles/ { - alias __DATA_DIR__/data/static/; - more_set_headers "Access-Control-Allow-Origin: *"; -} + location /channels/ { + include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + proxy_pass http://127.0.0.1:__PORT__; + } -# Allow direct access to only specific subdirectories in /media -location /media/dynamic_preferences/ { - alias __DATA_DIR__/data/media/dynamic_preferences/; - more_set_headers "Access-Control-Allow-Origin: *"; -} + location ~ ^/@(vite-plugin-pwa|vite|id)/ { + include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + alias ${FUNKWHALE_FRONTEND_PATH}/; + try_files $uri $uri/ /index.html; + } -location /manifest.json { - return 302 /api/v1/instance/spa-manifest.json; -} + location /@ { + include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + proxy_pass http://127.0.0.1:__PORT__; + } + + location / { + expires 1d; + include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + alias ${FUNKWHALE_FRONTEND_PATH}/; + try_files $uri $uri/ /index.html; + } + + location ~ "/(front/)?embed.html" { + alias ${FUNKWHALE_FRONTEND_PATH}/embed.html; + add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:"; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + + expires 1d; + } + + location /federation/ { + include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + proxy_pass http://127.0.0.1:__PORT__; + } + + # You can comment this if you do not plan to use the Subsonic API. + location /rest/ { + include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + proxy_pass http://127.0.0.1:__PORT__/api/subsonic/rest/; + } + + location /.well-known/ { + include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + proxy_pass http://127.0.0.1:__PORT__; + } + + # Allow direct access to only specific subdirectories in /media + location /media/__sized__/ { + alias ${MEDIA_ROOT}/__sized__/; + add_header Access-Control-Allow-Origin '*'; + } + + # Allow direct access to only specific subdirectories in /media + location /media/attachments/ { + alias ${MEDIA_ROOT}/attachments/; + add_header Access-Control-Allow-Origin '*'; + } + + # Allow direct access to only specific subdirectories in /media + location /media/dynamic_preferences/ { + alias ${MEDIA_ROOT}/dynamic_preferences/; + add_header Access-Control-Allow-Origin '*'; + } + + # This is an internal location that is used to serve + # media (uploaded) files once correct permission / authentication + # has been checked on API side. + # Comment the "NON-S3" commented lines and uncomment "S3" commented lines + # if you're storing media files in a S3 bucket. + location ~ /_protected/media/(.+) { + internal; + alias ${MEDIA_ROOT}/$1; # NON-S3 + # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932. +# proxy_set_header Authorization ""; # S3 +# proxy_pass $1; # S3 + add_header Access-Control-Allow-Origin '*'; + } + + location /_protected/music/ { + # This is an internal location that is used to serve + # local music files once correct permission / authentication + # has been checked on API side. + # Set this to the same value as your MUSIC_DIRECTORY_PATH setting. + internal; + alias ${MUSIC_DIRECTORY_PATH}/; + add_header Access-Control-Allow-Origin '*'; + } + + location /manifest.json { + # If the reverse proxy is terminating SSL, nginx gets confused and redirects to http, hence the full URL + return 302 ${FUNKWHALE_PROTOCOL}://${FUNKWHALE_HOSTNAME}/api/v1/instance/spa-manifest.json; + } + + location /staticfiles/ { + alias ${STATIC_ROOT}/; + } \ No newline at end of file diff --git a/scripts/backup b/scripts/backup index 13fa6d1..ed8efd6 100644 --- a/scripts/backup +++ b/scripts/backup @@ -31,7 +31,7 @@ ynh_backup --src_path="$data_dir" --is_big # BACKUP THE NGINX CONFIGURATION #================================================= -ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf" +ynh_backup --src_path="/etc/nginx/conf.d/$domain.d" #================================================= # BACKUP FAIL2BAN CONFIGURATION diff --git a/scripts/install b/scripts/install index e850264..8390cc4 100644 --- a/scripts/install +++ b/scripts/install @@ -33,6 +33,7 @@ ynh_script_progression --message="Configuring NGINX web server..." --weight=1 # Create a dedicated NGINX config ynh_add_nginx_config +ynh_add_config --template="funkwhale_proxy.conf" --destination="/etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf" #================================================= # SPECIFIC SETUP diff --git a/scripts/remove b/scripts/remove index e2c549b..42e9981 100644 --- a/scripts/remove +++ b/scripts/remove @@ -57,6 +57,7 @@ ynh_script_progression --message="Removing NGINX web server configuration..." -- # Remove the dedicated NGINX config ynh_remove_nginx_config +ynh_secure_remove --file="/etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf" #================================================= # REMOVE LOGS diff --git a/scripts/restore b/scripts/restore index a92c9cd..af8f55a 100644 --- a/scripts/restore +++ b/scripts/restore @@ -39,7 +39,7 @@ chown -R $app:www-data "$data_dir/" #================================================= ynh_script_progression --message="Restoring the NGINX web server configuration..." --weight=1 -ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" +ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d" #================================================= # RESTORE THE POSTGRESQL DATABASE diff --git a/scripts/upgrade b/scripts/upgrade index cd7eb2d..d233229 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -50,6 +50,7 @@ ynh_script_progression --message="Upgrading NGINX web server configuration..." - # Create a dedicated NGINX config ynh_add_nginx_config +ynh_add_config --template="funkwhale_proxy.conf" --destination="/etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf" #================================================= # Assure correct permissions to $data_dir