diff --git a/conf/nginx.conf b/conf/nginx.conf
index e01ed0f..6b33ec6 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -1,6 +1,6 @@
-root __INSTALL_DIR__/front/dist;
+root __INSTALL_DIR__/front;
-location / {
+location /api/ {
 # global proxy conf
 proxy_set_header Host $host;
@@ -18,29 +18,21 @@ location / {
 # this is needed if you have file import via upload enabled
 client_max_body_size 100M;
- proxy_pass http://127.0.0.1:__PORT__/;
+ proxy_pass http://127.0.0.1:__PORT__;
 }
-location /front/ {
- more_set_headers "Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
- more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
- more_set_headers "Service-Worker-Allowed: /";
- more_set_headers "X-Frame-Options: SAMEORIGIN";
- alias __INSTALL_DIR__/front/dist/;
- expires 30d;
- more_set_headers "Pragma: public";
- more_set_headers "Cache-Control: public, must-revalidate, proxy-revalidate";
+location / {
+ alias __INSTALL_DIR__/front/;
+ expires 1d;
+ try_files $uri $uri/ /index.html;
 }
-location /front/embed.html {
- more_set_headers "Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
- more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
+location /embed.html {
+ add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
- more_set_headers "X-Frame-Options: ALLOW";
- alias __INSTALL_DIR__/front/dist/embed.html;
- expires 30d;
- more_set_headers "Pragma: public";
- more_set_headers "Cache-Control: public, must-revalidate, proxy-revalidate";
+ alias __INSTALL_DIR__/front/embed.html;
+ expires 1d;
 }
 location /federation/ {
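Review bot: The new `location /` serves the front-end with none of the response headers the removed `/front/` block set, so the Content-Security-Policy, Referrer-Policy and `X-Frame-Options: SAMEORIGIN` protections are gone for the main application unless they are set somewhere outside this hunk. I would carry them over, for example `more_set_headers "X-Frame-Options: SAMEORIGIN";` together with the `Content-Security-Policy` line from the removed block. The replacement policy on `/embed.html` is also far wider than the old one: `script-src` now allows `unpkg.com`, `'unsafe-inline'` and `'unsafe-eval'`, and most fetch directives accept any `https:` or `http:` source, which leaves the policy with little effect against script injection, so it should list only the sources the embed page actually loads. Since `root` is already `__INSTALL_DIR__/front`, the `alias` inside `location /` looks redundant, and pairing `alias` with `try_files` is best avoided in favour of relying on `root`.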
@@ -98,33 +90,32 @@ location /.well-known/ {
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection $connection_upgrade;
- proxy_pass http://127.0.0.1:__PORT__/.well-known/;
+ proxy_pass http://127.0.0.1:__PORT__;
 }
 location /media/__sized__/ {
 alias __DATA_DIR__/data/media/__sized__/;
+ add_header Acces-Control-Allow-Origin '*';
 }
 location /media/attachments/ {
 alias __DATA_DIR__/data/media/attachments/;
+ add_header Access-Control-Allow-Origin '*';
 }
-location /_protected/media/ {
- # this is an internal location that is used to serve
- # audio files once correct permission / authentication
- # has been checked on API side
- internal;
- alias __DATA_DIR__/data/media/;
-}
-
-# Comment the previous location and uncomment this one if you're storing
-# media files in a S3 bucket
-# location ~ /_protected/media/(.+) {
-# internal;
-# # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
-# proxy_set_header Authorization "";
-# proxy_pass $1;
-# }
+ # This is an internal location that is used to serve
+ # media (uploaded) files once correct permission / authentication
+ # has been checked on API side.
+ # Comment the "NON-S3" commented lines and uncomment "S3" commented lines
+ # if you're storing media files in a S3 bucket.
+ #location ~ /_protected/media/(.+) {
+ # internal;
+ # alias ${MEDIA_ROOT}/$1; # NON-S3
+ # # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932.
+# proxy_set_header Authorization ""; # S3
+# proxy_pass $1; # S3
+ # add_header Access-Control-Allow-Origin '*';
+ #}
 location /_protected/music/ {
 # this is an internal location that is used to serve
@@ -133,9 +124,9 @@ location /_protected/music/ {
 # Set this to the same value as your MUSIC_DIRECTORY_PATH setting
 internal;
 alias __DATA_DIR__/data/music/;
+ add_header Access-Control-Allow-Origin '*';
 }
-location /staticfiles/ {
- # django static files
- alias __DATA_DIR__/data/static/;
+location /manifest.json {
+ return 302 /api/v1/instance/spa-manifest.json;
 }
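Review bot: The active `location /_protected/media/` block is replaced by lines that are all commented out, so after this change no `internal` location matches that prefix; if the API still hands permission-checked media to nginx under `/_protected/media/`, as the removed comment describes, those requests would presumably fall through to the catch-all `location /` instead of the media directory. The commented `alias ${MEDIA_ROOT}/$1;` also uses a variable that appears nowhere else in the visible file, which relies on `__DATA_DIR__` placeholders. I would keep the non-S3 form enabled, e.g. `location ~ /_protected/media/(.+) { internal; alias __DATA_DIR__/data/media/$1; }`. Separately, the header added to `/media/__sized__/` is misspelled `Acces-Control-Allow-Origin`, so browsers will not treat it as a CORS header; it should read `add_header Access-Control-Allow-Origin '*';`.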
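Review bot: The `add_header Access-Control-Allow-Origin '*';` added to `/_protected/music/` opens cross-origin reads on files that, per the block's own comment, are served only after the API has checked permission, and nothing in the hunk says why a wildcard is needed there. If the header is required (I assume for the embedded player), a comment such as `# wildcard CORS is intentional: <reason>` would make the intent reviewable; otherwise limit it to the origins that need it. Removing `location /staticfiles/` also means URLs under that prefix now resolve through the catch-all `location /`, so it is worth confirming the Django static files are served another way. The `/_protected/music/` block begins outside this hunk.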