From 88dd43dcb6ec870229bd6cdc07bc1768cd61dd70 Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Tue, 31 Oct 2023 14:12:19 +0000 Subject: [PATCH 01/16] Auto-update README --- README.md | 1 + README_fr.md | 1 + 2 files changed, 2 insertions(+) diff --git a/README.md b/README.md index 82f6c61..9989bf8 100644 --- a/README.md +++ b/README.md @@ -32,6 +32,7 @@ Funkwhale is a community-driven project that lets you listen and share music and * Official user documentation: * Official admin documentation: * Upstream app code repository: +* YunoHost Store: * Report a bug: ## Developer info diff --git a/README_fr.md b/README_fr.md index 9e94a3c..68fc0b8 100644 --- a/README_fr.md +++ b/README_fr.md @@ -32,6 +32,7 @@ Funkwhale est un projet communautaire qui vous permet d'écouter et de partager * Documentation officielle utilisateur : * Documentation officielle de l’admin : * Dépôt de code officiel de l’app : +* YunoHost Store: * Signaler un bug : ## Informations pour les développeurs From 5b5451b3845795554b442d2c9202a3115b1c65e3 Mon Sep 17 00:00:00 2001 From: Thomas <51749973+Thovi98@users.noreply.github.com> Date: Wed, 13 Dec 2023 14:03:02 +0100 Subject: [PATCH 02/16] init upgrade to 1.4.0 --- manifest.toml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/manifest.toml b/manifest.toml index a478ab8..9e5dc8b 100644 --- a/manifest.toml +++ b/manifest.toml @@ -5,7 +5,7 @@ name = "Funkwhale" description.en = "Convivial and modern music server" description.fr = "Serveur de musique moderne et convivial" -version = "1.3.4~ynh1" +version = "1.4.0~ynh1" maintainers = ["Thovi98"] @@ -44,14 +44,14 @@ ram.runtime = "50M" [resources] [resources.sources] [resources.sources.api] - url = "https://dev.funkwhale.audio/funkwhale/funkwhale/-/jobs/artifacts/1.3.4/download?job=build_api" + url = "https://dev.funkwhale.audio/funkwhale/funkwhale/-/jobs/artifacts/1.4.0/download?job=build_api" sha256 = "8a05e3cab5c698cb89a23e1cd8b95c0e0ce2a2bea1580e1ec59364a07a870cd5" in_subdir = true extract = true format = "zip" [resources.sources.front] - url = "https://dev.funkwhale.audio/funkwhale/funkwhale/-/jobs/artifacts/1.3.4/download?job=build_front" + url = "https://dev.funkwhale.audio/funkwhale/funkwhale/-/jobs/artifacts/1.4.0/download?job=build_front" sha256 = "fbf0d25153dd16f9c9a70e6bb2b15238a091a9acb36fc1dc2e2766f761f2a17c" in_subdir = true extract = true From 837ffd87afc0f11b1bcc6dd0514c2111b44bf472 Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Wed, 13 Dec 2023 13:03:05 +0000 Subject: [PATCH 03/16] Auto-update README --- README.md | 2 +- README_fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8472a5c..0a8b29a 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in Funkwhale is a community-driven project that lets you listen and share music and audio within a decentralized, open network. -**Shipped version:** 1.3.4~ynh1 +**Shipped version:** 1.4.0~ynh1 **Demo:** https://demo.funkwhale.audio diff --git a/README_fr.md b/README_fr.md index 88ba9cc..90cba06 100644 --- a/README_fr.md +++ b/README_fr.md @@ -18,7 +18,7 @@ Si vous n’avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) po Funkwhale est un projet communautaire qui vous permet d'écouter et de partager de la musique et de l'audio au sein d'un réseau ouvert et décentralisé. -**Version incluse :** 1.3.4~ynh1 +**Version incluse :** 1.4.0~ynh1 **Démo :** https://demo.funkwhale.audio From 897b959805087158629c08cc110182f04d778cc2 Mon Sep 17 00:00:00 2001 From: Thomas <51749973+Thovi98@users.noreply.github.com> Date: Wed, 13 Dec 2023 14:18:18 +0100 Subject: [PATCH 04/16] Update SHA sum for api --- manifest.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest.toml b/manifest.toml index 9e5dc8b..0e17214 100644 --- a/manifest.toml +++ b/manifest.toml @@ -45,7 +45,7 @@ ram.runtime = "50M" [resources.sources] [resources.sources.api] url = "https://dev.funkwhale.audio/funkwhale/funkwhale/-/jobs/artifacts/1.4.0/download?job=build_api" - sha256 = "8a05e3cab5c698cb89a23e1cd8b95c0e0ce2a2bea1580e1ec59364a07a870cd5" + sha256 = "e1c3d49da0e03545ff96f584d7c437fa333d7836b1a70c54b31ba5db3e1a2ae1" in_subdir = true extract = true format = "zip" From 2184b8797f36d04cd7bb756fce4e87afb98f82f7 Mon Sep 17 00:00:00 2001 From: Thomas <51749973+Thovi98@users.noreply.github.com> Date: Wed, 13 Dec 2023 14:36:16 +0100 Subject: [PATCH 05/16] Update SHA sum for front --- manifest.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest.toml b/manifest.toml index 0e17214..e2e9462 100644 --- a/manifest.toml +++ b/manifest.toml @@ -52,7 +52,7 @@ ram.runtime = "50M" [resources.sources.front] url = "https://dev.funkwhale.audio/funkwhale/funkwhale/-/jobs/artifacts/1.4.0/download?job=build_front" - sha256 = "fbf0d25153dd16f9c9a70e6bb2b15238a091a9acb36fc1dc2e2766f761f2a17c" + sha256 = "d0429566bcc3fa395b9c54b16b939bbc86009c174929910de345db149d3e9d6d" in_subdir = true extract = true format = "zip" From 07a3bb7bcf707335771bdf7702052d9484a6c4a8 Mon Sep 17 00:00:00 2001 From: Thomas <51749973+Thovi98@users.noreply.github.com> Date: Wed, 13 Dec 2023 19:35:20 +0100 Subject: [PATCH 06/16] upgrade nginx --- conf/funkwhale_proxy.conf | 13 ++ conf/nginx.conf | 274 +++++++++++++++++++------------------- scripts/backup | 2 +- scripts/install | 1 + scripts/remove | 1 + scripts/restore | 2 +- scripts/upgrade | 1 + 7 files changed, 158 insertions(+), 136 deletions(-) create mode 100644 conf/funkwhale_proxy.conf diff --git a/conf/funkwhale_proxy.conf b/conf/funkwhale_proxy.conf new file mode 100644 index 0000000..1f091b4 --- /dev/null +++ b/conf/funkwhale_proxy.conf @@ -0,0 +1,13 @@ +# global proxy conf +proxy_set_header Host $host; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Proto $scheme; +proxy_set_header X-Forwarded-Host $host:$server_port; +proxy_set_header X-Forwarded-Port $server_port; +proxy_redirect off; + +# websocket support +proxy_http_version 1.1; +proxy_set_header Upgrade $http_upgrade; +proxy_set_header Connection $connection_upgrade; diff --git a/conf/nginx.conf b/conf/nginx.conf index 715112d..9224618 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,144 +1,150 @@ -root __INSTALL_DIR__/front/dist; -location /api/ { + # HSTS + add_header Strict-Transport-Security "max-age=31536000"; - # global proxy conf - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host:$server_port; - proxy_set_header X-Forwarded-Port $server_port; - proxy_redirect off; + # General configs + root ${FUNKWHALE_FRONTEND_PATH}; + client_max_body_size ${NGINX_MAX_BODY_SIZE}; + charset utf-8; - # websocket support - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; + # compression settings + gzip on; + gzip_comp_level 5; + gzip_min_length 256; + gzip_proxied any; + gzip_vary on; + gzip_types + application/javascript + application/vnd.geo+json + application/vnd.ms-fontobject + application/x-font-ttf + application/x-web-app-manifest+json + font/opentype + image/bmp + image/svg+xml + image/x-icon + text/cache-manifest + text/css + text/plain + text/vcard + text/vnd.rim.location.xloc + text/vtt + text/x-component + text/x-cross-domain-policy; + # end of compression settings - # this is needed if you have file import via upload enabled - client_max_body_size 100M; - proxy_pass http://127.0.0.1:__PORT__; -} + # headers + add_header Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'"; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header Service-Worker-Allowed "/"; -location / { - alias __INSTALL_DIR__/front/dist/; - expires 1d; - try_files $uri $uri/ /index.html; -} - -location /embed.html { - more_set_headers "Content-Security-Policy: connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:"; - more_set_headers "Referrer-Policy: strict-origin-when-cross-origin"; - - alias __INSTALL_DIR__/front/dist/embed.html; - expires 1d; -} - -location /federation/ { - - # global proxy conf - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host:$server_port; - proxy_set_header X-Forwarded-Port $server_port; - proxy_redirect off; - - # websocket support - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_pass http://127.0.0.1:__PORT__/federation/; -} - -# You can comment this if you do not plan to use the Subsonic API -location /rest/ { - - # global proxy conf - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host:$server_port; - proxy_set_header X-Forwarded-Port $server_port; - proxy_redirect off; - - # websocket support - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_pass http://127.0.0.1:__PORT__/api/subsonic/rest/; -} - -location /.well-known/ { - - # global proxy conf - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host:$server_port; - proxy_set_header X-Forwarded-Port $server_port; - proxy_redirect off; - - # websocket support - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_pass http://127.0.0.1:__PORT__; -} - -location /media/__sized__/ { - alias __DATA_DIR__/data/media/__sized__/; - more_set_headers "Access-Control-Allow-Origin: *"; -} - -location /media/attachments/ { - alias __DATA_DIR__/data/media/attachments/; - more_set_headers "Access-Control-Allow-Origin: *"; -} - -# This is an internal location that is used to serve -# media (uploaded) files once correct permission / authentication -# has been checked on API side. -# Comment the "NON-S3" commented lines and uncomment "S3" commented lines -# if you're storing media files in a S3 bucket. -location /_protected/media/ { - internal; - alias __DATA_DIR__/data/media/$1; # NON-S3 -# Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932. -# proxy_set_header Authorization ""; # S3 -# proxy_pass $1; # S3 - more_set_headers "Access-Control-Allow-Origin: *"; + location /api/ { + include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + # This is needed if you have file import via upload enabled. + client_max_body_size ${NGINX_MAX_BODY_SIZE}; + proxy_pass http://127.0.0.1:__PORT__; } -location /_protected/music/ { - # this is an internal location that is used to serve - # audio files once correct permission / authentication - # has been checked on API side - # Set this to the same value as your MUSIC_DIRECTORY_PATH setting - internal; - alias __DATA_DIR__/data/music/; - more_set_headers "Access-Control-Allow-Origin: *"; -} + location ~ ^/library/(albums|tracks|artists|playlists)/ { + include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + proxy_pass http://127.0.0.1:__PORT__; + } -# Allow direct access to /staticfiles -location /staticfiles/ { - alias __DATA_DIR__/data/static/; - more_set_headers "Access-Control-Allow-Origin: *"; -} + location /channels/ { + include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + proxy_pass http://127.0.0.1:__PORT__; + } -# Allow direct access to only specific subdirectories in /media -location /media/dynamic_preferences/ { - alias __DATA_DIR__/data/media/dynamic_preferences/; - more_set_headers "Access-Control-Allow-Origin: *"; -} + location ~ ^/@(vite-plugin-pwa|vite|id)/ { + include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + alias ${FUNKWHALE_FRONTEND_PATH}/; + try_files $uri $uri/ /index.html; + } -location /manifest.json { - return 302 /api/v1/instance/spa-manifest.json; -} + location /@ { + include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + proxy_pass http://127.0.0.1:__PORT__; + } + + location / { + expires 1d; + include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + alias ${FUNKWHALE_FRONTEND_PATH}/; + try_files $uri $uri/ /index.html; + } + + location ~ "/(front/)?embed.html" { + alias ${FUNKWHALE_FRONTEND_PATH}/embed.html; + add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:"; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + + expires 1d; + } + + location /federation/ { + include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + proxy_pass http://127.0.0.1:__PORT__; + } + + # You can comment this if you do not plan to use the Subsonic API. + location /rest/ { + include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + proxy_pass http://127.0.0.1:__PORT__/api/subsonic/rest/; + } + + location /.well-known/ { + include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + proxy_pass http://127.0.0.1:__PORT__; + } + + # Allow direct access to only specific subdirectories in /media + location /media/__sized__/ { + alias ${MEDIA_ROOT}/__sized__/; + add_header Access-Control-Allow-Origin '*'; + } + + # Allow direct access to only specific subdirectories in /media + location /media/attachments/ { + alias ${MEDIA_ROOT}/attachments/; + add_header Access-Control-Allow-Origin '*'; + } + + # Allow direct access to only specific subdirectories in /media + location /media/dynamic_preferences/ { + alias ${MEDIA_ROOT}/dynamic_preferences/; + add_header Access-Control-Allow-Origin '*'; + } + + # This is an internal location that is used to serve + # media (uploaded) files once correct permission / authentication + # has been checked on API side. + # Comment the "NON-S3" commented lines and uncomment "S3" commented lines + # if you're storing media files in a S3 bucket. + location ~ /_protected/media/(.+) { + internal; + alias ${MEDIA_ROOT}/$1; # NON-S3 + # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932. +# proxy_set_header Authorization ""; # S3 +# proxy_pass $1; # S3 + add_header Access-Control-Allow-Origin '*'; + } + + location /_protected/music/ { + # This is an internal location that is used to serve + # local music files once correct permission / authentication + # has been checked on API side. + # Set this to the same value as your MUSIC_DIRECTORY_PATH setting. + internal; + alias ${MUSIC_DIRECTORY_PATH}/; + add_header Access-Control-Allow-Origin '*'; + } + + location /manifest.json { + # If the reverse proxy is terminating SSL, nginx gets confused and redirects to http, hence the full URL + return 302 ${FUNKWHALE_PROTOCOL}://${FUNKWHALE_HOSTNAME}/api/v1/instance/spa-manifest.json; + } + + location /staticfiles/ { + alias ${STATIC_ROOT}/; + } \ No newline at end of file diff --git a/scripts/backup b/scripts/backup index 13fa6d1..ed8efd6 100644 --- a/scripts/backup +++ b/scripts/backup @@ -31,7 +31,7 @@ ynh_backup --src_path="$data_dir" --is_big # BACKUP THE NGINX CONFIGURATION #================================================= -ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf" +ynh_backup --src_path="/etc/nginx/conf.d/$domain.d" #================================================= # BACKUP FAIL2BAN CONFIGURATION diff --git a/scripts/install b/scripts/install index e850264..8390cc4 100644 --- a/scripts/install +++ b/scripts/install @@ -33,6 +33,7 @@ ynh_script_progression --message="Configuring NGINX web server..." --weight=1 # Create a dedicated NGINX config ynh_add_nginx_config +ynh_add_config --template="funkwhale_proxy.conf" --destination="/etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf" #================================================= # SPECIFIC SETUP diff --git a/scripts/remove b/scripts/remove index e2c549b..42e9981 100644 --- a/scripts/remove +++ b/scripts/remove @@ -57,6 +57,7 @@ ynh_script_progression --message="Removing NGINX web server configuration..." -- # Remove the dedicated NGINX config ynh_remove_nginx_config +ynh_secure_remove --file="/etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf" #================================================= # REMOVE LOGS diff --git a/scripts/restore b/scripts/restore index a92c9cd..af8f55a 100644 --- a/scripts/restore +++ b/scripts/restore @@ -39,7 +39,7 @@ chown -R $app:www-data "$data_dir/" #================================================= ynh_script_progression --message="Restoring the NGINX web server configuration..." --weight=1 -ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" +ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d" #================================================= # RESTORE THE POSTGRESQL DATABASE diff --git a/scripts/upgrade b/scripts/upgrade index cd7eb2d..d233229 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -50,6 +50,7 @@ ynh_script_progression --message="Upgrading NGINX web server configuration..." - # Create a dedicated NGINX config ynh_add_nginx_config +ynh_add_config --template="funkwhale_proxy.conf" --destination="/etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf" #================================================= # Assure correct permissions to $data_dir From bdd2baf3eec46d22dbea9a1d5c0fb5b42e624c3b Mon Sep 17 00:00:00 2001 From: Thomas <51749973+Thovi98@users.noreply.github.com> Date: Wed, 13 Dec 2023 19:51:14 +0100 Subject: [PATCH 07/16] fix nginx --- conf/nginx.conf | 50 ++++++++++++++++++++++++------------------------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index 9224618..1ef4c7b 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,10 +1,10 @@ # HSTS - add_header Strict-Transport-Security "max-age=31536000"; + more_set_headers Strict-Transport-Security "max-age=31536000"; # General configs - root ${FUNKWHALE_FRONTEND_PATH}; - client_max_body_size ${NGINX_MAX_BODY_SIZE}; + root __INSTALL_DIR__/front/dist; + client_max_body_size 100M; charset utf-8; # compression settings @@ -34,15 +34,15 @@ # end of compression settings # headers - add_header Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'"; - add_header Referrer-Policy "strict-origin-when-cross-origin"; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header Service-Worker-Allowed "/"; + more_set_headers Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'"; + more_set_headers Referrer-Policy "strict-origin-when-cross-origin"; + more_set_headers X-Frame-Options "SAMEORIGIN" always; + more_set_headers Service-Worker-Allowed "/"; location /api/ { include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; # This is needed if you have file import via upload enabled. - client_max_body_size ${NGINX_MAX_BODY_SIZE}; + client_max_body_size 100M; proxy_pass http://127.0.0.1:__PORT__; } @@ -58,7 +58,7 @@ location ~ ^/@(vite-plugin-pwa|vite|id)/ { include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; - alias ${FUNKWHALE_FRONTEND_PATH}/; + alias __INSTALL_DIR__/front/dist/; try_files $uri $uri/ /index.html; } @@ -70,14 +70,14 @@ location / { expires 1d; include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; - alias ${FUNKWHALE_FRONTEND_PATH}/; + alias __INSTALL_DIR__/front/dist/; try_files $uri $uri/ /index.html; } location ~ "/(front/)?embed.html" { - alias ${FUNKWHALE_FRONTEND_PATH}/embed.html; - add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:"; - add_header Referrer-Policy "strict-origin-when-cross-origin"; + alias __INSTALL_DIR__/front/dist/;embed.html; + more_set_headers Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:"; + more_set_headers Referrer-Policy "strict-origin-when-cross-origin"; expires 1d; } @@ -100,20 +100,20 @@ # Allow direct access to only specific subdirectories in /media location /media/__sized__/ { - alias ${MEDIA_ROOT}/__sized__/; - add_header Access-Control-Allow-Origin '*'; + alias __DATA_DIR__/data/media/__sized__/; + more_set_headers "Access-Control-Allow-Origin: *"; } # Allow direct access to only specific subdirectories in /media location /media/attachments/ { - alias ${MEDIA_ROOT}/attachments/; - add_header Access-Control-Allow-Origin '*'; + alias __DATA_DIR__/data/media/attachments/; + more_set_headers "Access-Control-Allow-Origin: *"; } # Allow direct access to only specific subdirectories in /media location /media/dynamic_preferences/ { - alias ${MEDIA_ROOT}/dynamic_preferences/; - add_header Access-Control-Allow-Origin '*'; + alias __DATA_DIR__/data/media/dynamic_preferences/; + more_set_headers "Access-Control-Allow-Origin: *"; } # This is an internal location that is used to serve @@ -123,11 +123,11 @@ # if you're storing media files in a S3 bucket. location ~ /_protected/media/(.+) { internal; - alias ${MEDIA_ROOT}/$1; # NON-S3 + alias __DATA_DIR__/data/media/$1; # NON-S3 # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932. # proxy_set_header Authorization ""; # S3 # proxy_pass $1; # S3 - add_header Access-Control-Allow-Origin '*'; + more_set_headers "Access-Control-Allow-Origin: *"; } location /_protected/music/ { @@ -136,15 +136,15 @@ # has been checked on API side. # Set this to the same value as your MUSIC_DIRECTORY_PATH setting. internal; - alias ${MUSIC_DIRECTORY_PATH}/; - add_header Access-Control-Allow-Origin '*'; + alias __DATA_DIR__/data/music/; + more_set_headers "Access-Control-Allow-Origin: *"; } location /manifest.json { # If the reverse proxy is terminating SSL, nginx gets confused and redirects to http, hence the full URL - return 302 ${FUNKWHALE_PROTOCOL}://${FUNKWHALE_HOSTNAME}/api/v1/instance/spa-manifest.json; + return 302 https://__DOMAIN__/api/v1/instance/spa-manifest.json; } location /staticfiles/ { - alias ${STATIC_ROOT}/; + alias __DATA_DIR__/data/static/; } \ No newline at end of file From 33da504a8125e8c0c593f9231ffde8281f0e8c09 Mon Sep 17 00:00:00 2001 From: Thomas <51749973+Thovi98@users.noreply.github.com> Date: Wed, 13 Dec 2023 19:58:39 +0100 Subject: [PATCH 08/16] fix nginx one more time --- conf/nginx.conf | 31 ++----------------------------- 1 file changed, 2 insertions(+), 29 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index 1ef4c7b..15ff97a 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -7,37 +7,10 @@ client_max_body_size 100M; charset utf-8; - # compression settings - gzip on; - gzip_comp_level 5; - gzip_min_length 256; - gzip_proxied any; - gzip_vary on; - gzip_types - application/javascript - application/vnd.geo+json - application/vnd.ms-fontobject - application/x-font-ttf - application/x-web-app-manifest+json - font/opentype - image/bmp - image/svg+xml - image/x-icon - text/cache-manifest - text/css - text/plain - text/vcard - text/vnd.rim.location.xloc - text/vtt - text/x-component - text/x-cross-domain-policy; - # end of compression settings - # headers more_set_headers Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'"; more_set_headers Referrer-Policy "strict-origin-when-cross-origin"; more_set_headers X-Frame-Options "SAMEORIGIN" always; - more_set_headers Service-Worker-Allowed "/"; location /api/ { include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; @@ -74,7 +47,7 @@ try_files $uri $uri/ /index.html; } - location ~ "/(front/)?embed.html" { + location ~ "/(front/)?embed.html/" { alias __INSTALL_DIR__/front/dist/;embed.html; more_set_headers Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:"; more_set_headers Referrer-Policy "strict-origin-when-cross-origin"; @@ -121,7 +94,7 @@ # has been checked on API side. # Comment the "NON-S3" commented lines and uncomment "S3" commented lines # if you're storing media files in a S3 bucket. - location ~ /_protected/media/(.+) { + location ~ /_protected/media/(.+)/ { internal; alias __DATA_DIR__/data/media/$1; # NON-S3 # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932. From e4599af321f20b7504b71024dd84991c882bb53a Mon Sep 17 00:00:00 2001 From: Thomas <51749973+Thovi98@users.noreply.github.com> Date: Wed, 13 Dec 2023 20:03:00 +0100 Subject: [PATCH 09/16] fix nginx --- conf/nginx.conf | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index 15ff97a..c34a6a9 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -7,11 +7,6 @@ client_max_body_size 100M; charset utf-8; - # headers - more_set_headers Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'"; - more_set_headers Referrer-Policy "strict-origin-when-cross-origin"; - more_set_headers X-Frame-Options "SAMEORIGIN" always; - location /api/ { include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; # This is needed if you have file import via upload enabled. @@ -47,7 +42,7 @@ try_files $uri $uri/ /index.html; } - location ~ "/(front/)?embed.html/" { + location ~ "/(front/)?embed.html" { alias __INSTALL_DIR__/front/dist/;embed.html; more_set_headers Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:"; more_set_headers Referrer-Policy "strict-origin-when-cross-origin"; From 3af39dfc9557dc991faf809cdd2eb96b910b636d Mon Sep 17 00:00:00 2001 From: Thomas <51749973+Thovi98@users.noreply.github.com> Date: Wed, 13 Dec 2023 20:13:15 +0100 Subject: [PATCH 10/16] fix nginx --- scripts/install | 2 +- scripts/remove | 2 +- scripts/upgrade | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/install b/scripts/install index 8390cc4..c7f7b25 100644 --- a/scripts/install +++ b/scripts/install @@ -32,8 +32,8 @@ mkdir -p $install_dir/config ynh_script_progression --message="Configuring NGINX web server..." --weight=1 # Create a dedicated NGINX config -ynh_add_nginx_config ynh_add_config --template="funkwhale_proxy.conf" --destination="/etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf" +ynh_add_nginx_config #================================================= # SPECIFIC SETUP diff --git a/scripts/remove b/scripts/remove index 42e9981..104fb0f 100644 --- a/scripts/remove +++ b/scripts/remove @@ -56,8 +56,8 @@ ynh_secure_remove --file="/etc/systemd/system/$app.target" ynh_script_progression --message="Removing NGINX web server configuration..." --weight=1 # Remove the dedicated NGINX config -ynh_remove_nginx_config ynh_secure_remove --file="/etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf" +ynh_remove_nginx_config #================================================= # REMOVE LOGS diff --git a/scripts/upgrade b/scripts/upgrade index d233229..2ff9135 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -49,8 +49,8 @@ fi ynh_script_progression --message="Upgrading NGINX web server configuration..." --weight=1 # Create a dedicated NGINX config -ynh_add_nginx_config ynh_add_config --template="funkwhale_proxy.conf" --destination="/etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf" +ynh_add_nginx_config #================================================= # Assure correct permissions to $data_dir From cdc2bc3f877fb76b94619b2e9bad7c4a2369e652 Mon Sep 17 00:00:00 2001 From: Thomas <51749973+Thovi98@users.noreply.github.com> Date: Wed, 13 Dec 2023 20:16:54 +0100 Subject: [PATCH 11/16] fix more_set_headers --- conf/nginx.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index c34a6a9..574df61 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -44,8 +44,8 @@ location ~ "/(front/)?embed.html" { alias __INSTALL_DIR__/front/dist/;embed.html; - more_set_headers Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:"; - more_set_headers Referrer-Policy "strict-origin-when-cross-origin"; + more_set_headers "Content-Security-Policy: connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:"; + more_set_headers "Referrer-Policy: strict-origin-when-cross-origin"; expires 1d; } From 70be271df9c22be86507bf0d4ab0cef22d5d23d4 Mon Sep 17 00:00:00 2001 From: Thomas <51749973+Thovi98@users.noreply.github.com> Date: Wed, 13 Dec 2023 20:20:03 +0100 Subject: [PATCH 12/16] fix __DOMAIN__ variable --- conf/nginx.conf | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index 574df61..a44dcb7 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -8,36 +8,36 @@ charset utf-8; location /api/ { - include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + include /etc/nginx/conf.d/__DOMAIN__.d/funkwhale_proxy.conf; # This is needed if you have file import via upload enabled. client_max_body_size 100M; proxy_pass http://127.0.0.1:__PORT__; } location ~ ^/library/(albums|tracks|artists|playlists)/ { - include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + include /etc/nginx/conf.d/__DOMAIN__.d/funkwhale_proxy.conf; proxy_pass http://127.0.0.1:__PORT__; } location /channels/ { - include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + include /etc/nginx/conf.d/__DOMAIN__.d/funkwhale_proxy.conf; proxy_pass http://127.0.0.1:__PORT__; } location ~ ^/@(vite-plugin-pwa|vite|id)/ { - include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + include /etc/nginx/conf.d/__DOMAIN__.d/funkwhale_proxy.conf; alias __INSTALL_DIR__/front/dist/; try_files $uri $uri/ /index.html; } location /@ { - include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + include /etc/nginx/conf.d/__DOMAIN__.d/funkwhale_proxy.conf; proxy_pass http://127.0.0.1:__PORT__; } location / { expires 1d; - include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + include /etc/nginx/conf.d/__DOMAIN__.d/funkwhale_proxy.conf; alias __INSTALL_DIR__/front/dist/; try_files $uri $uri/ /index.html; } @@ -51,18 +51,18 @@ } location /federation/ { - include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + include /etc/nginx/conf.d/__DOMAIN__.d/funkwhale_proxy.conf; proxy_pass http://127.0.0.1:__PORT__; } # You can comment this if you do not plan to use the Subsonic API. location /rest/ { - include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + include /etc/nginx/conf.d/__DOMAIN__.d/funkwhale_proxy.conf; proxy_pass http://127.0.0.1:__PORT__/api/subsonic/rest/; } location /.well-known/ { - include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; + include /etc/nginx/conf.d/__DOMAIN__.d/funkwhale_proxy.conf; proxy_pass http://127.0.0.1:__PORT__; } From 9a10c36251eb63378e9fa15581f97de9cd0fb30b Mon Sep 17 00:00:00 2001 From: Thomas <51749973+Thovi98@users.noreply.github.com> Date: Wed, 13 Dec 2023 20:23:10 +0100 Subject: [PATCH 13/16] fix more_set_headers --- conf/nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index a44dcb7..13f07c6 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,6 +1,6 @@ # HSTS - more_set_headers Strict-Transport-Security "max-age=31536000"; + more_set_headers "Strict-Transport-Security: max-age=31536000"; # General configs root __INSTALL_DIR__/front/dist; From 66ef729d9bfbe259b4453942d6a1411b098f7d7d Mon Sep 17 00:00:00 2001 From: Thomas <51749973+Thovi98@users.noreply.github.com> Date: Wed, 13 Dec 2023 20:27:59 +0100 Subject: [PATCH 14/16] fix embed.html --- conf/nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index 13f07c6..e177f60 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -43,7 +43,7 @@ } location ~ "/(front/)?embed.html" { - alias __INSTALL_DIR__/front/dist/;embed.html; + alias __INSTALL_DIR__/front/dist/embed.html; more_set_headers "Content-Security-Policy: connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:"; more_set_headers "Referrer-Policy: strict-origin-when-cross-origin"; From 48e1012e663539f6b1c7572da5d891ba8e7703a6 Mon Sep 17 00:00:00 2001 From: Thomas <51749973+Thovi98@users.noreply.github.com> Date: Wed, 13 Dec 2023 20:36:09 +0100 Subject: [PATCH 15/16] Add tests for ugprade from 1.3.4 --- tests.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/tests.toml b/tests.toml index 8496494..ed0afbc 100644 --- a/tests.toml +++ b/tests.toml @@ -5,4 +5,5 @@ test_format = 1.0 test_upgrade_from.9058c1b.name = "1.3.1" test_upgrade_from.fefe575.name = "1.3.2" test_upgrade_from.13391bf.name = "1.3.3" + test_upgrade_from.006a760.name = "1.3.4" From d3e41f949d4a60aaccd7456c0edea5bed4498450 Mon Sep 17 00:00:00 2001 From: Thomas <51749973+Thovi98@users.noreply.github.com> Date: Wed, 13 Dec 2023 21:05:56 +0100 Subject: [PATCH 16/16] revert update which leads to track not available when uploaded (not in_place) --- conf/nginx.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index e177f60..3f2f2d0 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -89,7 +89,7 @@ # has been checked on API side. # Comment the "NON-S3" commented lines and uncomment "S3" commented lines # if you're storing media files in a S3 bucket. - location ~ /_protected/media/(.+)/ { + location /_protected/media/ { internal; alias __DATA_DIR__/data/media/$1; # NON-S3 # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932. @@ -115,4 +115,4 @@ location /staticfiles/ { alias __DATA_DIR__/data/static/; - } \ No newline at end of file + }