diff --git a/conf/nginx.conf b/conf/nginx.conf index 9224618..1ef4c7b 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,10 +1,10 @@ # HSTS - add_header Strict-Transport-Security "max-age=31536000"; + more_set_headers Strict-Transport-Security "max-age=31536000"; # General configs - root ${FUNKWHALE_FRONTEND_PATH}; - client_max_body_size ${NGINX_MAX_BODY_SIZE}; + root __INSTALL_DIR__/front/dist; + client_max_body_size 100M; charset utf-8; # compression settings @@ -34,15 +34,15 @@ # end of compression settings # headers - add_header Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'"; - add_header Referrer-Policy "strict-origin-when-cross-origin"; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header Service-Worker-Allowed "/"; + more_set_headers Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'"; + more_set_headers Referrer-Policy "strict-origin-when-cross-origin"; + more_set_headers X-Frame-Options "SAMEORIGIN" always; + more_set_headers Service-Worker-Allowed "/"; location /api/ { include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; # This is needed if you have file import via upload enabled. - client_max_body_size ${NGINX_MAX_BODY_SIZE}; + client_max_body_size 100M; proxy_pass http://127.0.0.1:__PORT__; } @@ -58,7 +58,7 @@ location ~ ^/@(vite-plugin-pwa|vite|id)/ { include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; - alias ${FUNKWHALE_FRONTEND_PATH}/; + alias __INSTALL_DIR__/front/dist/; try_files $uri $uri/ /index.html; } @@ -70,14 +70,14 @@ location / { expires 1d; include /etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf; - alias ${FUNKWHALE_FRONTEND_PATH}/; + alias __INSTALL_DIR__/front/dist/; try_files $uri $uri/ /index.html; } location ~ "/(front/)?embed.html" { - alias ${FUNKWHALE_FRONTEND_PATH}/embed.html; - add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:"; - add_header Referrer-Policy "strict-origin-when-cross-origin"; + alias __INSTALL_DIR__/front/dist/;embed.html; + more_set_headers Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:"; + more_set_headers Referrer-Policy "strict-origin-when-cross-origin"; expires 1d; } @@ -100,20 +100,20 @@ # Allow direct access to only specific subdirectories in /media location /media/__sized__/ { - alias ${MEDIA_ROOT}/__sized__/; - add_header Access-Control-Allow-Origin '*'; + alias __DATA_DIR__/data/media/__sized__/; + more_set_headers "Access-Control-Allow-Origin: *"; } # Allow direct access to only specific subdirectories in /media location /media/attachments/ { - alias ${MEDIA_ROOT}/attachments/; - add_header Access-Control-Allow-Origin '*'; + alias __DATA_DIR__/data/media/attachments/; + more_set_headers "Access-Control-Allow-Origin: *"; } # Allow direct access to only specific subdirectories in /media location /media/dynamic_preferences/ { - alias ${MEDIA_ROOT}/dynamic_preferences/; - add_header Access-Control-Allow-Origin '*'; + alias __DATA_DIR__/data/media/dynamic_preferences/; + more_set_headers "Access-Control-Allow-Origin: *"; } # This is an internal location that is used to serve @@ -123,11 +123,11 @@ # if you're storing media files in a S3 bucket. location ~ /_protected/media/(.+) { internal; - alias ${MEDIA_ROOT}/$1; # NON-S3 + alias __DATA_DIR__/data/media/$1; # NON-S3 # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932. # proxy_set_header Authorization ""; # S3 # proxy_pass $1; # S3 - add_header Access-Control-Allow-Origin '*'; + more_set_headers "Access-Control-Allow-Origin: *"; } location /_protected/music/ { @@ -136,15 +136,15 @@ # has been checked on API side. # Set this to the same value as your MUSIC_DIRECTORY_PATH setting. internal; - alias ${MUSIC_DIRECTORY_PATH}/; - add_header Access-Control-Allow-Origin '*'; + alias __DATA_DIR__/data/music/; + more_set_headers "Access-Control-Allow-Origin: *"; } location /manifest.json { # If the reverse proxy is terminating SSL, nginx gets confused and redirects to http, hence the full URL - return 302 ${FUNKWHALE_PROTOCOL}://${FUNKWHALE_HOSTNAME}/api/v1/instance/spa-manifest.json; + return 302 https://__DOMAIN__/api/v1/instance/spa-manifest.json; } location /staticfiles/ { - alias ${STATIC_ROOT}/; + alias __DATA_DIR__/data/static/; } \ No newline at end of file