Merge pull request #226 from YunoHost-Apps/fix_nginx

Fix nginx
2024-09-03 18:36:24 +02:00 · 2023-06-03 22:20:00 +02:00 · 2023-06-03 22:20:00 +02:00 · fe71a2dd50
commit fe71a2dd50
parent 815fd032cd 0171ac1fe9
2 changed files with 28 additions and 38 deletions
--- a/conf/env.prod
+++ b/conf/env.prod
@ -159,7 +159,6 @@ LDAP_ROOT_DN=ou=users,dc=yunohost,dc=org
 LDAP_USER_ATTR_MAP=username:uid

 FUNKWHALE_FRONTEND_PATH=__INSTALL_DIR__/front/dist
-FUNKWHALE_SPA_HTML_ROOT=__INSTALL_DIR__/front/dist/index.html

 # Nginx related configuration
 NGINX_MAX_BODY_SIZE=100M
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@ -1,6 +1,6 @@
 root __INSTALL_DIR__/front/dist;

-location / {
+location /api/ {

  # global proxy conf
  proxy_set_header Host $host;
@ -18,29 +18,21 @@ location / {

  # this is needed if you have file import via upload enabled
  client_max_body_size 100M;
-  proxy_pass   http://127.0.0.1:__PORT__/;
+  proxy_pass   http://127.0.0.1:__PORT__;
 }

-location /front/ {
-  more_set_headers "Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
-  more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
-  more_set_headers "Service-Worker-Allowed: /";
-  more_set_headers "X-Frame-Options: SAMEORIGIN";
+location / {
  alias __INSTALL_DIR__/front/dist/;
-  expires 30d;
-  more_set_headers "Pragma: public";
-  more_set_headers "Cache-Control: public, must-revalidate, proxy-revalidate";
+  expires 1d;
+  try_files $uri $uri/  /index.html;
 }

-location /front/embed.html {
-  more_set_headers "Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
-  more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
+location /embed.html {
+  add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
+  add_header Referrer-Policy "strict-origin-when-cross-origin";

-  more_set_headers "X-Frame-Options: ALLOW";
  alias __INSTALL_DIR__/front/dist/embed.html;
-  expires 30d;
-  more_set_headers "Pragma: public";
-  more_set_headers "Cache-Control: public, must-revalidate, proxy-revalidate";
+  expires 1d;
 }

 location /federation/ {
@ -98,33 +90,32 @@ location /.well-known/ {
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $connection_upgrade;

-  proxy_pass   http://127.0.0.1:__PORT__/.well-known/;
+  proxy_pass   http://127.0.0.1:__PORT__;
 }

 location /media/__sized__/ {
  alias __DATA_DIR__/data/media/__sized__/;
+  add_header Acces-Control-Allow-Origin '*';
 }

 location /media/attachments/ {
  alias __DATA_DIR__/data/media/attachments/;
+  add_header Access-Control-Allow-Origin '*';
 }

-location /_protected/media/ {
-  # this is an internal location that is used to serve
-  # audio files once correct permission / authentication
-  # has been checked on API side
-  internal;
-  alias   __DATA_DIR__/data/media/;
-}
-
-# Comment the previous location and uncomment this one if you're storing
-# media files in a S3 bucket
-# location ~ /_protected/media/(.+) {
-#   internal;
-#   # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
-#   proxy_set_header Authorization "";
-#   proxy_pass $1;
-# }
+    # This is an internal location that is used to serve
+    # media (uploaded) files once correct permission / authentication
+    # has been checked on API side.
+    # Comment the "NON-S3" commented lines and uncomment "S3" commented lines
+    # if you're storing media files in a S3 bucket.
+    #location ~ /_protected/media/(.+) {
+    #    internal;
+    #    alias   ${MEDIA_ROOT}/$1;                                           # NON-S3
+    #    # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932.
+#       proxy_set_header Authorization "";                                  # S3
+#       proxy_pass $1;                                                      # S3
+    #    add_header Access-Control-Allow-Origin '*';
+    #}

 location /_protected/music/ {
  # this is an internal location that is used to serve
@ -133,9 +124,9 @@ location /_protected/music/ {
  # Set this to the same value as your MUSIC_DIRECTORY_PATH setting
  internal;
  alias   __DATA_DIR__/data/music/;
+  add_header Access-Control-Allow-Origin '*';
 }

-location /staticfiles/ {
-  # django static files
-  alias __DATA_DIR__/data/static/;
+location /manifest.json {
+  return 302 /api/v1/instance/spa-manifest.json;
 }