From 309b41d98f1e68c3ccb31f7c75f99f39b1d4e04b Mon Sep 17 00:00:00 2001
From: Thomas <51749973+Thovi98@users.noreply.github.com>
Date: Sat, 3 Jun 2023 21:25:40 +0200
Subject: [PATCH 1/2] adapt nginx.conf
---
 conf/nginx.conf | 71 +++++++++++++++++++++----------------------------
 1 file changed, 31 insertions(+), 40 deletions(-)
diff --git a/conf/nginx.conf b/conf/nginx.conf
index e01ed0f..6b33ec6 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -1,6 +1,6 @@
-root __INSTALL_DIR__/front/dist;
+root __INSTALL_DIR__/front;
-location / {
+location /api/ {
 # global proxy conf
 proxy_set_header Host $host;
@@ -18,29 +18,21 @@ location / {
 # this is needed if you have file import via upload enabled
 client_max_body_size 100M;
- proxy_pass http://127.0.0.1:__PORT__/;
+ proxy_pass http://127.0.0.1:__PORT__;
 }
-location /front/ {
- more_set_headers "Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
- more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
- more_set_headers "Service-Worker-Allowed: /";
- more_set_headers "X-Frame-Options: SAMEORIGIN";
- alias __INSTALL_DIR__/front/dist/;
- expires 30d;
- more_set_headers "Pragma: public";
- more_set_headers "Cache-Control: public, must-revalidate, proxy-revalidate";
+location / {
+ alias __INSTALL_DIR__/front/;
+ expires 1d;
+ try_files $uri $uri/ /index.html;
 }
-location /front/embed.html {
- more_set_headers "Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
- more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
+location /embed.html {
+ add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
- more_set_headers "X-Frame-Options: ALLOW";
- alias __INSTALL_DIR__/front/dist/embed.html;
- expires 30d;
- more_set_headers "Pragma: public";
- more_set_headers "Cache-Control: public, must-revalidate, proxy-revalidate";
+ alias __INSTALL_DIR__/front/embed.html;
+ expires 1d;
 }
 location /federation/ {
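Review bot: The new `location /` block serves the SPA with none of the response headers the removed `/front/` block set (`Content-Security-Policy`, `X-Frame-Options: SAMEORIGIN`, `Referrer-Policy`), so unless the including server block adds them elsewhere, the main UI loses its script restrictions and its framing protection. I would carry them over, e.g. `more_set_headers "X-Frame-Options: SAMEORIGIN";` and `more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";`, plus a CSP sized to what the new frontend build actually needs. In `location /embed.html` the policy now allows `'unsafe-inline'`, `'unsafe-eval'` and `unpkg.com` in `script-src`, which gives up most of the script-injection protection the old `script-src 'self'` provided; if the embed player requires these, a comment saying why would help the next reviewer. The switch from `more_set_headers` to `add_header` also changes behaviour: `add_header` is skipped on error responses unless `always` is given, and any `add_header` inside a location stops inheritance of `add_header` lines from outer levels.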
@@ -98,33 +90,32 @@ location /.well-known/ {
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection $connection_upgrade;
- proxy_pass http://127.0.0.1:__PORT__/.well-known/;
+ proxy_pass http://127.0.0.1:__PORT__;
 }
 location /media/__sized__/ {
 alias __DATA_DIR__/data/media/__sized__/;
+ add_header Acces-Control-Allow-Origin '*';
 }
 location /media/attachments/ {
 alias __DATA_DIR__/data/media/attachments/;
+ add_header Access-Control-Allow-Origin '*';
 }
-location /_protected/media/ {
- # this is an internal location that is used to serve
- # audio files once correct permission / authentication
- # has been checked on API side
- internal;
- alias __DATA_DIR__/data/media/;
-}
-
-# Comment the previous location and uncomment this one if you're storing
-# media files in a S3 bucket
-# location ~ /_protected/media/(.+) {
-# internal;
-# # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
-# proxy_set_header Authorization "";
-# proxy_pass $1;
-# }
+ # This is an internal location that is used to serve
+ # media (uploaded) files once correct permission / authentication
+ # has been checked on API side.
+ # Comment the "NON-S3" commented lines and uncomment "S3" commented lines
+ # if you're storing media files in a S3 bucket.
+ #location ~ /_protected/media/(.+) {
+ # internal;
+ # alias ${MEDIA_ROOT}/$1; # NON-S3
+ # # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932.
+# proxy_set_header Authorization ""; # S3
+# proxy_pass $1; # S3
+ # add_header Access-Control-Allow-Origin '*';
+ #}
 location /_protected/music/ {
 # this is an internal location that is used to serve
@@ -133,9 +124,9 @@ location /_protected/music/ {
 # Set this to the same value as your MUSIC_DIRECTORY_PATH setting
 internal;
 alias __DATA_DIR__/data/music/;
+ add_header Access-Control-Allow-Origin '*';
 }
-location /staticfiles/ {
- # django static files
- alias __DATA_DIR__/data/static/;
+location /manifest.json {
+ return 302 /api/v1/instance/spa-manifest.json;
 }
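Review bot: After this hunk there is no active `/_protected/media/` location: the replacement block is entirely commented out, and its alias uses `${MEDIA_ROOT}`, a placeholder style that differs from the `__DATA_DIR__` tokens used everywhere else in this file. The comments say the API hands off to this internal location once permissions are checked, so those redirects would presumably fall through to `location /` instead of reaching the media files. I would keep an active `location ~ /_protected/media/(.+) {` block containing `internal;` and `alias __DATA_DIR__/data/media/$1;`. Separately, the header added to `/media/__sized__/` is misspelled (`Acces-Control-Allow-Origin`), so browsers will ignore it; it should read `add_header Access-Control-Allow-Origin '*';`. The same wildcard origin is added to the internal `/_protected/music/` location in the next hunk, and a comment there on why permission-checked audio may be read cross-origin would be worth having.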
From 0171ac1fe909bf522318f20e356575b6f6e7faa4 Mon Sep 17 00:00:00 2001
From: Thomas <51749973+Thovi98@users.noreply.github.com>
Date: Sat, 3 Jun 2023 22:19:41 +0200
Subject: [PATCH 2/2] fix nginx
---
 conf/env.prod | 1 -
 conf/nginx.conf | 6 +++---
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/conf/env.prod b/conf/env.prod
index 17cdd4d..71a56f8 100644
--- a/conf/env.prod
+++ b/conf/env.prod
@@ -159,7 +159,6 @@ LDAP_ROOT_DN=ou=users,dc=yunohost,dc=org
 LDAP_USER_ATTR_MAP=username:uid
 FUNKWHALE_FRONTEND_PATH=__INSTALL_DIR__/front/dist
-FUNKWHALE_SPA_HTML_ROOT=__INSTALL_DIR__/front/dist/index.html
 # Nginx related configuration
 NGINX_MAX_BODY_SIZE=100M
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 6b33ec6..b2a1dc8 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -1,4 +1,4 @@
-root __INSTALL_DIR__/front;
+root __INSTALL_DIR__/front/dist;
 location /api/ {
@@ -22,7 +22,7 @@ location /api/ {
 }
 location / {
- alias __INSTALL_DIR__/front/;
+ alias __INSTALL_DIR__/front/dist/;
 expires 1d;
 try_files $uri $uri/ /index.html;
 }
@@ -31,7 +31,7 @@ location /embed.html {
 add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
 add_header Referrer-Policy "strict-origin-when-cross-origin";
- alias __INSTALL_DIR__/front/embed.html;
+ alias __INSTALL_DIR__/front/dist/embed.html;
 expires 1d;
 }