diff --git a/changes/changelog.d/932.bugfix b/changes/changelog.d/932.bugfix new file mode 100644 index 000000000..76b7c40f4 --- /dev/null +++ b/changes/changelog.d/932.bugfix @@ -0,0 +1 @@ +Updated docs to ensure streaming works when using Minio/S3 and DSub (#932) diff --git a/changes/notes.rst b/changes/notes.rst index 4a9d1eddb..847764941 100644 --- a/changes/notes.rst +++ b/changes/notes.rst @@ -216,3 +216,15 @@ is applied to the corresponding user account. By default, anonymous requests get You can disable the rate-limiting feature by adding `THROTTLING_ENABLED=false` to your ``.env`` file and restarting the services. If you are using the Funkwhale API in your project or app and want to know more about the limits, please consult https://docs.funkwhale.audio/swagger/. + +Broken audio streaming when using S3/Minio and DSub [manual action required] +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Some Subsonic clients, such as DSub, are sending an Authorization headers which was forwarded +to the S3 storage when streaming, causing some issues. If you are using S3 or a compatible storage +such as Minio, please add the following in your nginx ``~ /_protected/media/(.+)`` location:: + + # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932 + proxy_set_header Authorization ""; + +And reload your nginx process. diff --git a/deploy/docker.nginx.template b/deploy/docker.nginx.template index d3a7fc9a6..ced42201a 100644 --- a/deploy/docker.nginx.template +++ b/deploy/docker.nginx.template @@ -91,6 +91,8 @@ server { # media files in a S3 bucket # location ~ /_protected/media/(.+) { # internal; + # # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932 + # proxy_set_header Authorization ""; # proxy_pass $1; # } diff --git a/deploy/nginx.template b/deploy/nginx.template index 1dc6de6da..32c9254e2 100644 --- a/deploy/nginx.template +++ b/deploy/nginx.template @@ -136,6 +136,8 @@ server { # media files in a S3 bucket # location ~ /_protected/media/(.+) { # internal; + # # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932 + # proxy_set_header Authorization ""; # proxy_pass $1; # } diff --git a/docker/nginx/conf.dev b/docker/nginx/conf.dev index 95560b6d8..1807dc088 100644 --- a/docker/nginx/conf.dev +++ b/docker/nginx/conf.dev @@ -124,8 +124,10 @@ http { # location ~ /_protected/media/(.+) { # internal; # resolver 127.0.0.11; + # # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932 + # proxy_set_header Authorization ""; + # proxy_set_header X-Remote-URL "$1"; # proxy_pass $1; - # add_header X-Remote-URL "$1"; # } location /_protected/music { diff --git a/docs/admin/external-storages.rst b/docs/admin/external-storages.rst index 45fed68ab..a986351e7 100644 --- a/docs/admin/external-storages.rst +++ b/docs/admin/external-storages.rst @@ -42,6 +42,8 @@ Replace the ``location /_protected/media`` block with the following:: location ~ /_protected/media/(.+) { internal; + # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932 + proxy_set_header Authorization ""; proxy_pass $1; } @@ -77,9 +79,9 @@ This URL is actually be visible by the client, but contains a signature valid on no one can reuse this URL or share it publicly to distribute unauthorized content. .. note:: - + If you are using Amazon S3, you will need to set your ``AWS_S3_REGION_NAME`` in the ``.env`` file to - use this feature. + use this feature. .. note:: @@ -142,9 +144,10 @@ in your ``funkwhale.template`` under the ``location ~/_protected/media/(.+)`` se .. code-block:: shell location ~ /_protected/media/(.+) { - resolver 1.1.1.1; - internal; - proxy_pass $1; + resolver 1.1.1.1; + internal; + proxy_set_header Authorization ""; + proxy_pass $1; } No Images or Media Loading