upstream funkwhale-api { # depending on your setup, you may want to update this server ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT}; } # Required for websocket support. map $http_upgrade $connection_upgrade { default upgrade; '' close; } server { listen 80; listen [::]:80; # update this to match your instance name server_name ${FUNKWHALE_HOSTNAME}; # useful for Let's Encrypt location /.well-known/acme-challenge/ { allow all; } location / { return 301 https://$host$request_uri; } } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name ${FUNKWHALE_HOSTNAME}; # TLS # Feel free to use your own configuration for SSL here or simply remove the # lines and move the configuration to the previous server block if you # don't want to run funkwhale behind https (this is not recommended) # have a look here for let's encrypt configuration: # https://certbot.eff.org/all-instructions/#debian-9-stretch-nginx ssl_protocols TLSv1.2; ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_certificate /etc/letsencrypt/live/${FUNKWHALE_HOSTNAME}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/${FUNKWHALE_HOSTNAME}/privkey.pem; # HSTS add_header Strict-Transport-Security "max-age=31536000"; # General configs root ${FUNKWHALE_FRONTEND_PATH}; client_max_body_size ${NGINX_MAX_BODY_SIZE}; charset utf-8; # compression settings gzip on; gzip_comp_level 5; gzip_min_length 256; gzip_proxied any; gzip_vary on; gzip_types application/javascript application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; # end of compression settings # headers add_header Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'"; add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header X-Frame-Options "SAMEORIGIN" always; add_header Service-Worker-Allowed "/"; location /api/ { include /etc/nginx/funkwhale_proxy.conf; # This is needed if you have file import via upload enabled. client_max_body_size ${NGINX_MAX_BODY_SIZE}; proxy_pass http://funkwhale-api; } location ~ ^/library/(albums|tracks|artists|playlists)/ { include /etc/nginx/funkwhale_proxy.conf; proxy_pass http://funkwhale-api; } location /channels/ { include /etc/nginx/funkwhale_proxy.conf; proxy_pass http://funkwhale-api; } location ~ ^/@(vite-plugin-pwa|vite|id)/ { include /etc/nginx/funkwhale_proxy.conf; alias ${FUNKWHALE_FRONTEND_PATH}/; try_files $uri $uri/ /index.html; } location /@ { include /etc/nginx/funkwhale_proxy.conf; proxy_pass http://funkwhale-api; } location / { expires 1d; include /etc/nginx/funkwhale_proxy.conf; alias ${FUNKWHALE_FRONTEND_PATH}/; try_files $uri $uri/ /index.html; } location ~ "/(front/)?embed.html" { alias ${FUNKWHALE_FRONTEND_PATH}/embed.html; add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:"; add_header Referrer-Policy "strict-origin-when-cross-origin"; expires 1d; } location /federation/ { include /etc/nginx/funkwhale_proxy.conf; proxy_pass http://funkwhale-api; } # You can comment this if you do not plan to use the Subsonic API. location /rest/ { include /etc/nginx/funkwhale_proxy.conf; proxy_pass http://funkwhale-api/api/subsonic/rest/; } location /.well-known/ { include /etc/nginx/funkwhale_proxy.conf; proxy_pass http://funkwhale-api; } # Allow direct access to only specific subdirectories in /media location /media/__sized__/ { alias ${MEDIA_ROOT}/__sized__/; add_header Access-Control-Allow-Origin '*'; } # Allow direct access to only specific subdirectories in /media location /media/attachments/ { alias ${MEDIA_ROOT}/attachments/; add_header Access-Control-Allow-Origin '*'; } # Allow direct access to only specific subdirectories in /media location /media/dynamic_preferences/ { alias ${MEDIA_ROOT}/dynamic_preferences/; add_header Access-Control-Allow-Origin '*'; } # This is an internal location that is used to serve # media (uploaded) files once correct permission / authentication # has been checked on API side. # Comment the "NON-S3" commented lines and uncomment "S3" commented lines # if you're storing media files in a S3 bucket. location ~ /_protected/media/(.+) { internal; alias ${MEDIA_ROOT}/$1; # NON-S3 # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932. # proxy_set_header Authorization ""; # S3 # proxy_pass $1; # S3 add_header Access-Control-Allow-Origin '*'; } location /_protected/music/ { # This is an internal location that is used to serve # local music files once correct permission / authentication # has been checked on API side. # Set this to the same value as your MUSIC_DIRECTORY_PATH setting. internal; alias ${MUSIC_DIRECTORY_PATH}/; add_header Access-Control-Allow-Origin '*'; } location /manifest.json { # If the reverse proxy is terminating SSL, nginx gets confused and redirects to http, hence the full URL return 302 ${FUNKWHALE_PROTOCOL}://${FUNKWHALE_HOSTNAME}/api/v1/instance/spa-manifest.json; } location /staticfiles/ { alias ${STATIC_ROOT}/; } }