user nginx; worker_processes 1; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; #tcp_nopush on; keepalive_timeout 65; #gzip on; map $http_upgrade $connection_upgrade { default upgrade; '' close; } upstream funkwhale-api { server ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT}; } upstream funkwhale-front { server ${FUNKWHALE_FRONT_IP}:${FUNKWHALE_FRONT_PORT}; } server { listen 80; charset utf-8; client_max_body_size 100M; include /etc/nginx/funkwhale_proxy.conf; # compression settings gzip on; gzip_comp_level 5; gzip_min_length 256; gzip_proxied any; gzip_vary on; gzip_types application/javascript application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; add_header Content-Security-Policy "connect-src https: wss: http: ws: 'self' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:"; add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header X-Frame-Options "SAMEORIGIN" always; location /front/ { add_header Content-Security-Policy "connect-src https: wss: http: ws: 'self' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:"; add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header Service-Worker-Allowed "/"; # uncomment the following line and comment the proxy-pass one # to use the frontend build with "yarn build" #alias /frontend/dist/; proxy_pass http://funkwhale-front/front/; } location /front/embed.html { add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:"; add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header X-Frame-Options "" always; proxy_pass http://funkwhale-front/front/embed.html; } location / { include /etc/nginx/funkwhale_proxy.conf; # this is needed if you have file import via upload enabled client_max_body_size ${NGINX_MAX_BODY_SIZE}; proxy_pass http://funkwhale-api/; } # You can comment this if you do not plan to use the Subsonic API location /rest/ { include /etc/nginx/funkwhale_proxy.conf; proxy_pass http://funkwhale-api/api/subsonic/rest/; } location /media/ { alias /protected/media/; } # this is an internal location that is used to serve # audio files once correct permission / authentication # has been checked on API side location /_protected/media { internal; alias /protected/media; } # Comment the previous location and uncomment this one if you're storing # media files in a S3 bucket # location ~ /_protected/media/(.+) { # internal; # resolver 127.0.0.11; # # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932 # proxy_set_header Authorization ""; # proxy_set_header X-Remote-URL "$1"; # proxy_pass $1; # } location /_protected/music { # this is an internal location that is used to serve # audio files once correct permission / authentication # has been checked on API side # Set this to the same value as your MUSIC_DIRECTORY_PATH setting internal; alias /music; } location /staticfiles/ { alias /staticfiles/; } } }