funkwhale/docker/nginx/conf.dev

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    upstream funkwhale-api {
        server ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT};
    }
    upstream funkwhale-front {
        server ${FUNKWHALE_FRONT_IP}:${FUNKWHALE_FRONT_PORT};
    }
    server {
        listen 80;
        charset     utf-8;
        client_max_body_size 100M;
        include /etc/nginx/funkwhale_proxy.conf;
        # compression settings
        gzip on;
        gzip_comp_level    5;
        gzip_min_length    256;
        gzip_proxied       any;
        gzip_vary          on;

        gzip_types
            application/javascript
            application/vnd.geo+json
            application/vnd.ms-fontobject
            application/x-font-ttf
            application/x-web-app-manifest+json
            font/opentype
            image/bmp
            image/svg+xml
            image/x-icon
            text/cache-manifest
            text/css
            text/plain
            text/vcard
            text/vnd.rim.location.xloc
            text/vtt
            text/x-component
            text/x-cross-domain-policy;

        add_header Content-Security-Policy "connect-src https: wss: http: ws: 'self' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
        add_header Referrer-Policy "strict-origin-when-cross-origin";
        add_header X-Frame-Options "SAMEORIGIN" always;

        location /front/ {
            add_header Content-Security-Policy "connect-src https: wss: http: ws: 'self' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
            add_header Referrer-Policy "strict-origin-when-cross-origin";
            add_header Service-Worker-Allowed "/";
            # uncomment the following line and comment the proxy-pass one
            # to use the frontend build with "yarn build"
            #alias /frontend/dist/;
            proxy_pass   http://funkwhale-front/front/;
        }
        location /front/embed.html {
            add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
            add_header Referrer-Policy "strict-origin-when-cross-origin";
            add_header X-Frame-Options "" always;
            proxy_pass   http://funkwhale-front/front/embed.html;
        }

        location / {
            include /etc/nginx/funkwhale_proxy.conf;
            # this is needed if you have file import via upload enabled
            client_max_body_size ${NGINX_MAX_BODY_SIZE};
            proxy_pass   http://funkwhale-api/;
        }

        # You can comment this if you do not plan to use the Subsonic API
        location /rest/ {
            include /etc/nginx/funkwhale_proxy.conf;
            proxy_pass   http://funkwhale-api/api/subsonic/rest/;
        }

        location /media/ {
            alias /protected/media/;
        }

        # this is an internal location that is used to serve
        # audio files once correct permission / authentication
        # has been checked on API side
        location /_protected/media {
            internal;
            alias   /protected/media;

        }
        # Comment the previous location and uncomment this one if you're storing
        # media files in a S3 bucket
        # location ~ /_protected/media/(.+) {
        #     internal;
        #     resolver 127.0.0.11;
        #     # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
        #     proxy_set_header Authorization "";
        #     proxy_set_header X-Remote-URL "$1";
        #     proxy_pass $1;
        # }

        location /_protected/music {
            # this is an internal location that is used to serve
            # audio files once correct permission / authentication
            # has been checked on API side
            # Set this to the same value as your MUSIC_DIRECTORY_PATH setting
            internal;
            alias   /music;
        }
        location /staticfiles/ {
            alias /staticfiles/;
        }
    }
}