diff --git a/changes/changelog.d/1939.bugfix b/changes/changelog.d/1939.bugfix
new file mode 100644
index 000000000..bdc1b19dc
--- /dev/null
+++ b/changes/changelog.d/1939.bugfix
@@ -0,0 +1 @@
+Merge nginx configs for docker production and development setups (#1939)
diff --git a/dev.yml b/dev.yml
index ef2d43494..95323af8c 100644
--- a/dev.yml
+++ b/dev.yml
@@ -115,7 +115,6 @@ services:
 - "node3.funkwhale.test:172.17.0.1"
 nginx:
- command: /entrypoint.sh
 env_file:
 - .env.dev
 - .env
@@ -134,8 +133,7 @@ services:
 - api
 - front
 volumes:
- - ./docker/nginx/conf.dev:/etc/nginx/nginx.conf.template:ro
- - ./docker/nginx/entrypoint.sh:/entrypoint.sh:ro
+ - ./docker/nginx/conf.dev:/etc/nginx/templates/default.conf.template:ro
 - "${MUSIC_DIRECTORY_SERVE_PATH-./data/music}:/music:ro"
 - ./deploy/funkwhale_proxy.conf:/etc/nginx/funkwhale_proxy.conf:ro
 - "./front:/frontend:ro"
diff --git a/docker/nginx/conf.dev b/docker/nginx/conf.dev
index 8e956f001..ae3cd3fce 100644
--- a/docker/nginx/conf.dev
+++ b/docker/nginx/conf.dev
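Review bot: The new mount at `/etc/nginx/templates/default.conf.template` does nothing on its own; it only takes effect because the `command: /entrypoint.sh` override is dropped in the hunk at line 115, so the container now runs the nginx image's stock entrypoint, which (as far as I know) renders `/etc/nginx/templates/*.template` with envsubst only in official `nginx` images from 1.19 onward. The service's `image:` line is outside both hunks, so the tag is worth confirming. A comment beside the mount would make that dependency visible: `# rendered into /etc/nginx/conf.d/default.conf by the nginx image's entrypoint (envsubst); needs an image with template support`.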
@@ -1,167 +1,140 @@
-user nginx;
-worker_processes 1;
-
-error_log /var/log/nginx/error.log warn;
-pid /var/run/nginx.pid;
-
-
-events {
- worker_connections 1024;
+upstream funkwhale-api {
+ server ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT};
+}
+upstream funkwhale-front {
+ server ${FUNKWHALE_FRONT_IP}:${FUNKWHALE_FRONT_PORT};
 }
+# Required for websocket support.
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
-http {
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
+server {
+ listen 80;
+ listen [::]:80;
+ charset utf-8;
+ client_max_body_size ${NGINX_MAX_BODY_SIZE};
+ include /etc/nginx/funkwhale_proxy.conf;
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
+ add_header Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'";
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Service-Worker-Allowed "/";
- access_log /var/log/nginx/access.log main;
+ # compression settings
+ gzip on;
+ gzip_comp_level 5;
+ gzip_min_length 256;
+ gzip_proxied any;
+ gzip_vary on;
- sendfile on;
+ gzip_types
+ application/javascript
+ application/vnd.geo+json
+ application/vnd.ms-fontobject
+ application/x-font-ttf
+ application/x-web-app-manifest+json
+ font/opentype
+ image/bmp
+ image/svg+xml
+ image/x-icon
+ text/cache-manifest
+ text/css
+ text/plain
+ text/vcard
+ text/vnd.rim.location.xloc
+ text/vtt
+ text/x-component
+ text/x-cross-domain-policy;
+ # end of compression settings
- keepalive_timeout 65;
-
- upstream funkwhale-api {
- server ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT};
- }
- upstream funkwhale-front {
- server ${FUNKWHALE_FRONT_IP}:${FUNKWHALE_FRONT_PORT};
- }
-
- # Required for websocket support.
- map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
- }
-
- server {
- listen 80;
- listen [::]:80;
- charset utf-8;
- client_max_body_size ${NGINX_MAX_BODY_SIZE};
+ location /api/ {
 include /etc/nginx/funkwhale_proxy.conf;
+ # This is needed if you have file import via upload enabled.
+ client_max_body_size ${NGINX_MAX_BODY_SIZE};
+ proxy_pass http://funkwhale-api;
+ }
- add_header Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'";
+ location / {
+ proxy_pass http://funkwhale-front;
+ expires 1d;
+ }
+
+ location = /embed.html {
+ add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
 add_header Referrer-Policy "strict-origin-when-cross-origin";
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header Service-Worker-Allowed "/";
- # compression settings
- gzip on;
- gzip_comp_level 5;
- gzip_min_length 256;
- gzip_proxied any;
- gzip_vary on;
+ proxy_pass http://funkwhale-front;
+ expires 1d;
+ }
- gzip_types
- application/javascript
- application/vnd.geo+json
- application/vnd.ms-fontobject
- application/x-font-ttf
- application/x-web-app-manifest+json
- font/opentype
- image/bmp
- image/svg+xml
- image/x-icon
- text/cache-manifest
- text/css
- text/plain
- text/vcard
- text/vnd.rim.location.xloc
- text/vtt
- text/x-component
- text/x-cross-domain-policy;
- # end of compression settings
+ location /federation/ {
+ include /etc/nginx/funkwhale_proxy.conf;
+ proxy_pass http://funkwhale-api;
+ }
- location /api/ {
- include /etc/nginx/funkwhale_proxy.conf;
- # This is needed if you have file import via upload enabled.
- client_max_body_size ${NGINX_MAX_BODY_SIZE};
- proxy_pass http://funkwhale-api;
- }
+ # You can comment this if you do not plan to use the Subsonic API.
+ location /rest/ {
+ include /etc/nginx/funkwhale_proxy.conf;
+ proxy_pass http://funkwhale-api/api/subsonic/rest/;
+ }
- location / {
- proxy_pass http://funkwhale-front;
- expires 1d;
- }
+ location /.well-known/ {
+ include /etc/nginx/funkwhale_proxy.conf;
+ proxy_pass http://funkwhale-api;
+ }
- location = /embed.html {
- add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
- add_header Referrer-Policy "strict-origin-when-cross-origin";
+ # Allow direct access to only specific subdirectories in /media
+ location /media/__sized__/ {
+ alias /protected/media/__sized__/;
+ add_header Access-Control-Allow-Origin '*';
+ }
- proxy_pass http://funkwhale-front;
- expires 1d;
- }
+ # Allow direct access to only specific subdirectories in /media
+ location /media/attachments/ {
+ alias /protected/media/attachments/;
+ add_header Access-Control-Allow-Origin '*';
+ }
- location /federation/ {
- include /etc/nginx/funkwhale_proxy.conf;
- proxy_pass http://funkwhale-api;
- }
+ # Allow direct access to only specific subdirectories in /media
+ location /media/dynamic_preferences/ {
+ alias ${MEDIA_ROOT}/dynamic_preferences/;
+ add_header Access-Control-Allow-Origin '*';
+ }
- # You can comment this if you do not plan to use the Subsonic API.
- location /rest/ {
- include /etc/nginx/funkwhale_proxy.conf;
- proxy_pass http://funkwhale-api/api/subsonic/rest/;
- }
-
- location /.well-known/ {
- include /etc/nginx/funkwhale_proxy.conf;
- proxy_pass http://funkwhale-api;
- }
-
- # Allow direct access to only specific subdirectories in /media
- location /media/__sized__/ {
- alias /protected/media/__sized__/;
- add_header Access-Control-Allow-Origin '*';
- }
-
- # Allow direct access to only specific subdirectories in /media
- location /media/attachments/ {
- alias /protected/media/attachments/;
- add_header Access-Control-Allow-Origin '*';
- }
-
- # Allow direct access to only specific subdirectories in /media
- location /media/dynamic_preferences/ {
- alias ${MEDIA_ROOT}/dynamic_preferences/;
- add_header Access-Control-Allow-Origin '*';
- }
-
- # This is an internal location that is used to serve
- # media (uploaded) files once correct permission / authentication
- # has been checked on API side.
- # Comment the "NON-S3" commented lines and uncomment "S3" commented lines
- # if you're storing media files in a S3 bucket.
- location ~ /_protected/media/(.+) {
- internal;
- alias /protected/media/$1; # NON-S3
- # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932.
+ # This is an internal location that is used to serve
+ # media (uploaded) files once correct permission / authentication
+ # has been checked on API side.
+ # Comment the "NON-S3" commented lines and uncomment "S3" commented lines
+ # if you're storing media files in a S3 bucket.
+ location ~ /_protected/media/(.+) {
+ internal;
+ alias /protected/media/$1; # NON-S3
+ # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932.
 # proxy_set_header Authorization ""; # S3
 # proxy_pass $1; # S3
- add_header Access-Control-Allow-Origin '*';
- }
-
- location /_protected/music/ {
- # This is an internal location that is used to serve
- # local music files once correct permission / authentication
- # has been checked on API side.
- # Set this to the same value as your MUSIC_DIRECTORY_PATH setting.
- internal;
- alias /music/;
- add_header Access-Control-Allow-Origin '*';
- }
-
- location /manifest.json {
- # If the reverse proxy is terminating SSL, nginx gets confused and redirects to http, hence the full URL
- return 302 ${FUNKWHALE_PROTOCOL}://${FUNKWHALE_HOSTNAME}/api/v1/instance/spa-manifest.json;
- }
-
- location /staticfiles/ {
- alias /staticfiles/;
- }
-
+ add_header Access-Control-Allow-Origin '*';
 }
+
+ location /_protected/music/ {
+ # This is an internal location that is used to serve
+ # local music files once correct permission / authentication
+ # has been checked on API side.
+ # Set this to the same value as your MUSIC_DIRECTORY_PATH setting.
+ internal;
+ alias /music/;
+ add_header Access-Control-Allow-Origin '*';
+ }
+
+ location /manifest.json {
+ # If the reverse proxy is terminating SSL, nginx gets confused and redirects to http, hence the full URL
+ return 302 ${FUNKWHALE_PROTOCOL}://${FUNKWHALE_HOSTNAME}/api/v1/instance/spa-manifest.json;
+ }
+
+ location /staticfiles/ {
+ alias /staticfiles/;
+ }
+
 }
diff --git a/docker/nginx/entrypoint.sh b/docker/nginx/entrypoint.sh
deleted file mode 100755
index 225eac359..000000000
--- a/docker/nginx/entrypoint.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/sh
-
-set -eux
-
-TEMPLATE_PATH="/etc/nginx/nginx.conf.template"
-CONFIG_PATH="/etc/nginx/nginx.conf"
-
-ALLOWED_VARS="$(env | cut -d '=' -f 1 | xargs printf "\${%s} ")"
-envsubst "$ALLOWED_VARS" < "$TEMPLATE_PATH" | tee "$CONFIG_PATH"
-
-nginx-debug -g 'daemon off;'
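Review bot: In every `location` that sets `add_header Access-Control-Allow-Origin '*'` (the three `/media/...` blocks, `/_protected/media/` and `/_protected/music/`) the server-level headers are lost, because nginx inherits `add_header` into a level only when that level declares none of its own; responses from those paths therefore carry no Content-Security-Policy, Referrer-Policy or X-Frame-Options, and `location = /embed.html` likewise drops X-Frame-Options and Service-Worker-Allowed. For the embed page that looks deliberate and for the media paths it is probably acceptable, but neither is stated, so a comment above the first media block would keep a later editor from either "fixing" it or relying on it: `# add_header here replaces the server-level set (CSP, Referrer-Policy, X-Frame-Options); these paths serve media only, so CORS is all they get`. If any of those paths is meant to keep the server headers, they have to be repeated inside the block. Separately, now that the file is rendered by envsubst, the nginx runtime variables `$http_upgrade`, `$connection_upgrade` and `$1` survive only because (as far as I know) the image substitutes nothing but names present in the environment, a constraint the deleted entrypoint made explicit with `ALLOWED_VARS`; a one-line header comment noting that `${VAR}` is template syntax while bare `$name` and `$1` belong to nginx would preserve that knowledge.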