Merge branch '932-nginx-proxy' into 'develop'

Resolve "S3 nginx proxy/redirect"

Closes #932

See merge request funkwhale/funkwhale!916

changes/changelog.d/932.bugfix

@@ -0,0 +1 @@
+Updated docs to ensure streaming works when using Minio/S3 and DSub (#932)

changes/notes.rst

@@ -216,3 +216,15 @@ is applied to the corresponding user account. By default, anonymous requests get
 
 You can disable the rate-limiting feature by adding `THROTTLING_ENABLED=false` to your ``.env`` file and restarting the
 services. If you are using the Funkwhale API in your project or app and want to know more about the limits, please consult https://docs.funkwhale.audio/swagger/.
+
+Broken audio streaming when using S3/Minio and DSub [manual action required]
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Some Subsonic clients, such as DSub, are sending an Authorization headers which was forwarded
+to the S3 storage when streaming, causing some issues. If you are using S3 or a compatible storage
+such as Minio, please add the following in your nginx ``~ /_protected/media/(.+)`` location::
+
+    # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
+    proxy_set_header Authorization "";
+
+And reload your nginx process.

deploy/docker.nginx.template

@@ -91,6 +91,8 @@ server {
     # media files in a S3 bucket
     # location ~ /_protected/media/(.+) {
     #     internal;
+    #     # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
+    #     proxy_set_header Authorization "";
     #     proxy_pass $1;
     # }
 

deploy/nginx.template

@@ -136,6 +136,8 @@ server {
     # media files in a S3 bucket
     # location ~ /_protected/media/(.+) {
     #     internal;
+    #     # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
+    #     proxy_set_header Authorization "";
     #     proxy_pass $1;
     # }
 

docker/nginx/conf.dev

@@ -124,8 +124,10 @@ http {
         # location ~ /_protected/media/(.+) {
         #     internal;
         #     resolver 127.0.0.11;
+        #     # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
+        #     proxy_set_header Authorization "";
+        #     proxy_set_header X-Remote-URL "$1";
         #     proxy_pass $1;
-        #     add_header X-Remote-URL "$1";
         # }
 
         location /_protected/music {

docs/admin/external-storages.rst

@@ -42,6 +42,8 @@ Replace the ``location /_protected/media`` block with the following::
 
     location ~ /_protected/media/(.+) {
         internal;
+        # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
+        proxy_set_header Authorization "";
         proxy_pass $1;
     }
 
@@ -77,9 +79,9 @@ This URL is actually be visible by the client, but contains a signature valid on
 no one can reuse this URL or share it publicly to distribute unauthorized content.
 
 .. note::
-   
+
    If you are using Amazon S3, you will need to set your ``AWS_S3_REGION_NAME`` in the ``.env`` file to
-   use this feature. 
+   use this feature.
 
 .. note::
 
@@ -142,9 +144,10 @@ in your ``funkwhale.template`` under the ``location ~/_protected/media/(.+)`` se
 .. code-block:: shell
 
     location ~ /_protected/media/(.+) {
-     resolver 1.1.1.1;
-     internal;
-     proxy_pass $1;
+        resolver 1.1.1.1;
+        internal;
+        proxy_set_header Authorization "";
+        proxy_pass $1;
     }
 
 No Images or Media Loading