Merge branch 'fixApacheCovers' into 'develop'

XForwardedProto to https & covers granted See merge request funkwhale/funkwhale!237
2018-06-07 09:02:34 +00:00 · 2018-06-07 09:02:34 +00:00 · fd32d24044
parent 0a7c719a46 c353d59d40
commit fd32d24044
2 changed files with 46 additions and 3 deletions
--- a/changes/changelog.d/264.enhancement
+++ b/changes/changelog.d/264.enhancement
@ -0,0 +1,37 @@
+Album cover served in http (#264)
+
+Apache is now serving album covers in https
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Two issues are addressed here. The first one was about Django replying with
+mixed content (http) when queried for covers. Setting up the `X-Forwarded-Proto`
+allows Django to know that the client is using https, and that the reply must
+be https as well.
+
+Second issue was a problem of permission causing Apache a denied access to
+album cover folder. It was solved by adding another block for this path in
+the Apache configuration file for funkwhale.
+
+Here is how to modify your `funkwhale.conf` :
+
+<VirtualHost *:443>
+
+    ...
+    Include /etc/letsencrypt/options-ssl-apache.conf
+
+    #Add this new line
+    RequestHeader set X-Forwarded-Proto "https"
+
+    ...
+
+    #Add this new block below the other <Directory/> blocks
+    <Directory /srv/funkwhale/data/media/albums>
+      Options FollowSymLinks
+      AllowOverride None
+      Require all granted
+    </Directory>
+
+    ...
+</VirtualHost>
+
+
--- a/deploy/apache.conf
+++ b/deploy/apache.conf
@ -9,7 +9,7 @@ Define MUSIC_DIRECTORY_PATH /srv/funkwhale/data/music
 # Define funkwhale-api-ws ws://localhost:5000


-# HTTP request redirected to HTTPS
+# HTTP requests redirected to HTTPS
 <VirtualHost *:80>
   ServerName ${funkwhale-sn}

@ -22,7 +22,6 @@ Define MUSIC_DIRECTORY_PATH /srv/funkwhale/data/music
      Options None
      Require all granted
   </Location>
-
 </VirtualHost>


@ -46,6 +45,8 @@ Define MUSIC_DIRECTORY_PATH /srv/funkwhale/data/music
   SSLCertificateKeyFile /etc/letsencrypt/live/${funkwhale-sn}/privkey.pem
   Include /etc/letsencrypt/options-ssl-apache.conf

+   # Tell the api that the client is using https
+   RequestHeader set X-Forwarded-Proto "https"

   DocumentRoot /srv/funkwhale/front/dist

@ -112,6 +113,12 @@ Define MUSIC_DIRECTORY_PATH /srv/funkwhale/data/music
      Require all granted
   </Directory>

+   <Directory /srv/funkwhale/data/media/albums>
+      Options FollowSymLinks
+      AllowOverride None
+      Require all granted
+   </Directory>
+
   # XSendFile is serving audio files
   # WARNING : permissions on paths specified below overrides previous definition,
   # everything under those paths is potentially exposed.
@ -123,6 +130,5 @@ Define MUSIC_DIRECTORY_PATH /srv/funkwhale/data/music
      XSendFilePath ${MUSIC_DIRECTORY_PATH}
      SetEnv MOD_X_SENDFILE_ENABLED 1
   </IfModule>
-
 </VirtualHost>
 </IfModule>