From 25a0c0e69b267c25db039d49b8c27833913b45b1 Mon Sep 17 00:00:00 2001 From: RenonDis Date: Thu, 7 Jun 2018 10:15:31 +0200 Subject: [PATCH 1/2] XForwardedProto to https & covers granted --- deploy/apache.conf | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/deploy/apache.conf b/deploy/apache.conf index 5b74efecd..f6f9719f6 100644 --- a/deploy/apache.conf +++ b/deploy/apache.conf @@ -9,7 +9,7 @@ Define MUSIC_DIRECTORY_PATH /srv/funkwhale/data/music # Define funkwhale-api-ws ws://localhost:5000 -# HTTP request redirected to HTTPS +# HTTP requests redirected to HTTPS ServerName ${funkwhale-sn} @@ -22,7 +22,6 @@ Define MUSIC_DIRECTORY_PATH /srv/funkwhale/data/music Options None Require all granted - @@ -46,6 +45,8 @@ Define MUSIC_DIRECTORY_PATH /srv/funkwhale/data/music SSLCertificateKeyFile /etc/letsencrypt/live/${funkwhale-sn}/privkey.pem Include /etc/letsencrypt/options-ssl-apache.conf + # Tell the api that the client is using https + RequestHeader set X-Forwarded-Proto "https" DocumentRoot /srv/funkwhale/front/dist @@ -112,6 +113,12 @@ Define MUSIC_DIRECTORY_PATH /srv/funkwhale/data/music Require all granted + + Options FollowSymLinks + AllowOverride None + Require all granted + + # XSendFile is serving audio files # WARNING : permissions on paths specified below overrides previous definition, # everything under those paths is potentially exposed. @@ -123,6 +130,5 @@ Define MUSIC_DIRECTORY_PATH /srv/funkwhale/data/music XSendFilePath ${MUSIC_DIRECTORY_PATH} SetEnv MOD_X_SENDFILE_ENABLED 1 - From c353d59d4038f7c963f1539cbc6de8a7f61a1bfa Mon Sep 17 00:00:00 2001 From: RenonDis Date: Thu, 7 Jun 2018 10:53:07 +0200 Subject: [PATCH 2/2] Updated changelog --- changes/changelog.d/264.enhancement | 37 +++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 changes/changelog.d/264.enhancement diff --git a/changes/changelog.d/264.enhancement b/changes/changelog.d/264.enhancement new file mode 100644 index 000000000..f527e433c --- /dev/null +++ b/changes/changelog.d/264.enhancement @@ -0,0 +1,37 @@ +Album cover served in http (#264) + +Apache is now serving album covers in https +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Two issues are addressed here. The first one was about Django replying with +mixed content (http) when queried for covers. Setting up the `X-Forwarded-Proto` +allows Django to know that the client is using https, and that the reply must +be https as well. + +Second issue was a problem of permission causing Apache a denied access to +album cover folder. It was solved by adding another block for this path in +the Apache configuration file for funkwhale. + +Here is how to modify your `funkwhale.conf` : + + + + ... + Include /etc/letsencrypt/options-ssl-apache.conf + + #Add this new line + RequestHeader set X-Forwarded-Proto "https" + + ... + + #Add this new block below the other blocks + + Options FollowSymLinks + AllowOverride None + Require all granted + + + ... + + +