# Following variables MUST be modified according to your setup
Define funkwhale-sn funkwhale.local
# Following variables should be modified according to your setup and if you
# use different configuration than what is described in our installation guide.
Define funkwhale-api http://localhost:5000
Define funkwhale-api-ws ws://localhost:5000
Define FUNKWHALE_FRONTEND_PATH /usr/share/webapps/funkwhale/front/dist
Define FUNKWHALE_DATA_PATH /srv/funkwhale/data
Define APACHE_LOG_DIR /var/log/httpd
Alias /funkwhale ${FUNKWHALE_FRONTEND_PATH}
# HTTP requests redirected to HTTPS
ServerName ${funkwhale-sn}
# Default is to force https
RewriteEngine on
RewriteCond %{SERVER_NAME} =${funkwhale-sn}
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
Options None
Require all granted
# Protocols h2 http/1.1
ServerName ${funkwhale-sn}
# Path to ErrorLog and access log
ErrorLog ${APACHE_LOG_DIR}/funkwhale/error.log
CustomLog ${APACHE_LOG_DIR}/funkwhale/access.log combined
# TLS
# Feel free to use your own configuration for SSL here or simply remove the
# lines and move the configuration to the previous server block if you
# don't want to run funkwhale behind https (this is not recommended)
# have a look here for let's encrypt configuration:
# https://certbot.eff.org/lets-encrypt/debianstretch-apache.html
SSLEngine on
SSLProxyEngine On
SSLCertificateFile "/etc/webapps/funkwhale/config/funkwhale-server.crt"
SSLCertificateKeyFile "/etc/webapps/funkwhale/config/funkwhale-server.key"
# SSLCertificateFile /etc/letsencrypt/live/${funkwhale-sn}/fullchain.pem
# SSLCertificateKeyFile /etc/letsencrypt/live/${funkwhale-sn}/privkey.pem
# Include /etc/letsencrypt/options-ssl-apache.conf
# Tell the api that the client is using https
RequestHeader set X-Forwarded-Proto "https"
# Additional security headers
# Header set Referrer-Policy "strict-origin-when-cross-origin"
# Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"
# Configure Proxy settings
# ProxyPreserveHost pass the original Host header to the backend server
ProxyVia On
ProxyPreserveHost On
RemoteIPHeader X-Forwarded-For
# Turning ProxyRequests on and allowing proxying from all may allow
# spammers to use your proxy to send email.
ProxyRequests Off
AddDefaultCharset off
Order Allow,Deny
Allow from all
# similar to nginx 'client_max_body_size 100M;'
LimitRequestBody 104857600
# Header set X-Frame-Options "sameorigin"
# Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"
# Header set Referrer-Policy "strict-origin-when-cross-origin"
ProxyPass ${funkwhale-api}/
ProxyPassReverse ${funkwhale-api}/
ProxyPass ${funkwhale-api}/federation
ProxyPassReverse ${funkwhale-api}/federation
# You can comment this if you don't plan to use the Subsonic API
ProxyPass ${funkwhale-api}/api/subsonic/rest
ProxyPassReverse ${funkwhale-api}/api/subsonic/rest
ProxyPass ${funkwhale-api}/.well-known/
ProxyPassReverse ${funkwhale-api}/.well-known/
#
# Header set X-Frame-Options "allow-from ${funkwhale-sn}"
#
# Alias /front/embed.html ${FUNKWHALE_FRONTEND_PATH}/embed.html
ProxyPass "!"
Alias /front ${FUNKWHALE_FRONTEND_PATH}
ProxyPass "!"
Alias /media ${FUNKWHALE_DATA_PATH}/media
ProxyPass "!"
Alias /staticfiles ${FUNKWHALE_DATA_PATH}/static
# Activating WebSockets
ProxyPass ${funkwhale-api-ws}/api/v1/activity
# Setting appropriate access levels to serve frontend
Options FollowSymLinks
AllowOverride None
Require all granted
Options FollowSymLinks
AllowOverride None
Require all granted
Options FollowSymLinks
AllowOverride None
Require all granted
# XSendFile is serving audio files
# WARNING : permissions on paths specified below overrides previous definition,
# everything under those paths is potentially exposed.
# Following directive may be needed to ensure xsendfile is loaded
LoadModule xsendfile_module modules/mod_xsendfile.so
XSendFile On
XSendFilePath ${FUNKWHALE_DATA_PATH}/media
XSendFilePath ${FUNKWHALE_DATA_PATH}/music
SetEnv MOD_X_SENDFILE_ENABLED 1