blob: 40775f11cd9d4d4cc670d5235b3f0f2d5e4ea8f5 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
|
# Following variables MUST be modified according to your setup
Define funkwhale-sn funkwhale.local
# Following variables should be modified according to your setup and if you
# use different configuration than what is described in our installation guide.
Define funkwhale-api http://localhost:5000
Define funkwhale-api-ws ws://localhost:5000
Define FUNKWHALE_FRONTEND_PATH /usr/share/webapps/funkwhale/front/dist
Define FUNKWHALE_DATA_PATH /srv/funkwhale/data
Define APACHE_LOG_DIR /var/log/httpd
<IfModule mod_alias.c>
Alias /funkwhale ${FUNKWHALE_FRONTEND_PATH}
</IfModule>
# HTTP requests redirected to HTTPS
<VirtualHost *:80>
ServerName ${funkwhale-sn}
# Default is to force https
RewriteEngine on
RewriteCond %{SERVER_NAME} =${funkwhale-sn}
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
<Location "/.well-known/acme-challenge/">
Options None
Require all granted
</Location>
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
# Protocols h2 http/1.1
ServerName ${funkwhale-sn}
# Path to ErrorLog and access log
ErrorLog ${APACHE_LOG_DIR}/funkwhale/error.log
CustomLog ${APACHE_LOG_DIR}/funkwhale/access.log combined
# TLS
# Feel free to use your own configuration for SSL here or simply remove the
# lines and move the configuration to the previous server block if you
# don't want to run funkwhale behind https (this is not recommended)
# have a look here for let's encrypt configuration:
# https://certbot.eff.org/lets-encrypt/debianstretch-apache.html
SSLEngine on
SSLProxyEngine On
SSLCertificateFile "/etc/webapps/funkwhale/config/funkwhale-server.crt"
SSLCertificateKeyFile "/etc/webapps/funkwhale/config/funkwhale-server.key"
# SSLCertificateFile /etc/letsencrypt/live/${funkwhale-sn}/fullchain.pem
# SSLCertificateKeyFile /etc/letsencrypt/live/${funkwhale-sn}/privkey.pem
# Include /etc/letsencrypt/options-ssl-apache.conf
# Tell the api that the client is using https
RequestHeader set X-Forwarded-Proto "https"
# Additional security headers
# Header set Referrer-Policy "strict-origin-when-cross-origin"
# Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"
# Configure Proxy settings
# ProxyPreserveHost pass the original Host header to the backend server
ProxyVia On
ProxyPreserveHost On
<IfModule mod_remoteip.c>
RemoteIPHeader X-Forwarded-For
</IfModule>
# Turning ProxyRequests on and allowing proxying from all may allow
# spammers to use your proxy to send email.
ProxyRequests Off
<Proxy *>
AddDefaultCharset off
Order Allow,Deny
Allow from all
</Proxy>
<Location "/">
# similar to nginx 'client_max_body_size 100M;'
LimitRequestBody 104857600
# Header set X-Frame-Options "sameorigin"
# Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"
# Header set Referrer-Policy "strict-origin-when-cross-origin"
ProxyPass ${funkwhale-api}/
ProxyPassReverse ${funkwhale-api}/
</Location>
<Location "/federation">
ProxyPass ${funkwhale-api}/federation
ProxyPassReverse ${funkwhale-api}/federation
</Location>
# You can comment this if you don't plan to use the Subsonic API
<Location "/rest">
ProxyPass ${funkwhale-api}/api/subsonic/rest
ProxyPassReverse ${funkwhale-api}/api/subsonic/rest
</Location>
<Location "/.well-known/">
ProxyPass ${funkwhale-api}/.well-known/
ProxyPassReverse ${funkwhale-api}/.well-known/
</Location>
# <Location "/front/embed.html">
# Header set X-Frame-Options "allow-from ${funkwhale-sn}"
# </Location>
# Alias /front/embed.html ${FUNKWHALE_FRONTEND_PATH}/embed.html
<Location "/front">
ProxyPass "!"
</Location>
Alias /front ${FUNKWHALE_FRONTEND_PATH}
<Location "/media">
ProxyPass "!"
</Location>
Alias /media ${FUNKWHALE_DATA_PATH}/media
<Location "/staticfiles">
ProxyPass "!"
</Location>
Alias /staticfiles ${FUNKWHALE_DATA_PATH}/static
# Activating WebSockets
<Location "/api/v1/activity">
ProxyPass ${funkwhale-api-ws}/api/v1/activity
</Location>
# Setting appropriate access levels to serve frontend
<Directory ${FUNKWHALE_DATA_PATH}/static>
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<Directory ${FUNKWHALE_FRONTEND_PATH}>
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<Directory ${FUNKWHALE_DATA_PATH}/media>
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
# XSendFile is serving audio files
# WARNING : permissions on paths specified below overrides previous definition,
# everything under those paths is potentially exposed.
# Following directive may be needed to ensure xsendfile is loaded
LoadModule xsendfile_module modules/mod_xsendfile.so
<IfModule mod_xsendfile.c>
XSendFile On
XSendFilePath ${FUNKWHALE_DATA_PATH}/media
XSendFilePath ${FUNKWHALE_DATA_PATH}/music
SetEnv MOD_X_SENDFILE_ENABLED 1
</IfModule>
</VirtualHost>
</IfModule>
|