S3 storage : upload stucked

jeremiel26

Hi,
I've installed a fresh 1.3.3 funkwhale server on ubuntu lts 22.04 with quick install script.
i've add in my .env file:
AWS_ACCESS_KEY_ID=MyAccessKey
AWS_SECRET_ACCESS_KEY=MySecretAccessKey
AWS_STORAGE_BUCKET_NAME=MyStorageName
AWS_S3_ENDPOINT_URL=MyURLonOVHserver

save and restart funkwhale service

My /etc/nginx/sites-enabled/podcasts.aurafm.org.conf:

# Ansible managed
# This template was based on Funkwhale's nginx.template at ae2402618846d414cb1b4e7237c4ce43d8c8837c

upstream funkwhale-api {
    server 127.0.0.1:5000;
}

server {
    listen 80;
    listen [::]:80;
    server_name podcasts.aurafm.org;

    location /.well-known/ {
        allow all;
        include /etc/nginx/funkwhale_proxy.conf;
        proxy_pass   http://127.0.0.1:5000/.well-known/;
    }

    location / {
        return 301 https://$host$request_uri;
    }

}
# Required for websocket support.
map $http_upgrade $funkwhale_connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    charset     utf-8;
    server_name podcasts.aurafm.org;
    ssl_certificate /etc/letsencrypt/live/podcasts.aurafm.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/podcasts.aurafm.org/privkey.pem;
    
    # Many of these are overridden by matching settings outside of any server{} block!
    # https://github.com/mozilla/ssl-config-generator/issues/76
    ssl_ecdh_curve X25519:prime256v1:secp384r1;
    # https://ssl-config.mozilla.org/#server=nginx&config=modern
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        add_header Strict-Transport-Security "max-age=31536000" always;

    add_header Content-Security-Policy "...img-src 'self' https://s3.gra.io.cloud.ovh.net data:;...media-src https://s3.gra.io.cloud.ovh.net 'self' data:";

    add_header Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'";
    add_header Referrer-Policy "strict-origin-when-cross-origin";
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Service-Worker-Allowed "/";

    root /srv/funkwhale/front/dist;

    # compression settings
    gzip on;
    gzip_comp_level    5;
    gzip_min_length    256;
    gzip_proxied       any;
    gzip_vary          on;

    gzip_types
        application/javascript
        application/vnd.geo+json
        application/vnd.ms-fontobject
        application/x-font-ttf
        application/x-web-app-manifest+json
        font/opentype
        image/bmp
        image/svg+xml
        image/x-icon
        text/cache-manifest
        text/css
        text/plain
        text/vcard
        text/vnd.rim.location.xloc
        text/vtt
        text/x-component
        text/x-cross-domain-policy;
    # end of compression settings

    location /api/ {
        include /etc/nginx/funkwhale_proxy.conf;
        # This is needed if you have file import via upload enabled.
        client_max_body_size 100M;
        proxy_pass   http://funkwhale-api;
    }
    location / {
        alias /srv/funkwhale/front/dist/;
        expires 1d;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        add_header Service-Worker-Allowed "/";
        try_files $uri $uri/ /index.html;
    }

    location ~ "/(front/)?embed.html" {
        add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
        add_header Referrer-Policy "strict-origin-when-cross-origin";

        alias /srv/funkwhale/front/dist/embed.html;
        expires 1d;
    }

    location /federation/ {
        include /etc/nginx/funkwhale_proxy.conf;
        proxy_pass   http://funkwhale-api;
    }

    # You can comment this if you do not plan to use the Subsonic API.
    location /rest/ {
        include /etc/nginx/funkwhale_proxy.conf;
        proxy_pass   http://funkwhale-api/api/subsonic/rest/;
    }

    location /.well-known/ {
        allow all;
        include /etc/nginx/funkwhale_proxy.conf;
        proxy_pass   http://funkwhale-api;
    }

    # Allow direct access to only specific subdirectories in /media
    location /media/__sized__/ {
        alias /srv/funkwhale/data/media/__sized__/;
        add_header Access-Control-Allow-Origin '*';
    }

    # Allow direct access to only specific subdirectories in /media
    location /media/attachments/ {
        alias /srv/funkwhale/data/media/attachments/;
        add_header Access-Control-Allow-Origin '*';
    }

    # Allow direct access to only specific subdirectories in /media
    location /media/dynamic_preferences/ {
        alias /srv/funkwhale/data/media/dynamic_preferences/;
        add_header Access-Control-Allow-Origin '*';
    }

#    location /_protected/media/ {
#        internal;
#        alias   /srv/funkwhale/data/media/;
#        add_header Access-Control-Allow-Origin '*';
#    }
    
   location ~ /_protected/media/(.+) {
	 internal;
         proxy_set_header Authorization "";
         proxy_pass $1;
   }

    location /_protected/music/ {
        # This is an internal location that is used to serve
        # local music files once correct permission / authentication
        # has been checked on API side.
        internal;
        alias   /srv/funkwhale/data/music/;
        add_header Access-Control-Allow-Origin '*';
    }

    location /staticfiles/ {
        # django static files
        alias /srv/funkwhale/data/static/;
    }

    location /manifest.json {
        return 302 /api/v1/instance/spa-manifest.json;
    }

}

When i try to add an episode, a mp3 file, i have this message:

Uploads are being processed
Your uploads are being processed by Funkwhale and will be live very soon.
Processed uploads: 0/1

i've checked on OVH, the object have been uploaded on my s3 storage

Thx for your help 🙂

jeremiel26

ok so i've added "AWS_S3_REGION_NAME=gra" in .env file and upload ended properly now 🙂
BUT
when i try to play, it stay with 00:00 length and no sound :/

in .env, if i have:
PROXY_MEDIA=false
AWS_QUERYSTRING_AUTH=false
When i try to play, nothing happen i can't download file (error from s3 serveur, maybe credential)
in .env, if i have:
PROXY_MEDIA=true
AWS_QUERYSTRING_AUTH=true
When i try to play, nothing happen i can't download file (ERR_INVALID_RESPONSE)
in .env, if i have:
PROXY_MEDIA=false
AWS_QUERYSTRING_AUTH=true
When i try to play, nothing happen i'm able to download file (from my s3 server direclty)
I let it like that for the moment but i'd like to to set PROXY_MEDIA=true if it's possible.

I've checked error console from Chrome, and when i click on Play, i have an CORS error:

Access to audio at 'https://s3.gra.io.cloud.ovh.net/aurafm-podcasts-s3/funkwhale_media/tracks/26/ff/ce/pad-innov-jeunes-21-projet-solidaire-et-environnemental-au-maroc.mp3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=12345XXX%2Fgra%2Fs3%2Faws4_request&X-Amz-Date=20230909T102142Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=12345XXX' (redirected from 'https://podcasts.aurafm.org/api/v1/listen/f7349543-4bf7-4ee5-866a-601ab82e2955/?upload=d6478db5-46f9-4d8e-907e-97e92f944005') from origin 'https://podcasts.aurafm.org' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

But it's strange as my nginx.conf seems to be configured

Thx for your help for this problem 🙂
https://podcasts.aurafm.org/

gcrk

jeremiel26 When i try to play, nothing happen i can’t download file (ERR_INVALID_RESPONSE)

I never got proxy media working myself, but can you provide some more logs here as a starting point to debug this?

jeremiel26

YES, almost done (proxy_media=true not working :/)
The "problem" is on OVH side. It's necessary to add CORSRules to the Object Storage.

To do it:
Install awscli on your computer
then add your credential:
$ aws configure

Create a config file named cors.json or whatever, for your website:

{
   "CORSRules": [ 
        {
            "AllowedHeaders": ["Authorization"],
            "AllowedMethods": ["GET", "HEAD"],
            "AllowedOrigins": ["https://ww.MyFunkwhale.site"],
            "ExposeHeaders": ["Access-Control-Allow-Origin"]
        }
   ]
}

Apply your config file (with your s3 url endpoint and the name of your bucket):
$ aws s3api put-bucket-cors --endpoint-url https://s3.REGION.io.cloud.ovh.net --bucket MyBucket --cors-configuration file://cors.json

Hope this help someone else 🙂

And if you can help my to use PROXY_MEDIA=true, it would be great!