Hi everyone, I'm setting up a Funkwhale instance on AWS EC2 plus storage of music data in an S3 bucket. I've been able to set it up with version 1.1.4 following the mono container installation guide https://docs.funkwhale.audio/installation/docker.html. I'm running it with the NESTED_PROXY=1 option enabled. I've loaded an mp3 album and I can play it nicely from Firefox on my laptop. However, on my phone with iOS, trying with Safari, it logs in and shows tracks but then it fails to play any track. Same behavior with the substreamer app.
In the Matrix chat it was pointed out that FLAC files aren't supported by iOS, which is interesting, but this shouldn't be the case.
Pasting here my nginx funkwhale.conf for reference:
upstream fw {
    # depending on your setup, you may want to update this
    server 127.0.0.1:5000;
}

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen 80;
    listen [::]:80;
    server_name <domain>;
    location / { return 301 https://$host$request_uri; }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name <domain>;

    # TLS
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_certificate /etc/letsencrypt/live/<domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;

    # HSTS
    add_header Strict-Transport-Security "max-age=31536000";

    # Security related headers
    #more_clear_headers Content-Security-Policy;
    # If you are using S3 to host your files, remember to add your S3 URL to the
    # media-src and img-src headers (e.g. img-src 'self' https://<your-S3-URL> data:)
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' https://<s3-bucket-name>.s3.amazonaws.com/* data:; font-src 'self' data:; object-src 'none'; media-src 'self' https://<s3-bucket-name>.s3.amazonaws.com/* data:" always;

    # compression settings
    gzip on;
    gzip_comp_level 5;
    gzip_min_length 256;
    gzip_proxied any;
    gzip_vary on;
    gzip_types
        application/javascript
        application/vnd.geo+json
        application/vnd.ms-fontobject
        application/x-font-ttf
        application/x-web-app-manifest+json
        font/opentype
        image/bmp
        image/svg+xml
        image/x-icon
        text/cache-manifest
        text/css
        text/plain
        text/vcard
        text/vnd.rim.location.xloc
        text/vtt
        text/x-component
        text/x-cross-domain-policy;

    location ~ /_protected/media/(.+) {
        internal;
        # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
        proxy_set_header Authorization "";
        proxy_pass $1;
    }

    location / {
        include /etc/nginx/funkwhale_proxy.conf;
        client_max_body_size 500M;
        proxy_pass http://fw/;
    }
}
I needed to modify funkwhale_proxy.conf by adding this line:
proxy_hide_header Content-Security-Policy;
otherwise a second Content-Security-Policy header was added before the S3-enabling one and it didn't work from a laptop browser either.
In the EC2 configuration I've opened ports 443 and 80 for TCP traffic.
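
Why the duplicate header matters, as an added example (not part of the original post and not Funkwhale code): a browser enforces every Content-Security-Policy header it receives, so a URL has to pass each one separately. The sketch also applies CSP's path-part rule, under which a trailing `/*` is a literal path rather than a wildcard; the hostnames and the upstream policy are constructed, and port and scheme-upgrade matching are left out.

```python
from urllib.parse import urlsplit, unquote

def parse_policy(header):
    """One CSP header -> {directive: [sources]}; a repeated directive is ignored."""
    policy = {}
    for tokens in filter(None, (part.split() for part in header.split(";"))):
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def path_matches(expr_path, url_path):
    """CSP path-part rule: trailing '/' means prefix match, anything else is exact."""
    if not expr_path or (expr_path == "/" and not url_path):
        return True
    want = [unquote(p) for p in expr_path.split("/")]
    have = [unquote(p) for p in url_path.split("/")]
    if expr_path.endswith("/"):
        want.pop()                      # prefix match: drop the empty last piece
    elif len(want) != len(have):
        return False                    # exact match: '*' is a literal, not a wildcard
    return want == have[:len(want)]

def source_matches(expr, url, self_origin, redirected=False):
    u = urlsplit(url)
    if expr.startswith("'"):            # keyword sources; only 'self' matches a URL
        return expr == "'self'" and f"{u.scheme}://{u.netloc}" == self_origin
    if expr.endswith(":"):              # scheme-source such as data:
        return u.scheme == expr[:-1].lower()
    e = urlsplit(expr if "://" in expr else "//" + expr)
    host, pat = u.hostname or "", e.hostname or ""
    host_ok = host.endswith(pat[1:]) if pat.startswith("*.") else host == pat
    # After a redirect the path-part of the expression is ignored.
    return (e.scheme in ("", u.scheme) and host_ok
            and (redirected or path_matches(e.path, u.path)))

def allowed(headers, directive, url, self_origin, redirected=False):
    """Every delivered policy must allow the URL; policies are never merged."""
    for policy in map(parse_policy, headers):
        sources = policy.get(directive, policy.get("default-src"))
        if sources is not None and not any(
                source_matches(s, url, self_origin, redirected) for s in sources):
            return False
    return True

SELF = "https://music.example"          # constructed sample values from here on
TRACK = "https://example-bucket.s3.amazonaws.com/tracks/01.mp3"
UPSTREAM = "default-src 'self'; media-src 'self' data:"
WITH_STAR = "default-src 'self'; media-src 'self' https://example-bucket.s3.amazonaws.com/* data:"
HOST_ONLY = "default-src 'self'; media-src 'self' https://example-bucket.s3.amazonaws.com data:"
```

Calling `allowed([UPSTREAM, HOST_ONLY], "media-src", TRACK, SELF)` shows the stricter header blocking the bucket even though the second header lists it, which is the effect `proxy_hide_header` removes.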