nginx: Consistently listen on IPv6 and with HTTP/2.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2025-11-04 14:03:30 +00:00 · 2020-10-13 16:53:28 -07:00
parent ec43f5418d
commit 129ea6dd11
6 changed files with 17 additions and 15 deletions
--- a/docs/production/deployment.md
+++ b/docs/production/deployment.md
@@ -272,10 +272,10 @@ For `nginx` configuration, there's two things you need to set up:

 ```
 server {
-        listen                  443 ssl;
+        listen                  443 ssl http2;
+        listen                  [::]:443 ssl http2;
        server_name             zulip.example.net;

-        ssl                     on;
        ssl_certificate         /path/to/fullchain-cert.pem;
        ssl_certificate_key     /path/to/private-key.pem;

--- a/puppet/zulip/templates/nginx/zulip-enterprise.template.erb
+++ b/puppet/zulip/templates/nginx/zulip-enterprise.template.erb
@@ -19,10 +19,9 @@ server {
    listen <%= @nginx_listen_port %>;
    listen [::]:<%= @nginx_listen_port %>;
 <% else -%>
-    listen <%= @nginx_listen_port %> http2;
-    listen [::]:<%= @nginx_listen_port %> http2;
+    listen <%= @nginx_listen_port %> ssl http2;
+    listen [::]:<%= @nginx_listen_port %> ssl http2;

-    ssl on;
    ssl_certificate <%= @ssl_dir %>/certs/zulip.combined-chain.crt;
    ssl_certificate_key <%= @ssl_dir %>/private/zulip.key;
 <% end -%>
--- a/puppet/zulip_ops/files/nginx/sites-available/zulip
+++ b/puppet/zulip_ops/files/nginx/sites-available/zulip
@@ -1,7 +1,8 @@
 include /etc/nginx/zulip-include/upstreams;

 server {
-    listen 443;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;

    # This server is behind an ALB, which does not check the
    # certificate validity:
@@ -9,7 +10,6 @@ server {
    #
    # Snakeoil verts are good for 10 years after initial creation, but
    # the ALBs don't even check expiration. ¯\_(ツ)_/¯
-    ssl on;
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

--- a/puppet/zulip_ops/files/nginx/sites-available/zulip-org
+++ b/puppet/zulip_ops/files/nginx/sites-available/zulip-org
@@ -1,13 +1,14 @@
 server {
    listen 80;
+    listen [::]:80;
    return 301 https://$host$request_uri;
 }

 server {
-    listen 443 http2;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
    server_name zulip.org;

-    ssl on;
    ssl_certificate /etc/letsencrypt/live/zulip.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/zulip.org/privkey.pem;

@@ -22,10 +23,10 @@ server {
 }

 server {
-    listen 443 http2;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
    server_name blog.zulip.org;

-    ssl on;
    ssl_certificate /etc/letsencrypt/live/zulip.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/zulip.org/privkey.pem;

--- a/puppet/zulip_ops/files/nginx/sites-available/zulip-staging
+++ b/puppet/zulip_ops/files/nginx/sites-available/zulip-staging
@@ -1,5 +1,6 @@
 server {
    listen 80;
+    listen [::]:80;
    server_name staging.zulip.com;
    return 301 https://$server_name$request_uri;
 }
@@ -7,9 +8,9 @@ server {
 include /etc/nginx/zulip-include/upstreams;

 server {
-    listen 443;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;

-    ssl on;
    ssl_certificate /etc/ssl/certs/staging.zulip.com.combined-chain.crt;
    ssl_certificate_key /etc/ssl/private/staging_and_dev.humbughq.com.key;

--- a/tools/droplets/zulipdev
+++ b/tools/droplets/zulipdev
@@ -1,12 +1,13 @@
 server {
    listen 80;
+    listen [::]:80;
    return 301 https://$host$request_uri;
 }

 server {
-    listen 443;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;

-    ssl on;
    ssl_certificate /etc/ssl/certs/zulip.combined-chain.crt;
    ssl_certificate_key /etc/ssl/private/zulip.key;