avatars: Serve /user_avatars/ through Django, which offloads to nginx.

Moving `/user_avatars/` to being served partially through Django
removes the need for the `no_serve_uploads` nginx reconfiguring when
switching between S3 and local backends.  This is important because a
subsequent commit will move S3 attachments to being served through
nginx, which would make `no_serve_uploads` entirely nonsensical of a
name.

Serve the files through Django, with an offload for the actual image
response to an internal nginx route.  In development, serve the files
directly in Django.

We do _not_ mark the contents as immutable for caching purposes, since
the path for avatar images is hashed only by their user-id and a salt,
and as such are reused when a user's avatar is updated.

puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf

@@ -6,7 +6,8 @@ location /internal/uploads {
     alias /home/zulip/uploads/files;
 }
 
-location /user_avatars {
+location /internal/user_avatars {
+    internal;
     include /etc/nginx/zulip-include/headers;
     add_header Content-Security-Policy "default-src 'none' img-src 'self'";
     include /etc/nginx/zulip-include/uploads.types;

puppet/zulip/manifests/app_frontend_base.pp

@@ -69,37 +69,23 @@ class zulip::app_frontend_base {
     notify  => Service['nginx'],
   }
 
-  # Configuration for how uploaded files and profile pictures are
-  # served.  The default is to serve uploads using using the `nginx`
-  # `internal` feature via X-Accel-Redirect, which basically does an
-  # internal redirect and returns the file content from nginx in an
-  # HttpResponse that would otherwise have been a redirect.  Profile
-  # pictures are served directly off disk.
-  #
-  # For installations using S3 to serve uploaded files, we want Django
-  # to handle the /internal/uploads and /user_avatars routes, so that it
-  # can serve a redirect (after doing authentication, for uploads).
-  $no_serve_uploads = zulipconf('application_server', 'no_serve_uploads', false)
-  if $no_serve_uploads {
-    file { '/etc/nginx/zulip-include/app.d/uploads-internal.conf':
-      ensure  => absent,
-    }
-  } else {
-    file { '/etc/nginx/zulip-include/app.d/uploads-internal.conf':
-      ensure  => file,
-      require => Package[$zulip::common::nginx],
-      owner   => 'root',
-      group   => 'root',
-      mode    => '0644',
-      notify  => Service['nginx'],
-      source  => 'puppet:///modules/zulip/nginx/zulip-include-maybe/uploads-internal.conf',
-    }
+  file { '/etc/nginx/zulip-include/app.d/uploads-internal.conf':
+    ensure  => file,
+    require => Package[$zulip::common::nginx],
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    notify  => Service['nginx'],
+    source  => 'puppet:///modules/zulip/nginx/zulip-include-frontend/uploads-internal.conf',
   }
 
-  # TODO/compatibility: Removed 2021-04 in Zulip 4.0; these lines can
-  # be removed once one must have upgraded through Zulip 4.0 or higher
-  # to get to the next release.
-  file { ['/etc/nginx/zulip-include/uploads.route', '/etc/nginx/zulip-include/app.d/thumbor.conf']:
+  file { [
+    # TODO/compatibility: Removed 2021-04 in Zulip 4.0; these lines can
+    # be removed once one must have upgraded through Zulip 4.0 or higher
+    # to get to the next release.
+    '/etc/nginx/zulip-include/uploads.route',
+    '/etc/nginx/zulip-include/app.d/thumbor.conf',
+  ]:
     ensure => absent,
   }