From f902a39ac90ab5404cdcafe74ea818966fdbd44d Mon Sep 17 00:00:00 2001
From: Alex Vandiver <alexmv@zulip.com>
Date: Fri, 21 Mar 2025 12:10:15 -0400
Subject: [PATCH] nginx: Allow adding extra monitoring paths in a localhost.d.

(cherry picked from commit 023e634e98e7aaf733d24524569983deba3fed61)
---
 docs/production/upgrade.md                      | 17 +++++++++++------
 puppet/zulip/manifests/app_frontend_base.pp     |  6 ++++++
 .../nginx/zulip-enterprise.template.erb         |  1 +
 3 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/docs/production/upgrade.md b/docs/production/upgrade.md
index 529002578e..8fef96aaaf 100644
--- a/docs/production/upgrade.md
+++ b/docs/production/upgrade.md
@@ -306,14 +306,19 @@ handle your setup.
 
 ### nginx configuration changes
 
-If you need to modify Zulip's `nginx` configuration, we recommend
-first attempting to add configuration to `/etc/nginx/conf.d` or
-`/etc/nginx/zulip-include/app.d`; those directories are designed for
-custom configuration, and are not overridden during upgrades. The
-former is useful for directives with the `http` [context][context],
-and the latter for `server` contexts.
+If you need to extend Zulip's `nginx` configuration, there are a few different
+include directories you can use, in different [contexts][context]:
+
+- `/etc/nginx/conf.d` is in the [`http` context][http-context]
+- `/etc/nginx/zulip-include/app.d` is in the [`server` context][server-context]
+  for the public-facing server
+- `/etc/nginx/zulip-include/localhost.d` is in the [`server`
+  context][server-context] for the server listening on `127.0.0.1:80`, which is
+  used for internal inter-process communication
 
 [context]: http://nginx.org/en/docs/beginners_guide.html#conf_structure
+[http-context]: http://nginx.org/en/docs/http/ngx_http_core_module.html#http
+[server-context]: http://nginx.org/en/docs/http/ngx_http_core_module.html#server
 
 ## Upgrading PostgreSQL
 
diff --git a/puppet/zulip/manifests/app_frontend_base.pp b/puppet/zulip/manifests/app_frontend_base.pp
index 8cf9033391..8532a0dc06 100644
--- a/puppet/zulip/manifests/app_frontend_base.pp
+++ b/puppet/zulip/manifests/app_frontend_base.pp
@@ -53,6 +53,12 @@ class zulip::app_frontend_base {
     group  => 'root',
     mode   => '0755',
   }
+  file { '/etc/nginx/zulip-include/localhost.d/':
+    ensure => directory,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0755',
+  }
 
   $loadbalancers = split(zulipconf('loadbalancer', 'ips', ''), ',')
   if $loadbalancers != [] {
diff --git a/puppet/zulip/templates/nginx/zulip-enterprise.template.erb b/puppet/zulip/templates/nginx/zulip-enterprise.template.erb
index 48af4ced69..6cf3fdcd4d 100644
--- a/puppet/zulip/templates/nginx/zulip-enterprise.template.erb
+++ b/puppet/zulip/templates/nginx/zulip-enterprise.template.erb
@@ -22,6 +22,7 @@ server {
     }
 
     include /etc/nginx/zulip-include/certbot;
+    include /etc/nginx/zulip-include/localhost.d/*.conf;
 }
 <% end -%>