zulip/puppet/zulip_internal/files/nginx/sites-available/zulip

# Redirect http://app.humbughq.com and other unsupported
# hostnames to https://humbughq.com
#
# We don't have a redirect for HTTPS, however.
server {
    listen 80 default_server;
    server_name app.humbughq.com;
    return 301 https://humbughq.com;
}

server {
    listen 80;
    server_name humbughq.com zephyr.humbughq.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443;

    ssl on;

    ssl_certificate /etc/ssl/certs/wildcard-humbughq.com.combined-chain.crt;
    ssl_certificate_key /etc/ssl/private/app.humbughq.com.key;

    server_name zephyr.humbughq.com zephyr.zulip.com;

    # Avoid clickjacking attacks
    add_header X-Frame-Options DENY;

    include /etc/nginx/zulip-include/app;
}


server {
    listen 443;

    ssl on;

    ssl_certificate /etc/ssl/certs/wildcard-humbughq.com.combined-chain.crt;
    ssl_certificate_key /etc/ssl/private/app.humbughq.com.key;

    # We don't actually have an SSL cert for zulip.com, but that's okay since
    # clients will never be accessing this host directly.
    server_name humbughq.com www.humbughq.com zulip.com www.zulip.com;

    # Avoid clickjacking attacks
    add_header X-Frame-Options DENY;

    # Downloadable software
    location /dist/ {
        autoindex on;
        alias /srv/www/dist/;
    }

    # Enterprise downloads
    location /enterprise/ {
        alias /srv/www/enterprise/;
        autoindex on;

        location /enterprise/download {
            alias /srv/www/enterprise/download;
            auth_basic "Password needed";
            auth_basic_user_file /srv/www/enterprise/download/.htpasswd;
        }
    }

    include /etc/nginx/zulip-include/app;
}

server {
    listen 443;

    ssl on;
    ssl_certificate /etc/ssl/certs/wildcard-humbughq.com.combined-chain.crt;
    ssl_certificate_key /etc/ssl/private/app.humbughq.com.key;

    server_name api.humbughq.com api.zulip.com;

    rewrite ^/(.*) /api/$1 break;

    include /etc/nginx/zulip-include/app;
}