nginx: Move localhost to its own block, bound to the loopback address.
This makes the `localhost.d` directory less of a lie, and decreases the chances that local reconfigurations will break the 127.0.0.1:80 server which is used for IPC. In cases where `nginx_http_only` is enabled, we respect `nginx_listen_port` so as to not attempt to bind on port 80 if the administrator was explicitly attempting to avoid that.
parent
7d5d79909c
commit
b4fb22ba1b
@ -1,28 +1,29 @@
|
||||
# For local IPC -- tusd to Django, or Django to Tornado
|
||||
server {
|
||||
<% if @nginx_http_only -%>
|
||||
listen 127.0.0.1:<%= @nginx_listen_port %>;
|
||||
<% else -%>
|
||||
listen 127.0.0.1:80;
|
||||
<% end -%>
|
||||
location /api/internal/ {
|
||||
include /etc/nginx/zulip-include/api_headers;
|
||||
include uwsgi_params;
|
||||
}
|
||||
include /etc/nginx/zulip-include/localhost.d/*.conf;
|
||||
}
|
||||
|
||||
|
||||
<% if @nginx_http_only -%>
|
||||
<% else -%>
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
location /api/internal/ {
|
||||
# If coming from localhost, we do allow access to internal
|
||||
# APIs over HTTP, without an HTTPS redirect. Adding TLS does
|
||||
# not add appreciable security to connections from localhost,
|
||||
# and the certificate will never validate.
|
||||
allow 127.0.0.1;
|
||||
allow ::1;
|
||||
deny all;
|
||||
|
||||
include /etc/nginx/zulip-include/api_headers;
|
||||
include uwsgi_params;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
include /etc/nginx/zulip-include/certbot;
|
||||
include /etc/nginx/zulip-include/localhost.d/*.conf;
|
||||
}
|
||||
<% end -%>
|
||||
|
||||
|
||||
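Review bot: The `include /etc/nginx/zulip-include/localhost.d/*.conf;` line near the bottom of the public `listen 80; listen [::]:80;` server block appears to remain alongside the new include in the loopback-bound block, so if it is on the new side, any snippet dropped into `localhost.d` is still served on the network-facing port 80 listener as well, and a `location` added there is reachable from outside unless the snippet carries its own `allow 127.0.0.1; allow ::1; deny all;` guard. If the intent of the commit is that `localhost.d` only affects the 127.0.0.1 server, the public block's include should be dropped; if both are deliberate, a comment on the public include saying so would save the next reader from the same question. Separately, the new loopback block's `location /api/internal/` has no allow/deny list, which is correct because the `listen 127.0.0.1:…` binding already restricts it, but a one-line comment such as `# Bound to the loopback address, so no allow/deny guard is needed here.` would make that dependency explicit, since the same location in the public block does carry the guard. The empty `<% if @nginx_http_only -%>` branch followed by `<% else -%>` wrapping the public block reads more clearly as `<% unless @nginx_http_only -%>`.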