nginx: Move localhost to its own block, bound to the loopback address.

This makes the `localhost.d` directory less of a lie, and decreases
the chances that local reconfigurations will break the 127.0.0.1:80
server which is used for IPC.

In cases where `nginx_http_only` is enabled, we respect
`nginx_listen_port` so as to not attempt to bind on port 80 if the
administrator was explicitly attempting to avoid that.
This commit is contained in:
Alex Vandiver 2025-04-01 13:42:35 +00:00 committed by Tim Abbott
parent 7d5d79909c
commit b4fb22ba1b


@ -1,28 +1,29 @@
# For local IPC -- tusd to Django, or Django to Tornado
server {
<% if @nginx_http_only -%>
listen 127.0.0.1:<%= @nginx_listen_port %>;
<% else -%>
listen 127.0.0.1:80;
<% end -%>
location /api/internal/ {
include /etc/nginx/zulip-include/api_headers;
include uwsgi_params;
}
include /etc/nginx/zulip-include/localhost.d/*.conf;
}
<% if @nginx_http_only -%>
<% else -%>
server {
listen 80;
listen [::]:80;
location /api/internal/ {
# If coming from localhost, we do allow access to internal
# APIs over HTTP, without an HTTPS redirect. Adding TLS does
# not add appreciable security to connections from localhost,
# and the certificate will never validate.
allow 127.0.0.1;
allow ::1;
deny all;
include /etc/nginx/zulip-include/api_headers;
include uwsgi_params;
}
location / {
return 301 https://$host$request_uri;
}
include /etc/nginx/zulip-include/certbot;
include /etc/nginx/zulip-include/localhost.d/*.conf;
}
<% end -%>
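Review bot: The public-facing `server { listen 80; listen [::]:80; ... }` block still carries `include /etc/nginx/zulip-include/localhost.d/*.conf;` just before its closing brace, in addition to the same include in the new loopback-bound block; if that line is on the new side, any drop-in placed in localhost.d is also served on the listener bound to all interfaces, which works against the stated goal of reserving that directory for the 127.0.0.1 IPC server. The +/- markers are lost on this rendered page, so this is inferred from the two includes being visible together; if keeping it is intentional, a comment such as `# Also loaded by the public :80 server for existing drop-ins; prefer the loopback block above` would make that explicit, otherwise it should be removed from the public block. The `<% if @nginx_http_only -%>` immediately followed by `<% else -%>` leaves an empty branch; `<% unless @nginx_http_only -%>` expresses the same thing without it. The IPC block listens only on `127.0.0.1` and not `[::1]`, so in the http-only case a local client that resolves `localhost` to ::1 finds no listener at all; a one-line comment stating that IPC callers must use 127.0.0.1 would document that assumption.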