From b4fb22ba1befc96518d565447c678f3be5e4f52f Mon Sep 17 00:00:00 2001
From: Alex Vandiver
Date: Tue, 1 Apr 2025 13:42:35 +0000
Subject: [PATCH] nginx: Move localhost to its own block, bound to the loopback address.

This makes the `localhost.d` directory less of a lie, and decreases the chances that local reconfigurations will break the 127.0.0.1:80 server which is used for IPC.

In cases where `nginx_http_only` is enabled, we respect `nginx_listen_port` soas to not attempt to bind on port 80 if the administrator was explicitly attempting to avoid that.
---
 .../nginx/zulip-enterprise.template.erb | 29 ++++++++++---------
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/puppet/zulip/templates/nginx/zulip-enterprise.template.erb b/puppet/zulip/templates/nginx/zulip-enterprise.template.erb
index 6cf3fdcd4d..91c098380f 100644
--- a/puppet/zulip/templates/nginx/zulip-enterprise.template.erb
+++ b/puppet/zulip/templates/nginx/zulip-enterprise.template.erb
@@ -1,28 +1,29 @@
+# For local IPC -- tusd to Django, or Django to Tornado
+server {
+<% if @nginx_http_only -%>
+ listen 127.0.0.1:<%= @nginx_listen_port %>;
+<% else -%>
+ listen 127.0.0.1:80;
+<% end -%>
+ location /api/internal/ {
+ include /etc/nginx/zulip-include/api_headers;
+ include uwsgi_params;
+ }
+ include /etc/nginx/zulip-include/localhost.d/*.conf;
+}
+
+
 <% if @nginx_http_only -%>
 <% else -%>
 server {
 listen 80;
 listen [::]:80;
- location /api/internal/ {
- # If coming from localhost, we do allow access to internal
- # APIs over HTTP, without an HTTPS redirect. Adding TLS does
- # not add appreciable security to connections from localhost,
- # and the certificate will never validate.
- allow 127.0.0.1;
- allow ::1;
- deny all;
-
- include /etc/nginx/zulip-include/api_headers;
- include uwsgi_params;
- }
-
 location / {
 return 301 https://$host$request_uri;
 }
 include /etc/nginx/zulip-include/certbot;
- include /etc/nginx/zulip-include/localhost.d/*.conf;
 }
 <% end -%>
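Review bot: The new loopback block binds only `listen 127.0.0.1:…`, whereas the removed `/api/internal/` rules also admitted `::1`, so an internal client that reaches nginx over IPv6 loopback (for example by resolving `localhost` to `::1`) would now fall through to the public port-80 server and receive the `return 301` to HTTPS instead of the uwsgi upstream. If such callers exist, add `listen [::1]:80;` in the `else` branch and the matching `listen [::1]:<%= @nginx_listen_port %>;` in the `if` branch. It would also help future editors to record why no `allow`/`deny` is needed any more, e.g. a comment above `location /api/internal/`: `# Access control is the loopback bind address above; this block is not reachable from other hosts.` The rest of the template, including any server block that may also listen on `nginx_listen_port` on all interfaces, lies outside this hunk, so whether the new `127.0.0.1:<%= @nginx_listen_port %>` listener coexists with it cannot be checked here.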