zulip/puppet/zulip_ops/files/nginx/sites-available/loadbalancer

upstream staging {
    server staging0.zulipchat.net:443;

    keepalive 10000;
}

upstream prod {
    server prod0.zulipchat.net:443;

    keepalive 10000;
}

server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    # The listen needs to be `www.zulipstaging.com` since bare zulipstaging.com
    # is not a CNAME and thus has the public IP inside EC2
    listen www.zulipstaging.com:443;
    server_name zulipstaging.com *.zulipstaging.com;

    ssl on;
    ssl_certificate /etc/ssl/certs/wildcard-zulipstaging.com.combined-chain.crt;
    ssl_certificate_key /etc/ssl/private/wildcard-zulipstaging.com.key;

    location / {
        proxy_pass https://staging/;
        include /etc/nginx/zulip-include/proxy;
    }

    location /sockjs {
        proxy_pass https://staging;
        include /etc/nginx/zulip-include/location-sockjs;
    }

    # We don't need /api/v1/events/internal, because that doesn't go through the loadbalancer.
    location ~ /json/events|/api/v1/events {
        proxy_pass https://staging;
        include /etc/nginx/zulip-include/proxy_longpolling;
    }

    include /etc/nginx/zulip-include/certbot;
}

server {
    # The listen needs to be `www.zulipchat.com` since bare zulipchat.com
    # is not a CNAME and thus has the public IP inside EC2
    listen www.zulipchat.com:443 default_server;
    server_name zulipchat.com *.zulipchat.com;

    ssl on;
    ssl_certificate /etc/ssl/certs/wildcard-zulipchat.com.combined-chain.crt;
    ssl_certificate_key /etc/ssl/private/wildcard-zulipchat.com.key;

    location / {
        proxy_pass https://prod;
        include /etc/nginx/zulip-include/proxy;
    }

    location /sockjs {
        proxy_pass https://prod;
        include /etc/nginx/zulip-include/location-sockjs;
    }

    location ~ /json/events|/api/v1/events {
        proxy_pass https://prod;
        include /etc/nginx/zulip-include/proxy_longpolling;
    }

    include /etc/nginx/zulip-include/certbot;
}

server {
    listen uploads.zulipusercontent.net:443;
    server_name uploads.zulipusercontent.net;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/uploads.zulipusercontent.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/uploads.zulipusercontent.net/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:9292;
        include /etc/nginx/zulip-include/proxy;
    }

    include /etc/nginx/zulip-include/certbot;
}
Puppet configuration and associated nginx files for lb0.zulip.net. lb0.zulip.net will proxy connections to the relevant backend servers. Depressingly, SSL certificate verification of the backend servers is not performed at this time, see: <http://trac.nginx.org/nginx/ticket/13> The above-mentioned bug has existed since 2011, but a CVE was not allocated until January. The nginx developers don't seem to care. Sigh. In any case, this is of somewhat limited impact at Humbug, since we can have reasonable confidence that communications within AWS are not subject to active MITMs. Passive MITM is not a concern, because the traffic is in fact encrypted. (imported from commit c96e1235fc17192c7452e0417a1309cfcda62de2) 2013-07-14 05:58:46 +02:00			`upstream staging {`
puppet: Modify lb0 nginx configuration. 2016-07-21 07:05:17 +02:00			`server staging0.zulipchat.net:443;`
nginx: Enable keepalive for communication between lbs and frontends. (imported from commit a7c8d9dfefbb6e5d01c8050688d831787b31bbd4) 2013-12-05 22:27:36 +01:00
			`keepalive 10000;`
Puppet configuration and associated nginx files for lb0.zulip.net. lb0.zulip.net will proxy connections to the relevant backend servers. Depressingly, SSL certificate verification of the backend servers is not performed at this time, see: <http://trac.nginx.org/nginx/ticket/13> The above-mentioned bug has existed since 2011, but a CVE was not allocated until January. The nginx developers don't seem to care. Sigh. In any case, this is of somewhat limited impact at Humbug, since we can have reasonable confidence that communications within AWS are not subject to active MITMs. Passive MITM is not a concern, because the traffic is in fact encrypted. (imported from commit c96e1235fc17192c7452e0417a1309cfcda62de2) 2013-07-14 05:58:46 +02:00			`}`

			`upstream prod {`
puppet: Modify lb0 nginx configuration. 2016-07-21 07:05:17 +02:00			`server prod0.zulipchat.net:443;`
nginx: Enable keepalive for communication between lbs and frontends. (imported from commit a7c8d9dfefbb6e5d01c8050688d831787b31bbd4) 2013-12-05 22:27:36 +01:00
			`keepalive 10000;`
Puppet configuration and associated nginx files for lb0.zulip.net. lb0.zulip.net will proxy connections to the relevant backend servers. Depressingly, SSL certificate verification of the backend servers is not performed at this time, see: <http://trac.nginx.org/nginx/ticket/13> The above-mentioned bug has existed since 2011, but a CVE was not allocated until January. The nginx developers don't seem to care. Sigh. In any case, this is of somewhat limited impact at Humbug, since we can have reasonable confidence that communications within AWS are not subject to active MITMs. Passive MITM is not a concern, because the traffic is in fact encrypted. (imported from commit c96e1235fc17192c7452e0417a1309cfcda62de2) 2013-07-14 05:58:46 +02:00			`}`

			`server {`
			`listen 80;`
			`return 301 https://$host$request_uri;`
			`}`

			`server {`
puppet: Modify lb0 nginx configuration. 2016-07-21 07:05:17 +02:00			# The listen needs to be `www.zulipstaging.com` since bare zulipstaging.com
			`# is not a CNAME and thus has the public IP inside EC2`
			`listen www.zulipstaging.com:443;`
			`server_name zulipstaging.com *.zulipstaging.com;`
Puppet configuration and associated nginx files for lb0.zulip.net. lb0.zulip.net will proxy connections to the relevant backend servers. Depressingly, SSL certificate verification of the backend servers is not performed at this time, see: <http://trac.nginx.org/nginx/ticket/13> The above-mentioned bug has existed since 2011, but a CVE was not allocated until January. The nginx developers don't seem to care. Sigh. In any case, this is of somewhat limited impact at Humbug, since we can have reasonable confidence that communications within AWS are not subject to active MITMs. Passive MITM is not a concern, because the traffic is in fact encrypted. (imported from commit c96e1235fc17192c7452e0417a1309cfcda62de2) 2013-07-14 05:58:46 +02:00
			`ssl on;`
puppet: Modify lb0 nginx configuration. 2016-07-21 07:05:17 +02:00			`ssl_certificate /etc/ssl/certs/wildcard-zulipstaging.com.combined-chain.crt;`
			`ssl_certificate_key /etc/ssl/private/wildcard-zulipstaging.com.key;`
Puppet configuration and associated nginx files for lb0.zulip.net. lb0.zulip.net will proxy connections to the relevant backend servers. Depressingly, SSL certificate verification of the backend servers is not performed at this time, see: <http://trac.nginx.org/nginx/ticket/13> The above-mentioned bug has existed since 2011, but a CVE was not allocated until January. The nginx developers don't seem to care. Sigh. In any case, this is of somewhat limited impact at Humbug, since we can have reasonable confidence that communications within AWS are not subject to active MITMs. Passive MITM is not a concern, because the traffic is in fact encrypted. (imported from commit c96e1235fc17192c7452e0417a1309cfcda62de2) 2013-07-14 05:58:46 +02:00
			`location / {`
			`proxy_pass https://staging/;`
nginx: Clean up now-empty 'loadbalancer' include file. (imported from commit d13b5d91f6b85ba3e0bef7728985d0eba1cae084) 2013-12-03 23:28:22 +01:00			`include /etc/nginx/zulip-include/proxy;`
Puppet configuration and associated nginx files for lb0.zulip.net. lb0.zulip.net will proxy connections to the relevant backend servers. Depressingly, SSL certificate verification of the backend servers is not performed at this time, see: <http://trac.nginx.org/nginx/ticket/13> The above-mentioned bug has existed since 2011, but a CVE was not allocated until January. The nginx developers don't seem to care. Sigh. In any case, this is of somewhat limited impact at Humbug, since we can have reasonable confidence that communications within AWS are not subject to active MITMs. Passive MITM is not a concern, because the traffic is in fact encrypted. (imported from commit c96e1235fc17192c7452e0417a1309cfcda62de2) 2013-07-14 05:58:46 +02:00			`}`
puppet: Add nginx configuration for websockets support (imported from commit 9c64a5835d25701c7e1bacca64b3900b68cb138c) 2013-09-25 17:02:46 +02:00
			`location /sockjs {`
			`proxy_pass https://staging;`
			`include /etc/nginx/zulip-include/location-sockjs;`
			`}`
nginx: Use the longpolling proxy configuration on load balancers. (imported from commit f590e6b1eec2856b5128e310797f8ba58846417a) 2013-12-03 23:19:04 +01:00
api: Stop using API keys for Django->Tornado authentication. As part of our effort to change the data model away from each user having a single API key, we're eliminating the couple requests that were made from Django to Tornado (as part of a /register or home request) where we used the user's API key grabbed from the database for authentication. Instead, we use the (already existing) internal_notify_view authentication mechanism, which uses the SHARED_SECRET setting for security, for these requests, and just fetch the user object using get_user_profile_by_id directly. Tweaked by Yago to include the new /api/v1/events/internal endpoint in the exempt_patterns list in test_helpers, since it's an endpoint we call through Tornado. Also added a couple missing return type annotations. 2018-07-13 12:58:16 +02:00			`# We don't need /api/v1/events/internal, because that doesn't go through the loadbalancer.`
Remove now-unused /json/get_events endpoint. 2016-10-19 02:51:19 +02:00			`location ~ /json/events\|/api/v1/events {`
Fix incorrect proxy_pass location for staging longpolling. (imported from commit a4ac2c5c3416a8d8f748237411df6235f237e893) 2013-12-07 13:57:59 +01:00			`proxy_pass https://staging;`
nginx: Use the longpolling proxy configuration on load balancers. (imported from commit f590e6b1eec2856b5128e310797f8ba58846417a) 2013-12-03 23:19:04 +01:00			`include /etc/nginx/zulip-include/proxy_longpolling;`
			`}`
certbot: Modify nginx configuration to support automated renewal. 2017-11-03 23:01:11 +01:00
			`include /etc/nginx/zulip-include/certbot;`
Puppet configuration and associated nginx files for lb0.zulip.net. lb0.zulip.net will proxy connections to the relevant backend servers. Depressingly, SSL certificate verification of the backend servers is not performed at this time, see: <http://trac.nginx.org/nginx/ticket/13> The above-mentioned bug has existed since 2011, but a CVE was not allocated until January. The nginx developers don't seem to care. Sigh. In any case, this is of somewhat limited impact at Humbug, since we can have reasonable confidence that communications within AWS are not subject to active MITMs. Passive MITM is not a concern, because the traffic is in fact encrypted. (imported from commit c96e1235fc17192c7452e0417a1309cfcda62de2) 2013-07-14 05:58:46 +02:00			`}`

			`server {`
puppet: Modify lb0 nginx configuration. 2016-07-21 07:05:17 +02:00			# The listen needs to be `www.zulipchat.com` since bare zulipchat.com
			`# is not a CNAME and thus has the public IP inside EC2`
			`listen www.zulipchat.com:443 default_server;`
			`server_name zulipchat.com *.zulipchat.com;`
Puppet configuration and associated nginx files for lb0.zulip.net. lb0.zulip.net will proxy connections to the relevant backend servers. Depressingly, SSL certificate verification of the backend servers is not performed at this time, see: <http://trac.nginx.org/nginx/ticket/13> The above-mentioned bug has existed since 2011, but a CVE was not allocated until January. The nginx developers don't seem to care. Sigh. In any case, this is of somewhat limited impact at Humbug, since we can have reasonable confidence that communications within AWS are not subject to active MITMs. Passive MITM is not a concern, because the traffic is in fact encrypted. (imported from commit c96e1235fc17192c7452e0417a1309cfcda62de2) 2013-07-14 05:58:46 +02:00
			`ssl on;`
puppet: Modify lb0 nginx configuration. 2016-07-21 07:05:17 +02:00			`ssl_certificate /etc/ssl/certs/wildcard-zulipchat.com.combined-chain.crt;`
			`ssl_certificate_key /etc/ssl/private/wildcard-zulipchat.com.key;`
Puppet configuration and associated nginx files for lb0.zulip.net. lb0.zulip.net will proxy connections to the relevant backend servers. Depressingly, SSL certificate verification of the backend servers is not performed at this time, see: <http://trac.nginx.org/nginx/ticket/13> The above-mentioned bug has existed since 2011, but a CVE was not allocated until January. The nginx developers don't seem to care. Sigh. In any case, this is of somewhat limited impact at Humbug, since we can have reasonable confidence that communications within AWS are not subject to active MITMs. Passive MITM is not a concern, because the traffic is in fact encrypted. (imported from commit c96e1235fc17192c7452e0417a1309cfcda62de2) 2013-07-14 05:58:46 +02:00
			`location / {`
nginx: Get rid of trailing / in loadbalancer proxy_pass directives. The trailing "/" actually means "replace the location with /", which is either useless or actively harmful, depending on the location. (imported from commit 58b9c4c9e55e3a162ffce49c954bc2182ec57dde) 2013-12-04 17:26:47 +01:00			`proxy_pass https://prod;`
nginx: Clean up now-empty 'loadbalancer' include file. (imported from commit d13b5d91f6b85ba3e0bef7728985d0eba1cae084) 2013-12-03 23:28:22 +01:00			`include /etc/nginx/zulip-include/proxy;`
Puppet configuration and associated nginx files for lb0.zulip.net. lb0.zulip.net will proxy connections to the relevant backend servers. Depressingly, SSL certificate verification of the backend servers is not performed at this time, see: <http://trac.nginx.org/nginx/ticket/13> The above-mentioned bug has existed since 2011, but a CVE was not allocated until January. The nginx developers don't seem to care. Sigh. In any case, this is of somewhat limited impact at Humbug, since we can have reasonable confidence that communications within AWS are not subject to active MITMs. Passive MITM is not a concern, because the traffic is in fact encrypted. (imported from commit c96e1235fc17192c7452e0417a1309cfcda62de2) 2013-07-14 05:58:46 +02:00			`}`
puppet: Add nginx configuration for websockets support (imported from commit 9c64a5835d25701c7e1bacca64b3900b68cb138c) 2013-09-25 17:02:46 +02:00
			`location /sockjs {`
			`proxy_pass https://prod;`
			`include /etc/nginx/zulip-include/location-sockjs;`
			`}`
nginx: Use the longpolling proxy configuration on load balancers. (imported from commit f590e6b1eec2856b5128e310797f8ba58846417a) 2013-12-03 23:19:04 +01:00
Remove now-unused /json/get_events endpoint. 2016-10-19 02:51:19 +02:00			`location ~ /json/events\|/api/v1/events {`
nginx: Get rid of trailing / in loadbalancer proxy_pass directives. The trailing "/" actually means "replace the location with /", which is either useless or actively harmful, depending on the location. (imported from commit 58b9c4c9e55e3a162ffce49c954bc2182ec57dde) 2013-12-04 17:26:47 +01:00			`proxy_pass https://prod;`
nginx: Use the longpolling proxy configuration on load balancers. (imported from commit f590e6b1eec2856b5128e310797f8ba58846417a) 2013-12-03 23:19:04 +01:00			`include /etc/nginx/zulip-include/proxy_longpolling;`
			`}`
certbot: Modify nginx configuration to support automated renewal. 2017-11-03 23:01:11 +01:00
			`include /etc/nginx/zulip-include/certbot;`
Puppet configuration and associated nginx files for lb0.zulip.net. lb0.zulip.net will proxy connections to the relevant backend servers. Depressingly, SSL certificate verification of the backend servers is not performed at this time, see: <http://trac.nginx.org/nginx/ticket/13> The above-mentioned bug has existed since 2011, but a CVE was not allocated until January. The nginx developers don't seem to care. Sigh. In any case, this is of somewhat limited impact at Humbug, since we can have reasonable confidence that communications within AWS are not subject to active MITMs. Passive MITM is not a concern, because the traffic is in fact encrypted. (imported from commit c96e1235fc17192c7452e0417a1309cfcda62de2) 2013-07-14 05:58:46 +02:00			`}`

puppet: Run GitHub Camo on lb0 for external-content.zulipcdn.net. (imported from commit c03f2018fee1d88b747f45fc7841949f61e5c06c) 2013-09-04 21:57:31 +02:00			`server {`
puppet: Modify lb0 nginx configuration. 2016-07-21 07:05:17 +02:00			`listen uploads.zulipusercontent.net:443;`
			`server_name uploads.zulipusercontent.net;`
puppet: Run GitHub Camo on lb0 for external-content.zulipcdn.net. (imported from commit c03f2018fee1d88b747f45fc7841949f61e5c06c) 2013-09-04 21:57:31 +02:00
			`ssl on;`
puppet: Modify lb0 nginx configuration. 2016-07-21 07:05:17 +02:00			`ssl_certificate /etc/letsencrypt/live/uploads.zulipusercontent.net/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/uploads.zulipusercontent.net/privkey.pem;`
puppet: Run GitHub Camo on lb0 for external-content.zulipcdn.net. (imported from commit c03f2018fee1d88b747f45fc7841949f61e5c06c) 2013-09-04 21:57:31 +02:00
			`location / {`
nginx: Get rid of trailing / in loadbalancer proxy_pass directives. The trailing "/" actually means "replace the location with /", which is either useless or actively harmful, depending on the location. (imported from commit 58b9c4c9e55e3a162ffce49c954bc2182ec57dde) 2013-12-04 17:26:47 +01:00			`proxy_pass http://127.0.0.1:9292;`
nginx: Move common proxy configuration into an include file. (imported from commit 2ee5afc74fe146f8ee98f18f846342351c61c7f0) 2013-12-03 23:10:05 +01:00			`include /etc/nginx/zulip-include/proxy;`
puppet: Run GitHub Camo on lb0 for external-content.zulipcdn.net. (imported from commit c03f2018fee1d88b747f45fc7841949f61e5c06c) 2013-09-04 21:57:31 +02:00			`}`
certbot: Modify nginx configuration to support automated renewal. 2017-11-03 23:01:11 +01:00
			`include /etc/nginx/zulip-include/certbot;`
puppet: Run GitHub Camo on lb0 for external-content.zulipcdn.net. (imported from commit c03f2018fee1d88b747f45fc7841949f61e5c06c) 2013-09-04 21:57:31 +02:00			`}`