From 129ea6dd111d59341ac87a0988a8e0950591d2c2 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Tue, 13 Oct 2020 16:53:28 -0700
Subject: [PATCH] nginx: Consistently listen on IPv6 and with HTTP/2.
Signed-off-by: Anders Kaseorg
---
 docs/production/deployment.md | 4 ++--
 .../zulip/templates/nginx/zulip-enterprise.template.erb | 5 ++---
 puppet/zulip_ops/files/nginx/sites-available/zulip | 4 ++--
 puppet/zulip_ops/files/nginx/sites-available/zulip-org | 9 +++++----
 .../zulip_ops/files/nginx/sites-available/zulip-staging | 5 +++--
 tools/droplets/zulipdev | 5 +++--
 6 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/docs/production/deployment.md b/docs/production/deployment.md
index defd396c14..9ac79b926e 100644
--- a/docs/production/deployment.md
+++ b/docs/production/deployment.md
@@ -272,10 +272,10 @@ For `nginx` configuration, there's two things you need to set up:
 ```
 server {
- listen 443 ssl;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
 server_name zulip.example.net;
- ssl on;
 ssl_certificate /path/to/fullchain-cert.pem;
 ssl_certificate_key /path/to/private-key.pem;
diff --git a/puppet/zulip/templates/nginx/zulip-enterprise.template.erb b/puppet/zulip/templates/nginx/zulip-enterprise.template.erb
index 2e23d2654b..42565a9de6 100644
--- a/puppet/zulip/templates/nginx/zulip-enterprise.template.erb
+++ b/puppet/zulip/templates/nginx/zulip-enterprise.template.erb
@@ -19,10 +19,9 @@ server {
 listen <%= @nginx_listen_port %>;
 listen [::]:<%= @nginx_listen_port %>;
 <% else -%>
- listen <%= @nginx_listen_port %> http2;
- listen [::]:<%= @nginx_listen_port %> http2;
+ listen <%= @nginx_listen_port %> ssl http2;
+ listen [::]:<%= @nginx_listen_port %> ssl http2;
- ssl on;
 ssl_certificate <%= @ssl_dir %>/certs/zulip.combined-chain.crt;
 ssl_certificate_key <%= @ssl_dir %>/private/zulip.key;
 <% end -%>
diff --git a/puppet/zulip_ops/files/nginx/sites-available/zulip b/puppet/zulip_ops/files/nginx/sites-available/zulip
index e1cdaf410f..5de9a13d37 100644
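Review bot: The `<% else -%>` branch now enables HTTP/2 only on the TLS listeners while the plain-HTTP branch above it stays HTTP/1.1, and nothing in the template explains the asymmetry, so a later reader may "fix" it by adding `http2` to the plain listeners. Browsers negotiate HTTP/2 only through TLS ALPN and do not use cleartext h2c, so the split is correct; I'd add directly above the new `listen <%= @nginx_listen_port %> ssl http2;` line: `# http2 only on the TLS listeners: browsers negotiate HTTP/2 via ALPN and do not speak cleartext h2c.` The enclosing `server {` and the `<% if … %>` that opens the plain-HTTP branch are outside the hunk.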
--- a/puppet/zulip_ops/files/nginx/sites-available/zulip
+++ b/puppet/zulip_ops/files/nginx/sites-available/zulip
@@ -1,7 +1,8 @@
 include /etc/nginx/zulip-include/upstreams;
 server {
- listen 443;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
 # This server is behind an ALB, which does not check the
 # certificate validity:
@@ -9,7 +10,6 @@ server {
 #
 # Snakeoil verts are good for 10 years after initial creation, but
 # the ALBs don't even check expiration. ¯\_(ツ)_/¯
- ssl on;
 ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
 ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
diff --git a/puppet/zulip_ops/files/nginx/sites-available/zulip-org b/puppet/zulip_ops/files/nginx/sites-available/zulip-org
index 9d1c54fd9d..09566aa973 100644
--- a/puppet/zulip_ops/files/nginx/sites-available/zulip-org
+++ b/puppet/zulip_ops/files/nginx/sites-available/zulip-org
@@ -1,13 +1,14 @@
 server {
 listen 80;
+ listen [::]:80;
 return 301 https://$host$request_uri;
 }
 server {
- listen 443 http2;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
 server_name zulip.org;
- ssl on;
 ssl_certificate /etc/letsencrypt/live/zulip.org/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/zulip.org/privkey.pem;
@@ -22,10 +23,10 @@ server {
 }
 server {
- listen 443 http2;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
 server_name blog.zulip.org;
- ssl on;
 ssl_certificate /etc/letsencrypt/live/zulip.org/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/zulip.org/privkey.pem;
diff --git a/puppet/zulip_ops/files/nginx/sites-available/zulip-staging b/puppet/zulip_ops/files/nginx/sites-available/zulip-staging
index 5fa081c42b..51da5e7efa 100644
--- a/puppet/zulip_ops/files/nginx/sites-available/zulip-staging
+++ b/puppet/zulip_ops/files/nginx/sites-available/zulip-staging
@@ -1,5 +1,6 @@
 server {
 listen 80;
+ listen [::]:80;
 server_name staging.zulip.com;
 return 301 https://$server_name$request_uri;
 }
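Review bot: The new TLS-only listeners on this ALB-facing block are fine, but the comment above the snakeoil certificate stops at "the ALB does not check certificate validity" and leaves the security consequence unstated: the ALB→nginx hop is encrypted, yet the backend is never authenticated, so anything that can sit on that path could present any certificate and impersonate nginx to the ALB. I'd extend the comment with `# That also means the ALB never authenticates this backend; the VPC / security-group rules, not TLS, are what keep this port off the public Internet.` Whether such rules exist cannot be seen from this file, so confirm before relying on it. The `http2` parameter is presumably inert if the ALB speaks HTTP/1.1 to its targets; harmless, but worth a word in the comment if it was added only for consistency with the other sites.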
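Review bot: The `listen [::]:80;` added to the first block inherits `return 301 https://$host$request_uri;`, and because that block has no `server_name`, `$host` is whatever Host header the client sent, so a request with `Host: attacker.example` is answered with a 301 to `https://attacker.example/`. The client only redirects itself, so the impact is limited, and this is pre-existing rather than introduced here, but the zulip-staging file in this same commit pins `server_name` and redirects to `$server_name`, which is the safer pattern. Adding `server_name` alone would not help, since an unmatched Host still lands on the first port-80 server; a separate `default_server` that returns 444 is needed so only the two known names get the redirect.
```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # Unknown Host values are dropped instead of being reflected into a redirect.
    return 444;
}

server {
    listen 80;
    listen [::]:80;
    server_name zulip.org blog.zulip.org;
    return 301 https://$host$request_uri;
}
# … unchanged: the two 443 server blocks …
```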
@@ -7,9 +8,9 @@ server {
 include /etc/nginx/zulip-include/upstreams;
 server {
- listen 443;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
- ssl on;
 ssl_certificate /etc/ssl/certs/staging.zulip.com.combined-chain.crt;
 ssl_certificate_key /etc/ssl/private/staging_and_dev.humbughq.com.key;
diff --git a/tools/droplets/zulipdev b/tools/droplets/zulipdev
index 0e669398c4..0c37e0e80f 100644
--- a/tools/droplets/zulipdev
+++ b/tools/droplets/zulipdev
@@ -1,12 +1,13 @@
 server {
 listen 80;
+ listen [::]:80;
 return 301 https://$host$request_uri;
 }
 server {
- listen 443;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
- ssl on;
 ssl_certificate /etc/ssl/certs/zulip.combined-chain.crt;
 ssl_certificate_key /etc/ssl/private/zulip.key;
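Review bot: The certificate/key pair directly below the new listeners is `staging.zulip.com.combined-chain.crt` paired with `staging_and_dev.humbughq.com.key`; the key's name suggests it is shared between the staging and dev hosts, in which case a compromise of either host exposes the other's TLS identity, and the mismatched filenames make it hard to audit which key belongs to which certificate. If the key really is shared, a per-host key named after the certificate it serves would be the fix; if it is not shared, a comment such as `# Private key for staging.zulip.com.combined-chain.crt; the filename is historical.` would spare the next reader the same question. Whether the key is actually reused cannot be determined from this config alone.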
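Review bot: Neither server block in this droplet config carries a `server_name`, so the `return 301 https://$host$request_uri;` that the new `listen [::]:80;` now also serves reflects whatever Host header the client sent, as it already did over IPv4. The zulip-staging file in this same commit pins the name and redirects to `$server_name`; if the droplet tooling knows the hostname it is writing this file for, the same two lines fit here: `server_name <droplet-hostname>;` and `return 301 https://$server_name$request_uri;`. Whether that hostname is available when this file is generated cannot be seen from the hunk.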