nginx: Consistently listen on IPv6 and with HTTP/2.

Signed-off-by: Anders Kaseorg <anders@zulip.com>

docs/production/deployment.md

@@ -272,10 +272,10 @@ For `nginx` configuration, there's two things you need to set up:
 
 ```
 server {
-        listen                  443 ssl;
+        listen                  443 ssl http2;
+        listen                  [::]:443 ssl http2;
         server_name             zulip.example.net;
 
-        ssl                     on;
         ssl_certificate         /path/to/fullchain-cert.pem;
         ssl_certificate_key     /path/to/private-key.pem;
 

puppet/zulip/templates/nginx/zulip-enterprise.template.erb

@@ -19,10 +19,9 @@ server {
     listen <%= @nginx_listen_port %>;
     listen [::]:<%= @nginx_listen_port %>;
 <% else -%>
-    listen <%= @nginx_listen_port %> http2;
+    listen <%= @nginx_listen_port %> ssl http2;
-    listen [::]:<%= @nginx_listen_port %> http2;
+    listen [::]:<%= @nginx_listen_port %> ssl http2;
 
-    ssl on;
     ssl_certificate <%= @ssl_dir %>/certs/zulip.combined-chain.crt;
     ssl_certificate_key <%= @ssl_dir %>/private/zulip.key;
 <% end -%>

puppet/zulip_ops/files/nginx/sites-available/zulip

@@ -1,7 +1,8 @@
 include /etc/nginx/zulip-include/upstreams;
 
 server {
-    listen 443;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
 
     # This server is behind an ALB, which does not check the
     # certificate validity:
@@ -9,7 +10,6 @@ server {
     #
     # Snakeoil verts are good for 10 years after initial creation, but
     # the ALBs don't even check expiration. ¯\_(ツ)_/¯
-    ssl on;
     ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
     ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
 

puppet/zulip_ops/files/nginx/sites-available/zulip-org

@@ -1,13 +1,14 @@
 server {
     listen 80;
+    listen [::]:80;
     return 301 https://$host$request_uri;
 }
 
 server {
-    listen 443 http2;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
     server_name zulip.org;
 
-    ssl on;
     ssl_certificate /etc/letsencrypt/live/zulip.org/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/zulip.org/privkey.pem;
 
@@ -22,10 +23,10 @@ server {
 }
 
 server {
-    listen 443 http2;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
     server_name blog.zulip.org;
 
-    ssl on;
     ssl_certificate /etc/letsencrypt/live/zulip.org/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/zulip.org/privkey.pem;
 

puppet/zulip_ops/files/nginx/sites-available/zulip-staging

@@ -1,5 +1,6 @@
 server {
     listen 80;
+    listen [::]:80;
     server_name staging.zulip.com;
     return 301 https://$server_name$request_uri;
 }
@@ -7,9 +8,9 @@ server {
 include /etc/nginx/zulip-include/upstreams;
 
 server {
-    listen 443;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
 
-    ssl on;
     ssl_certificate /etc/ssl/certs/staging.zulip.com.combined-chain.crt;
     ssl_certificate_key /etc/ssl/private/staging_and_dev.humbughq.com.key;
 

tools/droplets/zulipdev

@@ -1,12 +1,13 @@
 server {
     listen 80;
+    listen [::]:80;
     return 301 https://$host$request_uri;
 }
 
 server {
-    listen 443;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
 
-    ssl on;
     ssl_certificate /etc/ssl/certs/zulip.combined-chain.crt;
     ssl_certificate_key /etc/ssl/private/zulip.key;