puppet: Add support for changing the nginx port directly.

This provides a clean process for changing Zulip's nginx port.
2019-06-17 12:16:34 -07:00 · 2019-06-17 12:16:34 -07:00 · 88b77af54f
parent efe5e53118
commit 88b77af54f
4 changed files with 32 additions and 5 deletions
--- a/docs/production/deployment.md
+++ b/docs/production/deployment.md
@ -71,6 +71,31 @@ degraded experience.  Zulip let you choose one of two
 Neither is available in Amazon RDS.  As a result, if you use one of
 those providers, Zulip's full-text search will be unavailable.

+## Using an alternate port
+
+If you'd like your Zulip server to use an HTTPS port other than 443, you can
+configure that as follows:
+
+1. Edit `EXTERNAL_HOST` in `/etc/zulip/settings.py`, which controls how
+   the Zulip server reports its own URL, and restart the Zulip server
+   with `/home/zulip/deployments/current/scripts/restart-server`.
+1. Add the following block to `/etc/zulip/zulip.conf`:
+
+    ```
+    [application_server]
+    nginx_listen_port = 12345
+    ```
+
+1. As root, run
+  `/home/zulip/deployments/current/scripts/zulip-puppet-apply`.  This
+  will convert Zulip's main `nginx` configuration file to use your new
+  port.
+
+We also have documentation for a Zulip server [using HTTP][using-http] for use
+behind reverse proxies.
+
+[using-http]: ../production/deployment.html#configuring-zulip-to-allow-http
+
 ## Putting the Zulip application behind a reverse proxy

 Zulip is designed to support being run behind a reverse proxy server.
--- a/docs/production/requirements.md
+++ b/docs/production/requirements.md
@ -77,9 +77,10 @@ https://help.ubuntu.com/community/Repositories/Ubuntu
 #### Network and Security Specifications

 * Incoming HTTPS access (usually port 443, though this is
-  configurable) from the networks where your users are (usually, the
-  public Internet).  If you also open port 80, Zulip will redirect
-  users to HTTPS rather than not working when users type
+  [configurable](../production/deployment.html#using-an-alternate-port))
+  from the networks where your users are (usually, the public
+  Internet).  If you also open port 80, Zulip will redirect users to
+  HTTPS rather than not working when users type
  e.g. `http://zulip.example.com` in their browser.  If you are using
  Zulip's [incoming email integration][email-mirror-code] you may also
  need incoming port 25 open.
--- a/puppet/zulip/manifests/app_frontend.pp
+++ b/puppet/zulip/manifests/app_frontend.pp
@ -5,6 +5,7 @@ class zulip::app_frontend {
  include zulip::app_frontend_once

  $nginx_http_only = zulipconf('application_server', 'http_only', undef)
+  $nginx_listen_port = zulipconf('application_server', 'nginx_listen_port', 443)
  $no_serve_uploads = zulipconf('application_server', 'no_serve_uploads', undef)
  $ssl_dir = $::osfamily ? {
    'debian' => '/etc/ssl',
--- a/puppet/zulip/templates/nginx/zulip-enterprise.template.erb
+++ b/puppet/zulip/templates/nginx/zulip-enterprise.template.erb
@ -14,8 +14,8 @@ server {
    listen 80;
    listen [::]:80;
 <% else -%>
-    listen 443;
-    listen [::]:443;
+    listen <%= @nginx_listen_port %>;
+    listen [::]:<%= @nginx_listen_port %>;

    ssl on;
    ssl_certificate <%= @ssl_dir %>/certs/zulip.combined-chain.crt;