puppet: Add support for changing the nginx port directly.

This provides a clean process for changing Zulip's nginx port.

docs/production/deployment.md

@@ -71,6 +71,31 @@ degraded experience.  Zulip let you choose one of two
 Neither is available in Amazon RDS.  As a result, if you use one of
 those providers, Zulip's full-text search will be unavailable.
 
+## Using an alternate port
+
+If you'd like your Zulip server to use an HTTPS port other than 443, you can
+configure that as follows:
+
+1. Edit `EXTERNAL_HOST` in `/etc/zulip/settings.py`, which controls how
+   the Zulip server reports its own URL, and restart the Zulip server
+   with `/home/zulip/deployments/current/scripts/restart-server`.
+1. Add the following block to `/etc/zulip/zulip.conf`:
+
+    ```
+    [application_server]
+    nginx_listen_port = 12345
+    ```
+
+1. As root, run
+  `/home/zulip/deployments/current/scripts/zulip-puppet-apply`.  This
+  will convert Zulip's main `nginx` configuration file to use your new
+  port.
+
+We also have documentation for a Zulip server [using HTTP][using-http] for use
+behind reverse proxies.
+
+[using-http]: ../production/deployment.html#configuring-zulip-to-allow-http
+
 ## Putting the Zulip application behind a reverse proxy
 
 Zulip is designed to support being run behind a reverse proxy server.

docs/production/requirements.md

@@ -77,9 +77,10 @@ https://help.ubuntu.com/community/Repositories/Ubuntu
 #### Network and Security Specifications
 
 * Incoming HTTPS access (usually port 443, though this is
-  configurable) from the networks where your users are (usually, the
+  [configurable](../production/deployment.html#using-an-alternate-port))
-  public Internet).  If you also open port 80, Zulip will redirect
+  from the networks where your users are (usually, the public
-  users to HTTPS rather than not working when users type
+  Internet).  If you also open port 80, Zulip will redirect users to
+  HTTPS rather than not working when users type
   e.g. `http://zulip.example.com` in their browser.  If you are using
   Zulip's [incoming email integration][email-mirror-code] you may also
   need incoming port 25 open.

puppet/zulip/manifests/app_frontend.pp

@@ -5,6 +5,7 @@ class zulip::app_frontend {
   include zulip::app_frontend_once
 
   $nginx_http_only = zulipconf('application_server', 'http_only', undef)
+  $nginx_listen_port = zulipconf('application_server', 'nginx_listen_port', 443)
   $no_serve_uploads = zulipconf('application_server', 'no_serve_uploads', undef)
   $ssl_dir = $::osfamily ? {
     'debian' => '/etc/ssl',

puppet/zulip/templates/nginx/zulip-enterprise.template.erb

@@ -14,8 +14,8 @@ server {
     listen 80;
     listen [::]:80;
 <% else -%>
-    listen 443;
+    listen <%= @nginx_listen_port %>;
-    listen [::]:443;
+    listen [::]:<%= @nginx_listen_port %>;
 
     ssl on;
     ssl_certificate <%= @ssl_dir %>/certs/zulip.combined-chain.crt;