From 31455e8f77d47069da5740472620ec67ad114c7e Mon Sep 17 00:00:00 2001
From: RBO <drain@rbo.wf>
Date: Fri, 28 Feb 2025 17:50:10 +0100
Subject: [PATCH] update nginx patches for discourse 3.5.0

---
 templates/web.ssl.its.yml | 41 +++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 21 deletions(-)

diff --git a/templates/web.ssl.its.yml b/templates/web.ssl.its.yml
index 2bb5f1e..cccb60d 100644
--- a/templates/web.ssl.its.yml
+++ b/templates/web.ssl.its.yml
@@ -2,6 +2,25 @@ run:
   - exec:
      cmd:
        - "mkdir -p /shared/ssl/"
+  - replace:
+     filename: "/etc/nginx/conf.d/discourse.conf"
+     from: /listen 80;\s+listen \[::\]:80;/m
+     to: |
+       listen 443 ssl;
+       listen [::]:443 ssl;
+       SSL_TEMPLATE_SSL_BLOCK
+  - replace:
+     filename: "/etc/nginx/conf.d/discourse.conf"
+     from: /listen 80;/m
+     to: |
+       listen 443 ssl;
+       listen [::]:443 ssl;
+       # ITS: Stuff for yxorp TLS-SNI support
+       listen 444 ssl proxy_protocol;
+       listen [::]:444 ssl proxy_protocol;
+       set_real_ip_from 2a01:4f8:10b:331f:0:ff:fe00:5;
+       real_ip_header proxy_protocol;
+       SSL_TEMPLATE_SSL_BLOCK
   - replace:
      filename: "/etc/nginx/conf.d/discourse.conf"
      from: /server.+{/
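Review bot: The yxorp `proxy_protocol` listeners on 444 and the `set_real_ip_from`/`real_ip_header` trust lines are only emitted by the second replace (the bare `listen 80;` fallback), so on a discourse.conf that has both `listen 80;` and `listen [::]:80;` the first replace consumes `listen 80;` and the 444 listeners and real-IP trust never land; if the 3.5.0 image is dual-stack this presumably loses the SNI path entirely, and the five ITS lines should be mirrored into the first `to:` block as well. Independently, `set_real_ip_from` trusts only one IPv6 address while `listen 444 ssl proxy_protocol;` also accepts IPv4, so a PROXY header arriving over IPv4 would not rewrite `$remote_addr` and logs/rate limits would see the proxy's address — worth a comment such as `# only PROXY headers from this yxorp address are trusted; add its IPv4 if it ever connects over v4`. The hard-coded address is the single trust anchor for client-IP attribution and deserves that comment either way.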
@@ -11,30 +30,12 @@ run:
          return 301 https://$$ENV_DISCOURSE_HOSTNAME$request_uri;
        }
        server {
-  - replace:
-     filename: "/etc/nginx/conf.d/discourse.conf"
-     from: /listen 80;\s+gzip on;/m
-     to: |
-       listen 443 ssl http2;
-       listen [::]:443 ssl http2;
-       # ITS: Stuff for yxorp TLS-SNI support
-       listen 444 ssl http2 proxy_protocol;
-       listen [::]:444 ssl http2 proxy_protocol;
-       set_real_ip_from 2a01:4f8:10b:331f:0:ff:fe00:5;
-       real_ip_header proxy_protocol;
-       SSL_TEMPLATE_SSL_BLOCK
-  - replace:
-     filename: "/etc/nginx/conf.d/discourse.conf"
-     from: /listen 80;\s+listen \[::\]:80;\s+gzip on;/m
-     to: |
-       listen 443 ssl http2;
-       listen [::]:443 ssl http2;
-       SSL_TEMPLATE_SSL_BLOCK
   - replace:
      hook: ssl
      filename: "/etc/nginx/conf.d/discourse.conf"
      from: /SSL_TEMPLATE_SSL_BLOCK/
      to: |
+       http2 on;
 
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
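Review bot: `http2 on;` is a server-level directive that only exists in nginx 1.25.1 and later; on any image still shipping an older nginx it is an unknown directive and nginx refuses to start, which is presumably why the listen-line `http2` flag was removed at the same time. Since this template is applied to whatever nginx the Discourse base image carries, a comment pinning that assumption would help the next upgrade: `# 'http2 on' needs nginx >= 1.25.1 (Discourse 3.5.0 image); older images need 'listen 443 ssl http2;' instead`. The `hook: ssl` replace item this line belongs to continues past the end of this hunk.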
@@ -47,8 +48,6 @@ run:
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:1m;
 
-       gzip on;
-
        add_header Strict-Transport-Security 'max-age=31536000'; # remember the certificate for a year and automatically connect to HTTPS for this domain
 
        if ($http_host != $$ENV_DISCOURSE_HOSTNAME) {