From efd6bc8ccbd9057c04d909ff48ecf8b704cae3ff Mon Sep 17 00:00:00 2001
From: David Taylor <david@taylorhq.com>
Date: Tue, 4 Feb 2025 20:01:48 +0000
Subject: [PATCH] FIX: web.ssl.template compat with latest core (#938)

https://github.com/discourse/discourse/commit/649505d869ff7a04d894fb2322428d0cfb82100e added some new content between `listen 80;` and `gzip on;`, which broke these replacements.

This commit reorders & updates the replacements so that they should work reliably with versions of core before and after that change.
---
 templates/web.ssl.template.yml | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)

diff --git a/templates/web.ssl.template.yml b/templates/web.ssl.template.yml
index cc6a66f..06c3514 100644
--- a/templates/web.ssl.template.yml
+++ b/templates/web.ssl.template.yml
@@ -4,26 +4,17 @@ run:
        - "mkdir -p /shared/ssl/"
   - replace:
      filename: "/etc/nginx/conf.d/discourse.conf"
-     from: /server.+{/
-     to: |
-       server {
-         listen 80;
-         return 301 https://$$ENV_DISCOURSE_HOSTNAME$request_uri;
-       }
-       server {
-  - replace:
-     filename: "/etc/nginx/conf.d/discourse.conf"
-     from: /listen 80;\s+gzip on;/m
+     from: /listen 80;\s+listen \[::\]:80;/m
      to: |
        listen 443 ssl;
+       listen [::]:443 ssl;
        http2 on;
        SSL_TEMPLATE_SSL_BLOCK
   - replace:
      filename: "/etc/nginx/conf.d/discourse.conf"
-     from: /listen 80;\s+listen \[::\]:80;\s+gzip on;/m
+     from: /listen 80;/
      to: |
        listen 443 ssl;
-       listen [::]:443 ssl;
        http2 on;
        SSL_TEMPLATE_SSL_BLOCK
   - replace:
@@ -43,8 +34,6 @@ run:
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:1m;
 
-       gzip on;
-
        add_header Strict-Transport-Security 'max-age=31536000'; # remember the certificate for a year and automatically connect to HTTPS for this domain
 
        if ($http_host != $$ENV_DISCOURSE_HOSTNAME) {
@@ -56,3 +45,12 @@ run:
      to: |
        location @discourse {
        add_header Strict-Transport-Security 'max-age=31536000'; # remember the certificate for a year and automatically connect to HTTPS for this domain
+  - replace:
+     filename: "/etc/nginx/conf.d/discourse.conf"
+     from: /server.+{/
+     to: |
+       server {
+         listen 80;
+         return 301 https://$$ENV_DISCOURSE_HOSTNAME$request_uri;
+       }
+       server {