From d4bc8d559faeea0b6285df065234813559f901ae Mon Sep 17 00:00:00 2001
From: Chris
Date: Mon, 30 May 2022 05:52:58 +0800
Subject: [PATCH] Add configuration option to allow the NGINX vhosts to listen for IPv6 connections in addition to IPv4 (#657)
---
 docs/docs/reference/configuration-file.md | 1 +
 omnibus/cookbooks/firezone/attributes/default.rb | 3 +++
 omnibus/cookbooks/firezone/templates/phoenix.nginx.conf.erb | 6 ++++++
 3 files changed, 10 insertions(+)
diff --git a/docs/docs/reference/configuration-file.md b/docs/docs/reference/configuration-file.md
index 0dad1ebc8..65bc2bf91 100644
--- a/docs/docs/reference/configuration-file.md
+++ b/docs/docs/reference/configuration-file.md
@@ -95,6 +95,7 @@ Shown below is a complete listing of the configuration options available in
 | `default['firezone']['nginx']['rate_limiting_zone_name']` | Nginx rate limiting zone name. | `'firezone'` |
 | `default['firezone']['nginx']['rate_limiting_backoff']` | Nginx rate limiting backoff. | `'10m'` |
 | `default['firezone']['nginx']['rate_limit']` | Nginx rate limit. | `'10r/s'` |
+| `default['firezone']['nginx']['ipv6']` | Allow nginx to listen for HTTP requests for IPv6 in addition to IPv4. | `true` |
 | `default['firezone']['postgresql']['enabled']` | Enable or disable bundled Postgresql. Set to `false` and fill in the `database` options below to use your own Postgresql instance. | `true` |
 | `default['firezone']['postgresql']['username']` | Username for Postgresql. | `node['firezone']['user']` |
 | `default['firezone']['postgresql']['data_directory']` | Postgresql data directory. | `"#{node['firezone']['var_directory']}/postgresql/13.3/data"` |
diff --git a/omnibus/cookbooks/firezone/attributes/default.rb b/omnibus/cookbooks/firezone/attributes/default.rb
index 071cbab55..5fb6bd4c2 100644
--- a/omnibus/cookbooks/firezone/attributes/default.rb
+++ b/omnibus/cookbooks/firezone/attributes/default.rb
@@ -152,6 +152,9 @@ default['firezone']['nginx']['log_rotation']['file_maxbytes'] = 104_857_600
 default['firezone']['nginx']['log_rotation']['num_to_keep'] = 10
 default['firezone']['nginx']['log_x_forwarded_for'] = false
+# Permit nginx to listen for IPv6 connections in addition to IPv4
+default['firezone']['nginx']['ipv6'] = true
+
 # Redirect to the FQDN
 default['firezone']['nginx']['redirect_to_canonical'] = false
diff --git a/omnibus/cookbooks/firezone/templates/phoenix.nginx.conf.erb b/omnibus/cookbooks/firezone/templates/phoenix.nginx.conf.erb
index 7adc4489c..68009292d 100644
--- a/omnibus/cookbooks/firezone/templates/phoenix.nginx.conf.erb
+++ b/omnibus/cookbooks/firezone/templates/phoenix.nginx.conf.erb
@@ -15,6 +15,9 @@ log_format cache '$remote_addr - [$time_local] "$request" $upstream_cache_status
 server {
 listen <%= @nginx['non_ssl_port'] %> default_server;
+<% if @nginx['ipv6'] -%>
+ listen [::]:<%= @nginx['non_ssl_port'] %> default_server;
+<% end -%>
 server_name <%= @fqdn %>;
 <% if @nginx['force_ssl'] -%>
 location / {
@@ -30,6 +33,9 @@ server {
 server {
 listen <%= @nginx['ssl_port'] %> default_server;
+<% if @nginx['ipv6'] -%>
+ listen [::]:<%= @nginx['ssl_port'] %> default_server;
+<% end -%>
 server_name <%= @fqdn %>;
 <% if @ssl['enabled'] -%>
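Review bot: Defaulting `default['firezone']['nginx']['ipv6']` to `true` means an existing install starts accepting connections on `[::]` for both vhost ports at its next reconfigure, which widens exposure on hosts whose packet filtering was written for IPv4 only. I would either default to `false` and let operators opt in, or call the new listeners out in the upgrade notes. The attribute comment should carry that warning too, for example `# Also bind the HTTP and HTTPS vhosts to [::]. Confirm IPv6 ingress to these ports is filtered as intended; set to false on hosts without IPv6.`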
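Review bot: The added `listen [::]:<%= @nginx['non_ssl_port'] %> default_server;` line is rendered whenever `@nginx['ipv6']` is truthy, with no check that the host can open an IPv6 socket. As far as I know nginx refuses to start when a configured listener cannot be created, so on a kernel booted with IPv6 disabled the default of `true` would take the portal down after an upgrade. Consider gating the block on host support, for example `<% if @nginx['ipv6'] && File.exist?('/proc/net/if_inet6') -%>`, or resolving that in the recipe and passing a plain boolean to the template. The same applies to the second hunk, which adds the `ssl_port` listener. Both `server` blocks continue past the hunks, so it is worth confirming that any `allow`/`deny` or rate-limit rules further down behave as intended for IPv6 peers.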