Modify nginx config to let /uploads go through to unicorn.

eb210f4a · Douwe Maan · 6b0199ff · eb210f4a · eb210f4a
Commit eb210f4a authored Feb 20, 2015 by Douwe Maan
Hide whitespace changes
Inline Side-by-side

Showing with 47 additions and 37 deletions

lib/support/nginx/gitlab lib/support/nginx/gitlab +23 -18

lib/support/nginx/gitlab-ssl lib/support/nginx/gitlab-ssl +24 -19

No files found.
--- a/lib/support/nginx/gitlab
+++ b/lib/support/nginx/gitlab
 ## GitLab
-## Contributors: randx, yin8086, sashkab, orkoden, axilleas, bbodenmiller
+## Contributors: randx, yin8086, sashkab, orkoden, axilleas, bbodenmiller, DouweM
 ##
 ## Lines starting with two hashes (##) are comments with information.
 ## Lines starting with one hash (#) are configuration parameters that can be uncommented.
@@ -50,31 +50,36 @@ server {
  access_log  /var/log/nginx/gitlab_access.log;
  error_log   /var/log/nginx/gitlab_error.log;
+  ## If you use HTTPS make sure you disable gzip compression
+  ## to be safe against BREACH attack.
+  # gzip off;
+  ## https://github.com/gitlabhq/gitlabhq/issues/694
+  ## Some requests take more than 30 seconds.
+  proxy_read_timeout      300;
+  proxy_connect_timeout   300;
+  proxy_redirect          off;
+  proxy_set_header    Host                $http_host;
+  proxy_set_header    X-Real-IP           $remote_addr;
+  proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+  proxy_set_header    X-Forwarded-Proto   $scheme;
+  proxy_set_header    X-Frame-Options     SAMEORIGIN;
  location / {
    ## Serve static files from defined root folder.
    ## @gitlab is a named location for the upstream fallback, see below.
    try_files $uri $uri/index.html $uri.html @gitlab;
  }
+  ## We route uploads through GitLab to prevent XSS and enforce access control.
+  location /uploads/ {
+    proxy_pass http://gitlab;
+  }
  ## If a file, which is not found in the root folder is requested,
  ## then the proxy passes the request to the upsteam (gitlab unicorn).
  location @gitlab {
-    ## If you use HTTPS make sure you disable gzip compression
-    ## to be safe against BREACH attack.
-    # gzip off;
-    ## https://github.com/gitlabhq/gitlabhq/issues/694
-    ## Some requests take more than 30 seconds.
-    proxy_read_timeout      300;
-    proxy_connect_timeout   300;
-    proxy_redirect          off;
-    proxy_set_header    Host                $http_host;
-    proxy_set_header    X-Real-IP           $remote_addr;
-    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-    proxy_set_header    X-Forwarded-Proto   $scheme;
-    proxy_set_header    X-Frame-Options     SAMEORIGIN;
    proxy_pass http://gitlab;
  }
@@ -84,7 +89,7 @@ server {
  ## See config/application.rb under "Relative url support" for the list of
  ## other files that need to be changed for relative url support
  location ~ ^/(assets)/ {
-    root /home/git/gitlab/public;
+    gzip on;
    gzip_static on; # to serve pre-gzipped version
    expires max;
    add_header Cache-Control public;

--- a/lib/support/nginx/gitlab-ssl
+++ b/lib/support/nginx/gitlab-ssl
 ## GitLab
-## Contributors: randx, yin8086, sashkab, orkoden, axilleas, bbodenmiller
+## Contributors: randx, yin8086, sashkab, orkoden, axilleas, bbodenmiller, DouweM
 ##
 ## Modified from nginx http version
 ## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
@@ -94,6 +94,23 @@ server {
  ## Individual nginx logs for this GitLab vhost
  access_log  /var/log/nginx/gitlab_access.log;
  error_log   /var/log/nginx/gitlab_error.log;
+  ## If you use HTTPS make sure you disable gzip compression
+  ## to be safe against BREACH attack.
+  gzip off;
+  ## https://github.com/gitlabhq/gitlabhq/issues/694
+  ## Some requests take more than 30 seconds.
+  proxy_read_timeout      300;
+  proxy_connect_timeout   300;
+  proxy_redirect          off;
+  proxy_set_header    Host                $http_host;
+  proxy_set_header    X-Real-IP           $remote_addr;
+  proxy_set_header    X-Forwarded-Ssl     on;
+  proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+  proxy_set_header    X-Forwarded-Proto   $scheme;
+  proxy_set_header    X-Frame-Options     SAMEORIGIN;
  location / {
    ## Serve static files from defined root folder.
@@ -101,26 +118,14 @@ server {
    try_files $uri $uri/index.html $uri.html @gitlab;
  }
+  ## We route uploads through GitLab to prevent XSS and enforce access control.
+  location /uploads/ {
+    proxy_pass http://gitlab;
+  }
  ## If a file, which is not found in the root folder is requested,
  ## then the proxy passes the request to the upsteam (gitlab unicorn).
  location @gitlab {
-    ## If you use HTTPS make sure you disable gzip compression
-    ## to be safe against BREACH attack.
-    gzip off;
-    ## https://github.com/gitlabhq/gitlabhq/issues/694
-    ## Some requests take more than 30 seconds.
-    proxy_read_timeout      300;
-    proxy_connect_timeout   300;
-    proxy_redirect          off;
-    proxy_set_header    Host                $http_host;
-    proxy_set_header    X-Real-IP           $remote_addr;
-    proxy_set_header    X-Forwarded-Ssl     on;
-    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-    proxy_set_header    X-Forwarded-Proto   $scheme;
-    proxy_set_header    X-Frame-Options     SAMEORIGIN;
    proxy_pass http://gitlab;
  }
@@ -130,7 +135,7 @@ server {
  ## See config/application.rb under "Relative url support" for the list of
  ## other files that need to be changed for relative url support
  location ~ ^/(assets)/ {
-    root /home/git/gitlab/public;
+    gzip on;
    gzip_static on; # to serve pre-gzipped version
    expires max;
    add_header Cache-Control public;