Make changes to nginx config less likely to break something.

doc/update/6.x-or-7.x-to-7.8.md

@@ -180,7 +180,7 @@ sudo cp lib/support/logrotate/gitlab /etc/logrotate.d/gitlab
 
 * HTTP setups: Make `/etc/nginx/sites-available/gitlab` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-8-stable/lib/support/nginx/gitlab but with your settings.
 * HTTPS setups: Make `/etc/nginx/sites-available/gitlab-ssl` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-8-stablef/lib/support/nginx/gitlab-ssl but with your settings.
-* Take special note of the `location /uploads/` section that has been added, the directives from `# gzip off;` up to `proxy_set_header X-Frame-Options SAMEORIGIN;` that have been moved from `location @gitlab` to `server`, and the `gzip on;` directive that has been added to `location ~ ^/(assets)/`.
+* A new `location /uploads/` section has been added that needs to have the same content as the existing `location @gitlab` section.
 
 ## 9. Start application
 

doc/update/7.7-to-7.8.md

@@ -77,7 +77,7 @@ git diff origin/7-6-stable:config/gitlab.yml.example origin/7-8-stable:config/gi
 
 * HTTP setups: Make `/etc/nginx/sites-available/gitlab` the same as [`lib/support/nginx/gitlab`](/lib/support/nginx/gitlab) but with your settings.
 * HTTPS setups: Make `/etc/nginx/sites-available/gitlab-ssl` the same as [`lib/support/nginx/gitlab-ssl`](/lib/support/nginx/gitlab-ssl) but with your settings.
-* Take special note of the `location /uploads/` section that has been added, the directives from `# gzip off;` up to `proxy_set_header X-Frame-Options SAMEORIGIN;` that have been moved from `location @gitlab` to `server`, and the `gzip on;` directive that has been added to `location ~ ^/(assets)/`.
+* A new `location /uploads/` section has been added that needs to have the same content as the existing `location @gitlab` section.
 
 #### Setup time zone (optional)
 

lib/support/nginx/gitlab

@@ -50,6 +50,14 @@ server {
   access_log  /var/log/nginx/gitlab_access.log;
   error_log   /var/log/nginx/gitlab_error.log;
 
+  location / {
+    ## Serve static files from defined root folder.
+    ## @gitlab is a named location for the upstream fallback, see below.
+    try_files $uri $uri/index.html $uri.html @gitlab;
+  }
+
+  ## We route uploads through GitLab to prevent XSS and enforce access control.
+  location /uploads/ {
     ## If you use HTTPS make sure you disable gzip compression
     ## to be safe against BREACH attack.
     # gzip off;
@@ -66,20 +74,28 @@ server {
     proxy_set_header    X-Forwarded-Proto   $scheme;
     proxy_set_header    X-Frame-Options     SAMEORIGIN;
 
-  location / {
-    ## Serve static files from defined root folder.
-    ## @gitlab is a named location for the upstream fallback, see below.
-    try_files $uri $uri/index.html $uri.html @gitlab;
-  }
-
-  ## We route uploads through GitLab to prevent XSS and enforce access control.
-  location /uploads/ {
     proxy_pass http://gitlab;
   }
 
   ## If a file, which is not found in the root folder is requested,
   ## then the proxy passes the request to the upsteam (gitlab unicorn).
   location @gitlab {
+    ## If you use HTTPS make sure you disable gzip compression
+    ## to be safe against BREACH attack.
+    # gzip off;
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   $scheme;
+    proxy_set_header    X-Frame-Options     SAMEORIGIN;
+
     proxy_pass http://gitlab;
   }
 
@@ -89,7 +105,6 @@ server {
   ## See config/application.rb under "Relative url support" for the list of
   ## other files that need to be changed for relative url support
   location ~ ^/(assets)/ {
-    gzip on;
     gzip_static on; # to serve pre-gzipped version
     expires max;
     add_header Cache-Control public;

lib/support/nginx/gitlab-ssl

@@ -95,6 +95,14 @@ server {
   access_log  /var/log/nginx/gitlab_access.log;
   error_log   /var/log/nginx/gitlab_error.log;
 
+  location / {
+    ## Serve static files from defined root folder.
+    ## @gitlab is a named location for the upstream fallback, see below.
+    try_files $uri $uri/index.html $uri.html @gitlab;
+  }
+
+  ## We route uploads through GitLab to prevent XSS and enforce access control.
+  location /uploads/ {
     ## If you use HTTPS make sure you disable gzip compression
     ## to be safe against BREACH attack.
     gzip off;
@@ -112,20 +120,29 @@ server {
     proxy_set_header    X-Forwarded-Proto   $scheme;
     proxy_set_header    X-Frame-Options     SAMEORIGIN;
 
-  location / {
-    ## Serve static files from defined root folder.
-    ## @gitlab is a named location for the upstream fallback, see below.
-    try_files $uri $uri/index.html $uri.html @gitlab;
-  }
-
-  ## We route uploads through GitLab to prevent XSS and enforce access control.
-  location /uploads/ {
     proxy_pass http://gitlab;
   }
 
   ## If a file, which is not found in the root folder is requested,
   ## then the proxy passes the request to the upsteam (gitlab unicorn).
   location @gitlab {
+    ## If you use HTTPS make sure you disable gzip compression
+    ## to be safe against BREACH attack.
+    gzip off;
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-Ssl     on;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   $scheme;
+    proxy_set_header    X-Frame-Options     SAMEORIGIN;
+
     proxy_pass http://gitlab;
   }
 
@@ -135,7 +152,6 @@ server {
   ## See config/application.rb under "Relative url support" for the list of
   ## other files that need to be changed for relative url support
   location ~ ^/(assets)/ {
-    gzip on;
     gzip_static on; # to serve pre-gzipped version
     expires max;
     add_header Cache-Control public;