Make changes to nginx config less likely to break something.

doc/update/6.x-or-7.x-to-7.8.md

@@ -180,7 +180,7 @@ sudo cp lib/support/logrotate/gitlab /etc/logrotate.d/gitlab
 
 * HTTP setups: Make `/etc/nginx/sites-available/gitlab` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-8-stable/lib/support/nginx/gitlab but with your settings.
 * HTTPS setups: Make `/etc/nginx/sites-available/gitlab-ssl` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-8-stablef/lib/support/nginx/gitlab-ssl but with your settings.
-* Take special note of the `location /uploads/` section that has been added, the directives from `# gzip off;` up to `proxy_set_header X-Frame-Options SAMEORIGIN;` that have been moved from `location @gitlab` to `server`, and the `gzip on;` directive that has been added to `location ~ ^/(assets)/`.
+* A new `location /uploads/` section has been added that needs to have the same content as the existing `location @gitlab` section.
 
 ## 9. Start application
 

doc/update/7.7-to-7.8.md

@@ -77,7 +77,7 @@ git diff origin/7-6-stable:config/gitlab.yml.example origin/7-8-stable:config/gi
 
 * HTTP setups: Make `/etc/nginx/sites-available/gitlab` the same as [`lib/support/nginx/gitlab`](/lib/support/nginx/gitlab) but with your settings.
 * HTTPS setups: Make `/etc/nginx/sites-available/gitlab-ssl` the same as [`lib/support/nginx/gitlab-ssl`](/lib/support/nginx/gitlab-ssl) but with your settings.
-* Take special note of the `location /uploads/` section that has been added, the directives from `# gzip off;` up to `proxy_set_header X-Frame-Options SAMEORIGIN;` that have been moved from `location @gitlab` to `server`, and the `gzip on;` directive that has been added to `location ~ ^/(assets)/`.
+* A new `location /uploads/` section has been added that needs to have the same content as the existing `location @gitlab` section.
 
 #### Setup time zone (optional)
 

lib/support/nginx/gitlab

@@ -50,22 +50,6 @@ server {
   access_log  /var/log/nginx/gitlab_access.log;
   error_log   /var/log/nginx/gitlab_error.log;
 
-  ## If you use HTTPS make sure you disable gzip compression
-  ## to be safe against BREACH attack.
-  # gzip off;
-
-  ## https://github.com/gitlabhq/gitlabhq/issues/694
-  ## Some requests take more than 30 seconds.
-  proxy_read_timeout      300;
-  proxy_connect_timeout   300;
-  proxy_redirect          off;
-
-  proxy_set_header    Host                $http_host;
-  proxy_set_header    X-Real-IP           $remote_addr;
-  proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-  proxy_set_header    X-Forwarded-Proto   $scheme;
-  proxy_set_header    X-Frame-Options     SAMEORIGIN;
-
   location / {
     ## Serve static files from defined root folder.
     ## @gitlab is a named location for the upstream fallback, see below.
@@ -74,12 +58,44 @@ server {
 
   ## We route uploads through GitLab to prevent XSS and enforce access control.
   location /uploads/ {
+    ## If you use HTTPS make sure you disable gzip compression
+    ## to be safe against BREACH attack.
+    # gzip off;
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   $scheme;
+    proxy_set_header    X-Frame-Options     SAMEORIGIN;
+
     proxy_pass http://gitlab;
   }
 
   ## If a file, which is not found in the root folder is requested,
   ## then the proxy passes the request to the upsteam (gitlab unicorn).
   location @gitlab {
+    ## If you use HTTPS make sure you disable gzip compression
+    ## to be safe against BREACH attack.
+    # gzip off;
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   $scheme;
+    proxy_set_header    X-Frame-Options     SAMEORIGIN;
+
     proxy_pass http://gitlab;
   }
 
@@ -89,7 +105,6 @@ server {
   ## See config/application.rb under "Relative url support" for the list of
   ## other files that need to be changed for relative url support
   location ~ ^/(assets)/ {
-    gzip on;
     gzip_static on; # to serve pre-gzipped version
     expires max;
     add_header Cache-Control public;

lib/support/nginx/gitlab-ssl

@@ -94,23 +94,6 @@ server {
   ## Individual nginx logs for this GitLab vhost
   access_log  /var/log/nginx/gitlab_access.log;
   error_log   /var/log/nginx/gitlab_error.log;
-  
-  ## If you use HTTPS make sure you disable gzip compression
-  ## to be safe against BREACH attack.
-  gzip off;
-
-  ## https://github.com/gitlabhq/gitlabhq/issues/694
-  ## Some requests take more than 30 seconds.
-  proxy_read_timeout      300;
-  proxy_connect_timeout   300;
-  proxy_redirect          off;
-
-  proxy_set_header    Host                $http_host;
-  proxy_set_header    X-Real-IP           $remote_addr;
-  proxy_set_header    X-Forwarded-Ssl     on;
-  proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-  proxy_set_header    X-Forwarded-Proto   $scheme;
-  proxy_set_header    X-Frame-Options     SAMEORIGIN;
 
   location / {
     ## Serve static files from defined root folder.
@@ -120,12 +103,46 @@ server {
 
   ## We route uploads through GitLab to prevent XSS and enforce access control.
   location /uploads/ {
+    ## If you use HTTPS make sure you disable gzip compression
+    ## to be safe against BREACH attack.
+    gzip off;
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-Ssl     on;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   $scheme;
+    proxy_set_header    X-Frame-Options     SAMEORIGIN;
+
     proxy_pass http://gitlab;
   }
 
   ## If a file, which is not found in the root folder is requested,
   ## then the proxy passes the request to the upsteam (gitlab unicorn).
   location @gitlab {
+    ## If you use HTTPS make sure you disable gzip compression
+    ## to be safe against BREACH attack.
+    gzip off;
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-Ssl     on;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   $scheme;
+    proxy_set_header    X-Frame-Options     SAMEORIGIN;
+
     proxy_pass http://gitlab;
   }
 
@@ -135,7 +152,6 @@ server {
   ## See config/application.rb under "Relative url support" for the list of
   ## other files that need to be changed for relative url support
   location ~ ^/(assets)/ {
-    gzip on;
     gzip_static on; # to serve pre-gzipped version
     expires max;
     add_header Cache-Control public;