Modify nginx config to let /uploads go through to unicorn.

2 files changed, 47 insertions, 37 deletions

diff --git a/lib/support/nginx/gitlab b/lib/support/nginx/gitlab
index c8b769ace8e..a4f0b973e3c 100644
--- a/lib/support/nginx/gitlab
+++ b/lib/support/nginx/gitlab
@@ -1,5 +1,5 @@
 ## GitLab
-## Contributors: randx, yin8086, sashkab, orkoden, axilleas, bbodenmiller
+## Contributors: randx, yin8086, sashkab, orkoden, axilleas, bbodenmiller, DouweM
 ##
 ## Lines starting with two hashes (##) are comments with information.
 ## Lines starting with one hash (#) are configuration parameters that can be uncommented.
@@ -50,31 +50,36 @@ server {
   access_log  /var/log/nginx/gitlab_access.log;
   error_log   /var/log/nginx/gitlab_error.log;
 
+  ## If you use HTTPS make sure you disable gzip compression
+  ## to be safe against BREACH attack.
+  # gzip off;
+
+  ## https://github.com/gitlabhq/gitlabhq/issues/694
+  ## Some requests take more than 30 seconds.
+  proxy_read_timeout      300;
+  proxy_connect_timeout   300;
+  proxy_redirect          off;
+
+  proxy_set_header    Host                $http_host;
+  proxy_set_header    X-Real-IP           $remote_addr;
+  proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+  proxy_set_header    X-Forwarded-Proto   $scheme;
+  proxy_set_header    X-Frame-Options     SAMEORIGIN;
+
   location / {
     ## Serve static files from defined root folder.
     ## @gitlab is a named location for the upstream fallback, see below.
     try_files $uri $uri/index.html $uri.html @gitlab;
   }
 
+  ## We route uploads through GitLab to prevent XSS and enforce access control.
+  location /uploads/ {
+    proxy_pass http://gitlab;
+  }
+
   ## If a file, which is not found in the root folder is requested,
   ## then the proxy passes the request to the upsteam (gitlab unicorn).
   location @gitlab {
-    ## If you use HTTPS make sure you disable gzip compression
-    ## to be safe against BREACH attack.
-    # gzip off;
-
-    ## https://github.com/gitlabhq/gitlabhq/issues/694
-    ## Some requests take more than 30 seconds.
-    proxy_read_timeout      300;
-    proxy_connect_timeout   300;
-    proxy_redirect          off;
-
-    proxy_set_header    Host                $http_host;
-    proxy_set_header    X-Real-IP           $remote_addr;
-    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-    proxy_set_header    X-Forwarded-Proto   $scheme;
-    proxy_set_header    X-Frame-Options     SAMEORIGIN;
-
     proxy_pass http://gitlab;
   }
 
@@ -84,7 +89,7 @@ server {
   ## See config/application.rb under "Relative url support" for the list of
   ## other files that need to be changed for relative url support
   location ~ ^/(assets)/ {
-    root /home/git/gitlab/public;
+    gzip on;
     gzip_static on; # to serve pre-gzipped version
     expires max;
     add_header Cache-Control public;
diff --git a/lib/support/nginx/gitlab-ssl b/lib/support/nginx/gitlab-ssl
index 19af010a9f7..4c88107ce0e 100644
--- a/lib/support/nginx/gitlab-ssl
+++ b/lib/support/nginx/gitlab-ssl
@@ -1,5 +1,5 @@
 ## GitLab
-## Contributors: randx, yin8086, sashkab, orkoden, axilleas, bbodenmiller
+## Contributors: randx, yin8086, sashkab, orkoden, axilleas, bbodenmiller, DouweM
 ##
 ## Modified from nginx http version
 ## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
@@ -94,6 +94,23 @@ server {
   ## Individual nginx logs for this GitLab vhost
   access_log  /var/log/nginx/gitlab_access.log;
   error_log   /var/log/nginx/gitlab_error.log;
+  
+  ## If you use HTTPS make sure you disable gzip compression
+  ## to be safe against BREACH attack.
+  gzip off;
+
+  ## https://github.com/gitlabhq/gitlabhq/issues/694
+  ## Some requests take more than 30 seconds.
+  proxy_read_timeout      300;
+  proxy_connect_timeout   300;
+  proxy_redirect          off;
+
+  proxy_set_header    Host                $http_host;
+  proxy_set_header    X-Real-IP           $remote_addr;
+  proxy_set_header    X-Forwarded-Ssl     on;
+  proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+  proxy_set_header    X-Forwarded-Proto   $scheme;
+  proxy_set_header    X-Frame-Options     SAMEORIGIN;
 
   location / {
     ## Serve static files from defined root folder.
@@ -101,26 +118,14 @@ server {
     try_files $uri $uri/index.html $uri.html @gitlab;
   }
 
+  ## We route uploads through GitLab to prevent XSS and enforce access control.
+  location /uploads/ {
+    proxy_pass http://gitlab;
+  }
+
   ## If a file, which is not found in the root folder is requested,
   ## then the proxy passes the request to the upsteam (gitlab unicorn).
   location @gitlab {
-    ## If you use HTTPS make sure you disable gzip compression
-    ## to be safe against BREACH attack.
-    gzip off;
-
-    ## https://github.com/gitlabhq/gitlabhq/issues/694
-    ## Some requests take more than 30 seconds.
-    proxy_read_timeout      300;
-    proxy_connect_timeout   300;
-    proxy_redirect          off;
-
-    proxy_set_header    Host                $http_host;
-    proxy_set_header    X-Real-IP           $remote_addr;
-    proxy_set_header    X-Forwarded-Ssl     on;
-    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-    proxy_set_header    X-Forwarded-Proto   $scheme;
-    proxy_set_header    X-Frame-Options     SAMEORIGIN;
-
     proxy_pass http://gitlab;
   }
 
@@ -130,7 +135,7 @@ server {
   ## See config/application.rb under "Relative url support" for the list of
   ## other files that need to be changed for relative url support
   location ~ ^/(assets)/ {
-    root /home/git/gitlab/public;
+    gzip on;
     gzip_static on; # to serve pre-gzipped version
     expires max;
     add_header Cache-Control public;