From 08874d2b51e71debac61659050ea577dffd89bf8 Mon Sep 17 00:00:00 2001
From: Douwe Maan <douwe@gitlab.com>
Date: Fri, 20 Feb 2015 23:27:17 +0100
Subject: Make changes to nginx config less likely to break something.

---
 lib/support/nginx/gitlab-ssl | 52 +++++++++++++++++++++++++++++---------------
 1 file changed, 34 insertions(+), 18 deletions(-)

(limited to 'lib/support/nginx/gitlab-ssl')

diff --git a/lib/support/nginx/gitlab-ssl b/lib/support/nginx/gitlab-ssl
index 4c88107ce0e..73885e6c22a 100644
--- a/lib/support/nginx/gitlab-ssl
+++ b/lib/support/nginx/gitlab-ssl
@@ -94,23 +94,6 @@ server {
   ## Individual nginx logs for this GitLab vhost
   access_log  /var/log/nginx/gitlab_access.log;
   error_log   /var/log/nginx/gitlab_error.log;
-  
-  ## If you use HTTPS make sure you disable gzip compression
-  ## to be safe against BREACH attack.
-  gzip off;
-
-  ## https://github.com/gitlabhq/gitlabhq/issues/694
-  ## Some requests take more than 30 seconds.
-  proxy_read_timeout      300;
-  proxy_connect_timeout   300;
-  proxy_redirect          off;
-
-  proxy_set_header    Host                $http_host;
-  proxy_set_header    X-Real-IP           $remote_addr;
-  proxy_set_header    X-Forwarded-Ssl     on;
-  proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-  proxy_set_header    X-Forwarded-Proto   $scheme;
-  proxy_set_header    X-Frame-Options     SAMEORIGIN;
 
   location / {
     ## Serve static files from defined root folder.
@@ -120,12 +103,46 @@ server {
 
   ## We route uploads through GitLab to prevent XSS and enforce access control.
   location /uploads/ {
+    ## If you use HTTPS make sure you disable gzip compression
+    ## to be safe against BREACH attack.
+    gzip off;
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-Ssl     on;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   $scheme;
+    proxy_set_header    X-Frame-Options     SAMEORIGIN;
+
     proxy_pass http://gitlab;
   }
 
   ## If a file, which is not found in the root folder is requested,
   ## then the proxy passes the request to the upsteam (gitlab unicorn).
   location @gitlab {
+    ## If you use HTTPS make sure you disable gzip compression
+    ## to be safe against BREACH attack.
+    gzip off;
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-Ssl     on;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   $scheme;
+    proxy_set_header    X-Frame-Options     SAMEORIGIN;
+
     proxy_pass http://gitlab;
   }
 
@@ -135,7 +152,6 @@ server {
   ## See config/application.rb under "Relative url support" for the list of
   ## other files that need to be changed for relative url support
   location ~ ^/(assets)/ {
-    gzip on;
     gzip_static on; # to serve pre-gzipped version
     expires max;
     add_header Cache-Control public;
-- 
cgit v1.2.1