upstream gitlab-workhorse {
	server unix:/home/git/gitlab/tmp/sockets/gitlab-workhorse.socket fail_timeout=0;
}

map $http_upgrade $connection_upgrade_gitlab_ssl {
	default upgrade;
	'' close;
}

log_format gitlab_ssl_access '$remote_addr - $remote_user [$time_local] "$request_method $gitlab_ssl_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_ssl_filtered_http_referer" "$http_user_agent"';

map $request_uri $gitlab_ssl_temp_request_uri_1 {
	default $request_uri;
	~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}

map $gitlab_ssl_temp_request_uri_1 $gitlab_ssl_temp_request_uri_2 {
	default $gitlab_ssl_temp_request_uri_1;
	~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}

map $gitlab_ssl_temp_request_uri_2 $gitlab_ssl_filtered_request_uri {
	default $gitlab_ssl_temp_request_uri_2;
	~(?i)^(?<start>.*)(?<temp>[\?&]feed[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}

map $http_referer $gitlab_ssl_filtered_http_referer {
	default $http_referer;
	~^(?<temp>.*)\? $temp;
}

boilerplate gitlab_common {
	real_ip_header X-Real-IP;
	real_ip_recursive off;
	
	access_log /var/log/nginx/gitlab_access.log;# gitlab_ssl_access;
	error_log /var/log/nginx/gitlab_error.log;
	
	location / {
		client_max_body_size 0;
		gzip off;
		
		proxy_read_timeout 300;
		proxy_connect_timeout 300;
		proxy_redirect off;
		
		proxy_http_version 1.1;
		
		proxy_set_header Host $http_host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade_gitlab;
		
		# proxy_pass http://gitlab-workhorse;
		proxy_pass http://localhost:8080;
	}
	
	error_page 404 /404.html;
	error_page 422 /422.html;
	error_page 500 /500.html;
	error_page 502 /502.html;
	error_page 503 /503.html;
	
	location ~ ^/(404|422|500|502|503)\.html$ {
		root /home/git/gitlab/public;
		internal;
	}
}

server {
	server_name {{var_gitlab_and_nginx_domain}};
	server_tokens off;
	
	listen 80 default_server;
	listen [::]:80 ipv6only=on default_server;
	
{% if (var_gitlab_and_nginx_tls == "force") %}
	return 301 https://$http_host$request_uri;
{% else %}
	invoke gitlab_common;
{% endif %}
}

{% if (var_gitlab_and_nginx_tls != "disable") %}
server {
	server_name {{var_gitlab_and_nginx_domain}};
	server_tokens off;
	
	listen 0.0.0.0:443 ssl http2;
	listen [::]:443 ipv6only=on ssl http2 default_server;
	
	ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem;
	ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem;
	include /etc/nginx/ssl-hardening.conf;
	
	invoke gitlab_common;
}
{% endif %}