upstream gitlabce {
	server gitlabce-service-dockerbunker:80;
}

server {
	listen 80;
	server_name ${SERVICE_DOMAIN};
	return 301 https://$host$request_uri;
	add_header X-Content-Type-Options "nosniff" always;
	add_header X-XSS-Protection "1; mode=block" always;
	add_header X-Frame-Options "DENY" always;
	add_header Referrer-Policy "strict-origin" always;
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
	server_tokens off;
}

server {
	listen 443;
	server_name ${SERVICE_DOMAIN};
	ssl on;
	ssl_certificate /etc/nginx/ssl/${SERVICE_DOMAIN}/cert.pem;
	ssl_certificate_key /etc/nginx/ssl/${SERVICE_DOMAIN}/key.pem;
	include /etc/nginx/includes/ssl.conf;

	add_header X-Content-Type-Options "nosniff" always;
	add_header X-XSS-Protection "1; mode=block" always;
	add_header X-Frame-Options "DENY" always;
	add_header Referrer-Policy "strict-origin" always;
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
	server_tokens off;

	include /etc/nginx/includes/gzip.conf;

	location / {
		proxy_pass http://gitlabce/;
		proxy_set_header  Host			  $http_host;   # required for docker client's sake
		proxy_set_header  X-Real-IP		 $remote_addr; # pass on real client's IP
		proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
		proxy_set_header  X-Forwarded-Proto $scheme;
		proxy_read_timeout				  900;
	}

	location ~ /.well-known {
		allow all;
		root /var/www/html;
	}
}