upstream gitlab-workhorse {
  server 'unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket' fail_timeout=0;
}

map $http_upgrade $connection_upgrade_gitlab_ssl {
  default upgrade;
  '' close;
}

map $request_uri $gitlab_ssl_temp_request_uri_1 {
  default $request_uri;
  ~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}

map $gitlab_ssl_temp_request_uri_1 $gitlab_ssl_temp_request_uri_2 {
  default $gitlab_ssl_temp_request_uri_1;
  ~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}

map $gitlab_ssl_temp_request_uri_2 $gitlab_ssl_filtered_request_uri {
  default $gitlab_ssl_temp_request_uri_2;
  ~(?i)^(?<start>.*)(?<temp>[\?&]feed[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}

map $http_referer $gitlab_ssl_filtered_http_referer {
  default $http_referer;
  ~^(?<temp>.*)\? $temp;
}

server {
  listen 443 ssl;
  server_name 192.168.1.2;

  ssl_certificate '/etc/ssl/_ssc/gitlab.crt';
  ssl_certificate_key '/etc/ssl/_ssc/gitlab.key';

  access_log '/var/log/angie/gitlab.access.log';
  error_log '/var/log/angie/gitlab.error.log';

  location / {
    client_max_body_size 0;
    gzip off;

    proxy_set_header 'Connection' $connection_upgrade_gitlab_ssl;
    proxy_set_header 'Host' $http_host;
    proxy_set_header 'Upgrade' $http_upgrade;
    proxy_set_header 'X-Forwarded-For' $proxy_add_x_forwarded_for;
    proxy_set_header 'X-Forwarded-Proto' $scheme;
    proxy_set_header 'X-Forwarded-Ssl' on;
    proxy_set_header 'X-Real-IP' $remote_addr;

    proxy_pass http://gitlab-workhorse;
  }

  error_page 404 /404.html;
  error_page 422 /422.html;
  error_page 500 /500.html;
  error_page 502 /502.html;
  error_page 503 /503.html;

  location ~ ^/(404|422|500|502|503)\.html$ {
    root '/opt/gitlab/embedded/service/gitlab-rails/public';
    internal;
  }
}