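server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name git.thelyoncompany.com;
    # Proxy-only vhost: nothing is served from disk, every request goes to proxy_pass below.
    root /dev/null;

    # SSL
    ssl_certificate /etc/letsencrypt/live/thelyoncompany.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/thelyoncompany.com/privkey.pem;
    ssl_dhparam /etc/nginx/dhparam.pem;
    # NOTE: ssl_trusted_certificate is deliberately NOT set. nginx uses that file
    # both for OCSP-stapling verification and as an additional, unadvertised trust
    # anchor when verifying *client* certificates. Pointing it at this site's own
    # fullchain.pem would add the public CA intermediate in that file to the set of
    # accepted client-certificate issuers and widen the mTLS check below beyond the
    # Cloudflare origin-pull CA. ssl_stapling is not enabled here, so the directive
    # has no other purpose in this vhost.

    # Authenticated origin pulls: only connections presenting a client certificate
    # issued by the Cloudflare origin-pull CA are accepted.
    ssl_client_certificate /etc/nginx/ssl/cloudflare.crt;
    ssl_verify_client on;

    # security headers
    # "always" makes nginx attach these to every response status, not only the
    # 2xx/3xx set add_header covers by default; without it error responses (e.g. a
    # 502 while the upstream is down, or the 400 for a rejected client cert) would
    # be sent without HSTS and the other protections.
    # add_header is not inherited by a location that sets its own add_header; the
    # location below (and the included snippets/proxy.conf) must not do so, or these
    # headers must be repeated there — confirm against snippets/proxy.conf.
    add_header X-Frame-Options           "SAMEORIGIN" always;
    # Legacy header, ignored by current browsers; kept for older user agents.
    add_header X-XSS-Protection          "1; mode=block" always;
    add_header X-Content-Type-Options    "nosniff" always;
    add_header X-UA-Compatible           "IE=Edge" always;
    add_header Referrer-Policy           "no-referrer-when-downgrade" always;
    # CSP here only upgrades mixed content; it sets no source restrictions.
    add_header Content-Security-Policy   "upgrade-insecure-requests" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        # Upstream is plain HTTP on the loopback interface; TLS terminates here.
        proxy_pass http://localhost:3000;
        include    snippets/proxy.conf;
    }
}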