nginx.conf

server {
  listen 80;
  server_name ggg.ashmanov.com;
  server_tokens off;

  access_log  /var/log/nginx/gitlab_access.log;
  error_log   /var/log/nginx/gitlab_error.log;

  # запросы acme-challenge
  location ~ ^/\.well-known/acme-challenge/([a-zA-Z0-9_-]*)$ {
      default_type "text/plain";
      alias /var/cache/acme/challenges/$1;
  }
  
  # остальные запросы 
  location / {
    return 301 https://$server_name$request_uri;
  }
}

server {
  listen 443 ssl;
  server_name ggg.ashmanov.com;
  server_tokens off;

  access_log  /var/log/nginx/gitlab_ssl_access.log;
  error_log   /var/log/nginx/gitlab_ssl_error.log;

  ssl_certificate     /var/cache/acme/site.crt;
  ssl_certificate_key /var/cache/acme/site.key;

  # простейшая защита от XSS 
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Content-Type-Options nosniff;
  add_header X-Frame-Options DENY;

  if ($http_host != $server_name) {
      return 301 https://$server_name$request_uri;
  }

  include gitlab.conf;
}