NGINX - Wrong HSTS redirect sequence

We are using GitLab Omnibus 12.5, have HSTS enabled and are using external_url in our /etc/gitlab/gitlab.rb:

external_url 'https://gitlab.example.com'

However, we can reach GitLab by both the external_url and the server's hostname. This is problematic for HSTS, as the redirect sequence is wrong (we need to redirect HTTP to HTTPS on the same host first, cf. https://hstspreload.org/ and https://serverfault.com/questions/930368/hsts-and-double-redirect/):

http://servername.example.com/ -> https://gitlab.example.com:443/ -> https://gitlab.example.com/users/sign_in

This should be:

http://servername.example.com/ -> https://servername.example.com/ -> https://gitlab.example.com:443/ -> https://gitlab.example.com/users/sign_in

To get this fixed, we updated /var/opt/gitlab/nginx/conf/gitlab-http.conf from

  location / {
    return 301 https://gitlab.example.com:443$request_uri;
  }

to

  location / {
    return 301 https://$host$request_uri;
  }

However, it looks like we cannot make this persistent, as the template always inserts @fqdn:

  location / {
    return 301 https://<%= @fqdn %>:<%= @port %>$request_uri;
  }

Three questions:

  1. Is there a way to prevent GitLab from being accessed via URIs other than the external_url?
  2. If not, can we fully disable HTTP traffic?
  3. Shouldn't this be fixed in the template?
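As an added example, not part of the original report and not GitLab's code: a small Python script that follows a redirect chain one hop at a time and checks the property the report describes, namely that the first hop from http://HOST must land on https://HOST before any redirect to the canonical name. The two redirect tables are constructed to mirror the broken and the intended chains above (they are not captured responses from a real host); `live_fetch` performs a single HEAD request without following redirects and can be used against a real GitLab instance.

```python
"""Check that an HTTP -> HTTPS redirect chain is HSTS-preload friendly.

hstspreload.org requires the first redirect from http://HOST to go to
https://HOST (same host) so the browser receives the
Strict-Transport-Security header for HOST itself before being sent to
the canonical name.
"""
from urllib.parse import urlsplit, urljoin
import urllib.request
import urllib.error

MAX_HOPS = 10
REDIRECT_CODES = (301, 302, 303, 307, 308)


def follow_chain(start_url, fetch, max_hops=MAX_HOPS):
    """Follow redirects manually and return the list of URLs visited.

    `fetch(url)` must return (status_code, location_or_None) WITHOUT following
    redirects itself, so every intermediate hop stays visible.
    """
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return chain
        url = urljoin(url, location)  # resolve relative Location headers
        chain.append(url)
    raise RuntimeError("redirect loop or more than %d hops" % max_hops)


def _canon_host(url):
    """Host of a URL with the scheme's default port dropped (':443' on https)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    default = {"http": 80, "https": 443}.get(parts.scheme)
    return host if parts.port in (None, default) else "%s:%d" % (host, parts.port)


def hsts_redirect_ok(chain):
    """True if the first hop only upgrades http -> https on the same host."""
    if len(chain) < 2:
        return False
    first, second = urlsplit(chain[0]), urlsplit(chain[1])
    return (first.scheme == "http" and second.scheme == "https"
            and _canon_host(chain[0]) == _canon_host(chain[1]))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise HTTPError on 3xx instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=10):
    """One HEAD request against a real host; returns (status, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


# Constructed redirect tables (assumption: they model the two chains in the
# report; no network traffic is involved).
BROKEN_CHAIN = {
    "http://servername.example.com/": (301, "https://gitlab.example.com:443/"),
    "https://gitlab.example.com:443/": (302, "https://gitlab.example.com/users/sign_in"),
}
FIXED_CHAIN = {
    "http://servername.example.com/": (301, "https://servername.example.com/"),
    "https://servername.example.com/": (301, "https://gitlab.example.com:443/"),
    "https://gitlab.example.com:443/": (302, "https://gitlab.example.com/users/sign_in"),
}


def table_fetch(table):
    """Build a fetch() that answers from a constructed redirect table."""
    return lambda url: table.get(url, (200, None))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        start, fetch = sys.argv[1], live_fetch   # e.g. http://servername.example.com/
    else:
        start, fetch = "http://servername.example.com/", table_fetch(FIXED_CHAIN)
    chain = follow_chain(start, fetch)
    print(" -> ".join(chain))
    print("HSTS-friendly first hop:", hsts_redirect_ok(chain))
```

Run it with the plain-HTTP URL of the non-canonical hostname as the only argument to test a real deployment; without arguments it walks the constructed FIXED_CHAIN table.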