I’d just keep the reverse proxy to localhost, so we stay flexible and can do cert settings in httpd via web UI.
Sorry, it wasn’t clear from my statement.
And I was not so clear either:
I meant: what if someone opens the port to red/green and sends passwords etc. unencrypted? Should we take measures against this misconfiguration and use https://::5321 ? Maybe done conditionally…
An option to prevent this would be to enforce the db prop value with a force/ db entry. For me, documenting it is more than enough (…service runs on localhost and is accessible through a reverse proxy. Changing service access is discouraged and can lead to security issues or unexpected behaviour).
https can have a little performance penalty.
Don’t know, could a vulnerable service sniff or exfiltrate traffic from another one?
Use the default (localhost) certificate in apache configuration
Examine if the gitea daemon really needs a certificate; if possible drop it (love to do it KISS)
Clarify documentation regarding keeping access for the service on the localhost - or - enforce db entry (first thought/feeling is the documentation option)
EDIT
Turns out we do not need a certificate for the daemon as long as the daemon uses http.
(resulting commit)
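For reference, the layout agreed above (daemon on plain http bound to localhost, TLS terminated in httpd with the existing certificate, no certificate on the daemon itself) as an added example vhost. This is not the project's own configuration or the resulting commit; the port 5321, the path /gitea/, the certificate file names and the server name are assumptions for illustration.

```apache
# Added example, not the project's config. Assumed: daemon listens on
# http://127.0.0.1:5321, httpd already has a default certificate.
<VirtualHost *:443>
    ServerName example.local              # assumption
    SSLEngine on
    SSLCertificateFile    /etc/httpd/server.crt   # assumed path
    SSLCertificateKeyFile /etc/httpd/server.key   # assumed path

    # Never let the client choose the backend host/port: fixed localhost target.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        /gitea/ http://127.0.0.1:5321/
    ProxyPassReverse /gitea/ http://127.0.0.1:5321/

    # Tell the backend it was reached over TLS so generated links use https.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

The counterpart on the daemon side is that it must bind to 127.0.0.1 (or ::1) and not to 0.0.0.0, otherwise the localhost-only assumption the documentation relies on is silently broken; a quick check after any change is that the port shows up in the listening sockets only on a loopback address.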