diff --git a/group_vars/gitea.yml b/group_vars/gitea.yml
index 54de1a5..ee4d371 100644
--- a/group_vars/gitea.yml
+++ b/group_vars/gitea.yml
@@ -1,3 +1,4 @@
+apache_default_ssl_vhost: false
 sshd_agent_forwarding: false
 sshd_tcp_forwarding: false
 sshd_x11_forwarding: false
diff --git a/roles/gitea/defaults/main.yml b/roles/gitea/defaults/main.yml
index a4e6bc0..70383a9 100644
--- a/roles/gitea/defaults/main.yml
+++ b/roles/gitea/defaults/main.yml
@@ -11,3 +11,8 @@ gitea_http_domain: '{{ gitea_ssh_domain }}'
 gitea_root_url: 'http://{{ gitea_http_domain }}:3000/'
 gitea_webhook_allowed_host_list:
 - '*'
+
+gitea_ssl_certificate: >-
+ {{ apache_ssl_certificate }}
+gitea_ssl_certificate_key: >-
+ {{ apache_ssl_certificate_key }}
diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml
index 3c8beda..da57f14 100644
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
@@ -74,10 +74,10 @@ enabled=yes
 - name: ensure apache is configured to proxy for gitea
- copy:
- src=gitea.httpd.conf
- dest=/etc/httpd/conf.d/gitea.conf
- mode=0644
+ template:
+ src: gitea.httpd.conf.j2
+ dest: /etc/httpd/conf.d/gitea.conf
+ mode: u=rw,go=r
 notify: reload httpd
 - name: ensure selinux allows apache to proxy for gitea
 seboolean:
diff --git a/roles/gitea/templates/gitea.httpd.conf.j2 b/roles/gitea/templates/gitea.httpd.conf.j2
new file mode 100644
index 0000000..90cd30b
--- /dev/null
+++ b/roles/gitea/templates/gitea.httpd.conf.j2
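Review bot: The defaults still leave `gitea_root_url: 'http://{{ gitea_http_domain }}:3000/'` in the context of this hunk, while the new Apache front end redirects every plain-HTTP request to HTTPS and proxies the :443 vhost to port 3000. Gitea builds absolute URLs (clone URLs, redirects, webhook and OAuth callbacks) from ROOT_URL, so as written those links will point users straight at the unencrypted backend port instead of the TLS front end; the default should move with the proxy: `gitea_root_url: 'https://{{ gitea_http_domain }}/'`. If port 3000 is still bound on a non-loopback address that is a separate concern, but it is not visible here. As a point of style, the two new folded scalars `>- {{ apache_ssl_certificate }}` are single Jinja expressions and read more plainly as quoted one-liners, e.g. `gitea_ssl_certificate: '{{ apache_ssl_certificate }}'`, matching how `gitea_http_domain` is declared just above.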
@@ -0,0 +1,25 @@
+# vim: set ft=apache :
+RewriteEngine on
+RewriteCond %{HTTPS} !on
+RewriteRule /.* https://%{SERVER_NAME}$0 [R=301,L]
+
+
+ ServerName {{ gitea_http_domain }}
+
+ SSLCertificateFile {{ gitea_ssl_certificate }}
+ SSLCertificateKeyFile {{ gitea_ssl_certificate_key }}
+ SSLCertificateChainFile {{ gitea_ssl_certificate }}
+
+ RewriteEngine On
+ RewriteCond %{HTTPS} !on
+ RewriteRule /.* https://%{SERVER_NAME}$0
+
+ Header always set \
+ Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
+ ProxyPreserveHost On
+ ProxyRequests Off
+ ProxyPass / http://localhost:3000/ nocanon
+ ProxyPassReverse / http://localhost:3000/
+ AllowEncodedSlashes NoDecode
+
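Review bot: `SSLCertificateChainFile {{ gitea_ssl_certificate }}` points the chain at the very same file as `SSLCertificateFile`, so if that file holds only the leaf certificate no intermediate is ever sent and clients that lack the intermediate will fail validation, and if it already holds the full chain the directive is redundant (it is deprecated since httpd 2.4.8, where `SSLCertificateFile` reads a concatenated chain). Either drop the line and document that `gitea_ssl_certificate` must be a full-chain bundle, or introduce a distinct `gitea_ssl_certificate_chain` variable for it. Separately, the second `RewriteCond %{HTTPS} !on` / `RewriteRule` pair inside the TLS vhost can never match on a `*:443` listener and also lacks the `[R=301,L]` flags of the server-level rule above it, so it is dead configuration that should be removed rather than left looking like a redirect. Note that the `<VirtualHost *:443>` open and close lines appear to have been stripped from this rendering (they show as empty `+` lines), so the vhost boundaries are inferred; also consider `RequestHeader set X-Forwarded-Proto "https"` so the backend can tell it is behind TLS, if Gitea is configured to honour it.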