I recently installed Gogs from source on a digital ocean droplet / debian 9.6. Everything went smoothly, Gogs is truly amazing. I encountered one little glitch when using GO 1.10… I had to use GO 1.9.6. but this is not the point of my message.
One thing I noticed is that, using an apache2 reverse proxy for https, the Gogs instance on port 3000 remains visible.
I think I could fix it using the debian firewall but is there a way the “use https option” built-in with Gogs can restrict the unencrypted usage to localhost?
Also, I would suggest you create a “Security” category on this forum