diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml index 37b9b44..d0791c1 100644 --- a/roles/gitea/tasks/main.yml +++ b/roles/gitea/tasks/main.yml @@ -79,6 +79,8 @@ dest: /etc/httpd/conf.d/gitea.conf mode: u=rw,go=r notify: reload httpd + tags: + - apache - name: ensure selinux allows apache to proxy for gitea seboolean: name=httpd_can_network_connect diff --git a/roles/gitea/templates/gitea.httpd.conf.j2 b/roles/gitea/templates/gitea.httpd.conf.j2 index 90cd30b..dd0044f 100644 --- a/roles/gitea/templates/gitea.httpd.conf.j2 +++ b/roles/gitea/templates/gitea.httpd.conf.j2 @@ -1,7 +1,23 @@ -# vim: set ft=apache : -RewriteEngine on -RewriteCond %{HTTPS} !on -RewriteRule /.* https://%{SERVER_NAME}$0 [R=301,L] +{#- vim: set ft=apache.jinja : -#} +# vim: set sw=4 ts=4 sts=4 et : +{% macro proxypass() -%} +ProxyPreserveHost On +ProxyRequests Off +ProxyPass / http://localhost:3000/ nocanon +ProxyPassReverse / http://localhost:3000/ +AllowEncodedSlashes NoDecode +{%- endmacro -%} + + + ServerName {{ gitea_http_domain }} + + RewriteEngine on + RewriteCond %{HTTPS} !on + RewriteCond %{REQUEST_FILENAME} !\.ks$ + RewriteRule /.* https://%{SERVER_NAME}$0 [R=301,L] + + {{ proxypass() | indent(4) }} + ServerName {{ gitea_http_domain }} @@ -10,16 +26,8 @@ RewriteRule /.* https://%{SERVER_NAME}$0 [R=301,L] SSLCertificateKeyFile {{ gitea_ssl_certificate_key }} SSLCertificateChainFile {{ gitea_ssl_certificate }} - RewriteEngine On - RewriteCond %{HTTPS} !on - RewriteRule /.* https://%{SERVER_NAME}$0 - Header always set \ Strict-Transport-Security "max-age=63072000; includeSubDomains" - ProxyPreserveHost On - ProxyRequests Off - ProxyPass / http://localhost:3000/ nocanon - ProxyPassReverse / http://localhost:3000/ - AllowEncodedSlashes NoDecode + {{ proxypass() | indent(4) }}
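Review bot: The added `RewriteCond %{REQUEST_FILENAME} !\.ks$` in the plain-HTTP block of gitea.httpd.conf.j2 exempts every URL path ending in `.ks` from the HTTPS redirect, and because `proxypass()` maps `/`, those requests reach Gitea in cleartext with whatever cookies or credentials the client sends. The diff does not say why; if these are kickstart files fetched by installers that cannot do TLS, their content can also be altered in transit, so they should hold no secrets and the exception should be stated in the template, e.g. `# .ks is served over plain HTTP for installer clients; everything else is redirected to HTTPS`. The cleartext path could be limited to read-only fetches by marking the `.ks` condition `[OR]` and following it with `RewriteCond %{REQUEST_METHOD} !=GET`, so that non-GET requests are still redirected. Since the block already sets `ServerName {{ gitea_http_domain }}`, the redirect target could use that value instead of `%{SERVER_NAME}`, which may reflect the client's Host header depending on the `UseCanonicalName` setting. The container lines around this block are not visible on the page, so the port it binds to is inferred from the `%{HTTPS} !on` condition.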