With ‘overwriteprotocol’ not set to ‘https’ don’t you then suffer from a problem whereby users cannot change their passwords?
I’m working with a setup where the public address is through a tunnel that takes care of the https security certs etc and initially I could also access over the local LAN with http. But, in order to solve the password issue when users connect over the public tunnel, I enabled the overwriteprotocol => https which disables access over the local lan.
Seems like a catch 22.