I would certainly recommend running candid over https. You have a couple of options for how to do this.
You can configure candid with a certificate and a private key to use in the configuration file. The default configuration file for the snap is found at /var/snap/candid/current/config.yaml. As you have configured LDAP already, you shouldn't have any problems finding it.
There are two options, tls-cert and tls-key. If these are configured then candid will serve its endpoints over https using the provided certificates. The tls-cert parameter is a string that holds a PEM encoded certificate that is used in the TLS handshake. The tls-key parameter is a string that holds the PEM encoded private key that goes along with the certificate. The private key should not be encrypted as there is no mechanism for candid to prompt for the password. If necessary tls-cert may hold a certificate chain so long as the first certificate is the one that matches tls-key.
When setting up certificates you will have to update the location parameter to tell candid to generate URLs using https rather than http.
Alternatively, if you wish to deploy candid behind a reverse proxy then you should either give candid its own subdomain, or its own sub-tree on the server. Either
https://example.com/candid. The reverse proxy can terminate the TLS connection and proxy to the candid server. In either case you will need to update the location parameter in the configuration file (see above) to tell candid where it is being served.
If you choose to use a sub-tree for candid you will also have to manipulate paths in the request and response. The request will have to be modified such that the sub-tree is removed from the request path, e.g. /candid/discharge should be mapped to /discharge before forwarding. Also, in the reverse direction, any Set-Cookie headers need to be updated to re-add the sub-tree path, e.g.
/candid/login. When using apache these functions are provided by the ProxyPass, ProxyPassReverse & ProxyPassReverseCookiePath directives.
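As an added illustration of the sub-tree setup described above (this is example configuration, not part of the original post or of the candid project), here is an Apache virtual host that terminates TLS and forwards https://example.com/candid/... to a candid server listening on plain HTTP. The hostname, certificate paths and the backend address 127.0.0.1:8081 are assumptions; candid's own location parameter in config.yaml would be set to https://example.com/candid to match.

```apache
# Added example, not from the original post. Requires mod_ssl, mod_proxy and
# mod_proxy_http. Hostname, certificate paths and backend address are assumptions.
<VirtualHost *:443>
    ServerName example.com

    # TLS is terminated here, so candid itself does not need tls-cert/tls-key.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    # Pass the public Host header through rather than the backend's address.
    ProxyPreserveHost On

    # Request direction: strip the sub-tree prefix before forwarding,
    # so /candid/discharge reaches candid as /discharge.
    ProxyPass        /candid/ http://127.0.0.1:8081/

    # Response direction: rewrite Location and similar headers that candid
    # emits for its own root so they point back under /candid/.
    ProxyPassReverse /candid/ http://127.0.0.1:8081/

    # Response direction: re-add the prefix to Set-Cookie Path attributes,
    # e.g. Path=/login becomes Path=/candid/login.
    ProxyPassReverseCookiePath / /candid/
</VirtualHost>
```

Keep the trailing slashes on both sides of ProxyPass and ProxyPassReverse consistent, otherwise the prefix is not stripped cleanly. After restarting Apache, a request for https://example.com/candid/discharge should reach the backend as /discharge, and cookies set by candid should come back with paths under /candid/.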