diff --git a/roles/gitea/defaults/main.yml b/roles/gitea/defaults/main.yml
index 7b47df9..aeb2f98 100644
--- a/roles/gitea/defaults/main.yml
+++ b/roles/gitea/defaults/main.yml
@@ -1,11 +1,11 @@
 ---
 # Version to install
-gitea_version: 1.13.7
+gitea_version: 1.14.0
 # URL to the binary
 gitea_bin_url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64
 # sha256 of the binary
-gitea_bin_sha256: f1c0d3368d49f544183ec799005e7149fa566e3fd6eca1091d67d75b3f89f716
+gitea_bin_sha256: f3c67ff8644b8ba7947d69a31fbae95f879f181a6038c0737740771075bada24
 # Handle updates. If set to false, ansible will only install
 # Gitea and then won't touch an existing installation
 gitea_manage_upgrade: True
@@ -23,8 +23,7 @@ gitea_web_port: 3280
 # Port for SSH access
 gitea_ssh_port: 22
 # Used to restrict access to the web interface
-gitea_web_src_ip:
- 0.0.0.0/0
+gitea_web_src_ip: []
 # If set, will read username from the following HTTP header
 # use when behind a reverse proxy
 # gitea_username_header: Auth-User
diff --git a/roles/gitea/templates/app.ini.j2 b/roles/gitea/templates/app.ini.j2
index b53c002..65c58a1 100644
--- a/roles/gitea/templates/app.ini.j2
+++ b/roles/gitea/templates/app.ini.j2
@@ -9,6 +9,11 @@ SECRET_KEY = {{ gitea_tokens.results | selectattr('item','equalto','SECRET_K
 {% if gitea_username_header is defined %}
 REVERSE_PROXY_AUTHENTICATION_USER = {{ gitea_username_header }}
 {% endif %}
+{% if gitea_web_src_ip is defined and gitea_web_src_ip | length > 0 %}
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = {{ gitea_web_src_ip | select('search','\\.\\d+$') | list | join(',') }}
+REVERSE_PROXY_TRUSTED_NETWORKS = {{ gitea_web_src_ip | select('search','/\\d+$') | list | join(',') }}
+{% endif %}
 [server]
 LOCAL_ROOT_URL = http://localhost:{{ gitea_web_port }}/
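Review bot: The comment above `gitea_web_src_ip` in roles/gitea/defaults/main.yml does not say what the new empty default means, and the default flips from `0.0.0.0/0` to `[]` for every host that never set the variable. The tasks that consume the list are not part of this diff, so it is not possible to tell from here whether an empty list leaves the web port open to everyone or closed to everyone. I would document it next to the default, e.g. `# Source IPs/CIDRs allowed to reach the web interface; also rendered into app.ini as the trusted reverse proxies. Empty list: <state the resulting behaviour>`, and call out the changed default in the role's upgrade notes.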
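Review bot: In roles/gitea/templates/app.ini.j2 the added block reuses `gitea_web_src_ip`, documented in defaults as the list that restricts access to the web interface, as the list of trusted reverse proxies, so any client range put there for access control also becomes trusted to supply forwarded-address headers. That matters most when `gitea_username_header` is set, since the instance then takes a user name from a request header; a separate variable (for example `gitea_trusted_proxies`, the name is only a suggestion) would keep the two trust decisions apart. The two `select('search', …)` filters also silently drop entries that match neither pattern, such as a bare IPv6 address like `::1`, and when one filter matches nothing its key is rendered with an empty value; guarding each key with its own `{% if … | length > 0 %}` would avoid that. How Gitea treats an empty value for these keys, and whether both keys are read by the version being installed, is not visible here and should be checked against that version's `app.example.ini`.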