Mattermost integration behind a reverse proxy

gitlab-ce 12.2.3 (13598699) in a VM, behind a pfsense with HAproxy reverse proxy.

HAproxy does the TLS-stuff via ACME-Certs, for the 2 URLs:

https://gitlab.example.com
https://mattermost.example.com

The services in the gitlab VM are running http-only and should stay so.

gitlab itself works fine, now I try to enable mattermost as documented:

mattermost_external_url 'https://mattermost.example.com'
mattermost['enable'] = true
mattermost['service_use_ssl'] = false
mattermost['service_address'] = "192.168.97.128"
mattermost['service_port'] = "8065"

When I do this and run reconfigure and restart, I see nginx hanging, it searches for a cert for the mattermost-URL in /etc/gitlab/ssl ... while it shouldn't use or search for certs anyway. This obviously crashes gitlab itself as well.

If I check the generated vhost nginx.conf it listens on https/443 which is wrong/not wanted here.

I wonder if I need more parameters like:

mattermost['gitlab_enable'] = true
mattermost['gitlab_id'] = "fb5685..."
mattermost['gitlab_secret'] = "be249..."
mattermost['gitlab_scope'] = ""
mattermost['gitlab_auth_endpoint'] = "http://gitlab.example.com/oauth/authorize"
mattermost['gitlab_token_endpoint'] = "http://gitlab.example.com/oauth/token"
mattermost['gitlab_user_api_endpoint'] = "http://gitlab.example.com/api/v4/user"

but at first the above faulty generation of the vhost seems to be my problem.

Please advise.
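A check for the symptom described in the post, as an added example that is not part of the original post or of GitLab's code: it reads a gitlab.rb and reports each bundled nginx vhost that will still terminate TLS itself because its external URL is https, plus OAuth endpoints left on http://. The `listen_https` and `listen_port` keys under `nginx` and `mattermost_nginx` are Omnibus settings; the function names and the sample file are constructed for illustration.

```python
import re

# Constructed gitlab.rb excerpt, modelled on the settings quoted in the post.
SAMPLE = """\
external_url 'https://gitlab.example.com'
nginx['listen_port'] = 80
nginx['listen_https'] = false
mattermost_external_url 'https://mattermost.example.com'
mattermost['enable'] = true
mattermost['gitlab_token_endpoint'] = "http://gitlab.example.com/oauth/token"
"""

# Public URL setting -> Omnibus section that configures its bundled nginx vhost.
VHOSTS = {"external_url": "nginx", "mattermost_external_url": "mattermost_nginx"}

def parse(text):
    """Collect `name 'value'` and `section['key'] = value` lines into a dict."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"(\w+)\[['\"](\w+)['\"]\]\s*=\s*(.+)$", line)
        if m:
            out[f"{m.group(1)}['{m.group(2)}']"] = m.group(3).strip().strip("'\"")
            continue
        m = re.match(r"(\w+)\s+['\"]([^'\"]+)['\"]$", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out

def audit(text):
    """Return findings for a gitlab.rb meant to sit behind a TLS-terminating proxy."""
    cfg, findings = parse(text), []
    for url_key, section in VHOSTS.items():
        if not cfg.get(url_key, "").startswith("https://"):
            continue
        if cfg.get(f"{section}['listen_https']") != "false":
            findings.append(f"{section}: listen_https is not false, so the vhost "
                            "serves TLS itself and needs a cert in /etc/gitlab/ssl")
        if f"{section}['listen_port']" not in cfg:
            findings.append(f"{section}: listen_port unset, port follows the https URL (443)")
    if cfg.get("external_url", "").startswith("https://"):
        for key, val in cfg.items():
            if key.endswith("_endpoint']") and val.startswith("http://"):
                findings.append(f"{key}: http:// endpoint although GitLab is published over https")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

With the vhost served over plain HTTP, the proxy in front is the only place the original scheme is known, so it also has to pass `X-Forwarded-Proto: https` to the backend.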