don’t create a publicly available webpage showing bandwidth history or any statistics about the machine (e.g. CPU/RAM usage) as these can be used in surprising ways to attack users.
Yes, but not because you run a Tor relay. Rather because that is common sense nowadays.
FWIW I do use NGinx, a self-signed CA and iptables for that [1]
Why is this stated as an expectation then, if I do not have to do it because of running a relay?
What information is there I have to hide? It is a static website, which is compiled locally, not an API… What are the surprising ways to attack users with the combined traffic summary of usually 4 relays and a load average updated every 5 minutes?