Configure SSL / HTTPS (reverse proxy)
Put Nginx or Caddy in front of your app and enable HTTPS with Let's Encrypt.
To serve an app over HTTPS, you put a reverse proxy (Nginx or Caddy) in front of it. The proxy terminates TLS and forwards traffic as HTTP to your container or process.
Cause / The problem
Without HTTPS, browsers show “Not secure”, cookies are not protected and some APIs refuse the connection (mixed content). The certificate must be valid and renewed automatically.
Solution
Option A — Caddy (simplest, automatic HTTPS)
Caddy obtains and renews Let’s Encrypt certificates on its own. Caddyfile:
    app.example.com {
        reverse_proxy localhost:8080
    }
Then:
    caddy run  # or via the system package, caddy start
Caddy automatically enforces the HTTP → HTTPS redirect.
Option B — Nginx + certbot
- Install Nginx and certbot:
    sudo apt install -y nginx certbot python3-certbot-nginx
- Configure the vhost /etc/nginx/sites-available/app:
    server {
        listen 80;
        server_name app.example.com;

        location / {
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
- Enable and reload:
    sudo ln -s /etc/nginx/sites-available/app /etc/nginx/sites-enabled/
    sudo nginx -t && sudo systemctl reload nginx
- Issue the certificate:
    sudo certbot --nginx -d app.example.com
  Certbot adds the HTTPS block (port 443) and the 80 → 443 redirect itself, and installs a renewal timer.
Common errors: “mixed content” (your app generates http:// URLs; make it trust the X-Forwarded-Proto header set by the proxy), certificate not renewed (check with sudo certbot renew --dry-run), and ports 80/443 blocked by a firewall.
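For the mixed-content case, the app should honor X-Forwarded-Proto only when the request really arrived through the proxy, since any direct client can send that header too. The following is an added example, not part of the original page: it assumes a Python WSGI app reached by the proxy from 127.0.0.1 as in the vhost above, and the names ForwardedProto, peer_is_trusted, demo_app and generated_url are hypothetical.

```python
# Added example: WSGI middleware for an app behind the reverse proxy.
# Assumption: the proxy connects from loopback (proxy_pass to 127.0.0.1:8080).
import ipaddress

TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128")]


def peer_is_trusted(remote_addr):
    """True only if the direct TCP peer is one of our own proxies."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


class ForwardedProto:
    """Apply X-Forwarded-Proto only when the request came through the proxy."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # Always remove the header so the app never sees an unvetted value.
        proto = environ.pop("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        trusted = peer_is_trusted(environ.get("REMOTE_ADDR", ""))
        if trusted and proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Constructed sample app: returns the absolute URL it would generate."""
    url = "%s://%s/login" % (environ["wsgi.url_scheme"], environ["HTTP_HOST"])
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [url.encode()]


def generated_url(remote_addr, forwarded_proto=None):
    """Run one constructed request through the middleware, return the URL."""
    environ = {"REMOTE_ADDR": remote_addr, "HTTP_HOST": "app.example.com",
               "wsgi.url_scheme": "http", "REQUEST_METHOD": "GET"}
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    body = ForwardedProto(demo_app)(environ, lambda status, headers: None)
    return b"".join(body).decode()


if __name__ == "__main__":
    print(generated_url("127.0.0.1", "https"))    # request via the proxy
    print(generated_url("203.0.113.9", "https"))  # direct client, header ignored
```

Binding the app to 127.0.0.1 rather than 0.0.0.0 keeps direct clients from reaching port 8080 in the first place; the peer check covers the case where that binding is misconfigured.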