How to put an app behind a reverse-proxy to terminate the TLS connection with Let's Encrypt certs?

Hello everybody!

I’m currently evaluating use of the Sandbox to host DB visualisation/exploration tools. I want to try Metabase and Apache Superset and I’ve started with Metabase.

As Metabase provides a Docker image, getting an instance up and running was surprisingly simple and straightforward: four or five lines of manifest.yml and typing cf push did the trick! :smile: Amazing! :open_mouth:

But without TLS or authentication of any kind, this is obviously totally insecure. I couldn’t even go through the web-based configuration like this, since I’d have to send my DB password over the wire in cleartext… quite unacceptable.

So now the next task is to put a regular old web server like Apache or NGINX in front of the app as reverse proxy to terminate the TLS connection and to configure automatic retrieval of TLS certs from Let’s Encrypt.

I didn’t think it would be a challenge, but it kind of turned into one. At first, I wanted to use an existing Docker image, like the one from, but that one has certbot hardcoded to listen on ports 80 and 443, while Cloud Foundry expects apps to listen on port 8080.

I found this doc page on configuring custom ports for apps and tried to follow the steps, but got an error, because that only works for ports above 1024. So this particular image has turned out to be a dead end.

I could start “rolling my own”, of course, but it seems like such a standard problem that I expect there to be a solution already…

OK, self answer time: looks like I was overthinking it, or underthinking it… or just thinking about it wrong.
Whatever the case may be, I just realised that the platform already provides a wildcard cert for all its subdomains, so any route I create will be accessible via HTTP and HTTPS, i.e. the app was TLS-terminated the whole time!

I feel like that might warrant some extra mention in the docs somewhere. Although it’s possible that it is in there and I just forgot (I did read the docs, I swear! :wink: ).

Anyway, now I just need to figure out how to redirect all HTTP traffic to HTTPS…

I guess if you hit an endpoint via http you’d be redirected to https server-side?

I wonder if it’d be a good thing to turn off port 80 on the ELB?
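Since the platform router terminates TLS, the app itself only ever sees plain HTTP on its container port; the only way it can tell whether the client used HTTPS is the X-Forwarded-Proto header the router adds. The following is an added example (not code from the thread, Metabase or Cloud Foundry) of a small Go reverse proxy that does the server-side redirect discussed above: anything whose original scheme was not https gets a 301 (or 308 for non-GET requests, so the method is preserved) to the same URL over https, and requests that did arrive over TLS get an HSTS header before being proxied to the real app. It assumes the router sets X-Forwarded-Proto and that clients cannot reach the app except through the router; the UPSTREAM variable and the 127.0.0.1:3000 default are hypothetical and should be replaced with wherever the app actually listens.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"strings"
)

// originalScheme returns the scheme the client used, as reported by the
// TLS-terminating router in X-Forwarded-Proto. Only the first value is
// honoured; a missing header is treated as plain HTTP so we fail closed.
// Assumption: only the platform router can reach this port, so the header
// cannot be forged by an outside client.
func originalScheme(r *http.Request) string {
	first := strings.Split(r.Header.Get("X-Forwarded-Proto"), ",")[0]
	return strings.ToLower(strings.TrimSpace(first))
}

// forceHTTPS redirects any request that did not arrive over TLS to the
// https:// equivalent of the same URL, and adds HSTS to those that did.
func forceHTTPS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if originalScheme(r) != "https" {
			code := http.StatusPermanentRedirect // 308 keeps method and body
			if r.Method == http.MethodGet || r.Method == http.MethodHead {
				code = http.StatusMovedPermanently
			}
			http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), code)
			return
		}
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

// newProxy builds the redirecting reverse proxy in front of the real app.
func newProxy(upstream string) (http.Handler, error) {
	u, err := url.Parse(upstream)
	if err != nil {
		return nil, err
	}
	return forceHTTPS(httputil.NewSingleHostReverseProxy(u)), nil
}

func main() {
	// Cloud Foundry tells the app which port to bind via $PORT (8080 by default).
	port := os.Getenv("PORT")
	if port == "" {
		port = "8080"
	}
	// Hypothetical: where the app behind the proxy listens inside the container.
	upstream := os.Getenv("UPSTREAM")
	if upstream == "" {
		upstream = "http://127.0.0.1:3000"
	}
	h, err := newProxy(upstream)
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":"+port, h))
}
```

Run it with PORT and UPSTREAM set; a request that arrives at the router over http:// is answered with a redirect to the https:// URL before it ever reaches the app, and once the HSTS header has been seen browsers stop trying http:// for that host at all. Closing port 80 on the load balancer, as wondered above, would make the redirect unreachable, so the two choices are alternatives rather than complements.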