TLS Passthrough option for apps requiring end-to-end TLS
-
(Opus wrote this for me)
The Problem
Some self-hosted applications need to handle TLS termination themselves rather than having the reverse proxy terminate it. Currently, Cloudron's nginx always terminates TLS before traffic reaches the app container. This makes it impossible to package apps that require TLS passthrough.
Real-World Examples
- NetBird (WireGuard mesh VPN) -- the reverse proxy feature requires Traefik with TLS passthrough so the `netbird-proxy` container can terminate TLS and issue its own per-service certificates via ACME. I'm currently packaging NetBird for Cloudron (cloudron-netbird-app) and everything works except this one feature.
- Matrix Synapse -- federation requires the server to present its own TLS certificate for server-to-server authentication.
- XMPP servers -- similar federation TLS requirements.
- Any app with built-in ACME -- apps that manage their own Let's Encrypt certificates (e.g., Caddy-based apps, Traefik-based stacks).
What I'm Requesting
A manifest-level option to enable TLS passthrough for a specific app, something like:
```json
{ "tlsPassthrough": true }
```
When enabled, Cloudron's nginx would use `ssl_preread` and `proxy_pass` to forward the raw TLS stream to the app container based on SNI, without terminating it. The app would then handle TLS termination itself.
nginx supports this natively via the `stream` module with `ssl_preread`:
```nginx
stream {
    # $ssl_preread_server_name is the SNI host read from the ClientHello;
    # the TLS stream itself is neither decrypted nor modified.
    map $ssl_preread_server_name $backend {
        netbird.example.com netbird-container:443;
        # placeholder: address of the existing terminating HTTPS listener
        default             normal-https-handling;
    }
    server {
        listen 443;
        ssl_preread on;
        proxy_pass $backend;
    }
}
```
Considerations
- This would only apply to apps that explicitly opt in via the manifest.
- The `tls` addon already provides cert/key files to apps -- TLS passthrough is the complementary feature for apps that need full control.
- It could coexist with the current nginx setup: most apps continue with normal TLS termination, only passthrough-enabled apps get the raw stream.
- The `tcpPorts` manifest option already demonstrates that Cloudron can expose non-HTTP ports per app -- this would be the HTTPS equivalent.
Impact
This would unblock packaging for a meaningful set of applications that currently can't work on Cloudron due to the TLS termination architecture. It would also make Cloudron more competitive with platforms like Coolify and Cosmos that support Traefik-based deployments.
Happy to discuss implementation details or help test if this gets picked up.
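To make the SNI-based passthrough in the post concrete, here is an added example (not code from the original post, from Cloudron or from nginx): a small Python router that peeks at a raw TLS ClientHello, pulls the `server_name` extension out of it and picks a backend from a routing table, without decrypting or altering a single byte, which is what `ssl_preread` plus `proxy_pass $backend` does. The routing table, the backend names (`netbird-container`, `127.0.0.1:8443` as the stand-in for the normal terminating listener) and the sample ClientHello are all constructed for the example. Two points worth noticing: SNI is sent in cleartext (ECH aside), so routing can happen before any key exchange, and a client that sends no SNI at all lands on the default backend, so the default must be the terminating listener rather than a passthrough app.

```python
"""SNI-based TLS passthrough routing, as a worked example.

The proxy only reads the ClientHello; everything after it (including the
ClientHello itself) is relayed untouched, so the app terminates TLS and the
proxy can neither see nor filter the HTTP inside.
"""
import socket
import struct

# Constructed routing table (hypothetical hosts, not Cloudron's real ones).
ROUTES = {
    "netbird.example.com": ("netbird-container", 443),
}
# Stand-in for the existing terminating HTTPS listener (assumption).
DEFAULT_BACKEND = ("127.0.0.1", 8443)


def extract_sni(data: bytes):
    """Return the lower-cased server_name from a TLS ClientHello, else None.

    Only the handshake layout needed to reach the extensions is parsed; the
    record is never decrypted or modified, which is what passthrough means.
    """
    # TLS record header: content type (0x16 = handshake), version, length.
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:  # handshake type 1 = ClientHello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                       # client_version + random
    if len(hello) < pos + 1:
        return None
    sid_len = hello[pos]
    pos += 1 + sid_len                 # session_id
    if len(hello) < pos + 2:
        return None
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + cs_len                  # cipher_suites
    if len(hello) < pos + 1:
        return None
    cm_len = hello[pos]
    pos += 1 + cm_len                  # compression_methods
    if len(hello) < pos + 2:
        return None                    # no extensions block at all
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(hello))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        edata = hello[pos:pos + elen]
        pos += elen
        if etype == 0x0000:            # server_name extension
            # server_name_list length (2), then entries: type(1) len(2) name.
            if len(edata) < 5 or edata[2] != 0:   # 0 = host_name
                return None
            name_len = struct.unpack("!H", edata[3:5])[0]
            try:
                return edata[5:5 + name_len].decode("ascii").lower()
            except UnicodeDecodeError:
                return None
    return None


def choose_backend(first_bytes: bytes):
    """Route on SNI; anything without a matching name goes to the default."""
    return ROUTES.get(extract_sni(first_bytes), DEFAULT_BACKEND)


def peek_backend(conn: socket.socket):
    """Pick a backend for an accepted connection without consuming bytes.

    MSG_PEEK leaves the ClientHello in the kernel buffer so the whole stream
    can then be relayed to the backend byte-for-byte. A production router
    loops until the full record has arrived; one peek is enough here.
    """
    return choose_backend(conn.recv(16384, socket.MSG_PEEK))


def build_client_hello(server_name=None) -> bytes:
    """Constructed minimal ClientHello (one cipher suite, optional SNI)."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"      # version, random, no session id
            + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
            + b"\x01\x00"                              # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for host in ("netbird.example.com", "cloud.example.com", None):
        print(host, "->", choose_backend(build_client_hello(host)))
```

The `default` entry matters for safety as well as function: a ClientHello with no SNI, or with a name nobody claimed, must end up at the listener that holds a real certificate, never at an opted-in app that only expects its own host.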
-
Consider this an upvote/+1, along with kudos on @marcusquinn's packaging of NetBird.
-
@marcusquinn said in TLS Passthrough option for apps requiring end-to-end TLS:
Matrix Synapse -- federation requires the server to present its own TLS certificate for server-to-server authentication.
I think we can already do matrix federation, no?