Cloudron Forum

Apps - Status | Demo | Docs | Install
  1. Cloudron Forum
  2. Feature Requests
  3. TLS Passthrough option for apps requiring end-to-end TLS

TLS Passthrough option for apps requiring end-to-end TLS

Feature Requests
2 Posts 2 Posters 25 Views
  • marcusquinn wrote (#1):

    (Opus wrote this for me 🙂 )

    The Problem

    Some self-hosted applications need to handle TLS termination themselves rather than having the reverse proxy terminate it. Currently, Cloudron's nginx always terminates TLS before traffic reaches the app container. This makes it impossible to package apps that require TLS passthrough.

    Real-World Examples

    • NetBird (WireGuard mesh VPN) -- the reverse proxy feature requires Traefik with TLS passthrough so the netbird-proxy container can terminate TLS and issue its own per-service certificates via ACME. I'm currently packaging NetBird for Cloudron (cloudron-netbird-app) and everything works except this one feature.
    • Matrix Synapse -- federation requires the server to present its own TLS certificate for server-to-server authentication.
    • XMPP servers -- similar federation TLS requirements.
    • Any app with built-in ACME -- apps that manage their own Let's Encrypt certificates (e.g., Caddy-based apps, Traefik-based stacks).

    What I'm Requesting

    A manifest-level option to enable TLS passthrough for a specific app, something like:

    {
      "tlsPassthrough": true
    }
    

    When enabled, Cloudron's nginx would use ssl_preread and proxy_pass to forward the raw TLS stream to the app container based on SNI, without terminating it. The app would then handle TLS termination itself.
    nginx supports this natively via the stream module with ssl_preread:

    stream {
        # ssl_preread peeks at the cleartext ClientHello and exposes the SNI
        # name without decrypting anything; the map picks the backend from it.
        map $ssl_preread_server_name $backend {
            # Only names explicitly opted in get the raw stream.
            netbird.example.com  netbird-container:443;
            # Everything else must go to the address where the regular http{}
            # server (the one that terminates TLS today) listens. stream{} and
            # http{} cannot both bind 0.0.0.0:443, so that server would move to
            # an internal port; 127.0.0.1:8443 below is an assumed placeholder.
            default              127.0.0.1:8443;
        }
        server {
            listen 443;
            ssl_preread on;
            proxy_pass $backend;
        }
    }
    

    Considerations

    • This would only apply to apps that explicitly opt in via the manifest.
    • The tls addon already provides cert/key files to apps -- TLS passthrough is the complementary feature for apps that need full control.
    • It could coexist with the current nginx setup: most apps continue with normal TLS termination, only passthrough-enabled apps get the raw stream.
    • The tcpPorts manifest option already demonstrates that Cloudron can expose non-HTTP ports per app -- this would be the HTTPS equivalent.

    Impact

    This would unblock packaging for a meaningful set of applications that currently can't work on Cloudron due to the TLS termination architecture. It would also make Cloudron more competitive with platforms like Coolify and Cosmos that support Traefik-based deployments.
    Happy to discuss implementation details or help test if this gets picked up.

    Web Design & Development: https://www.evergreen.je
    Technology & Apps: https://www.marcusquinn.com

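To make the routing step in the request above concrete: the decision nginx's `ssl_preread` makes is based purely on the unencrypted ClientHello, so the platform never sees the HTTP inside a passthrough connection and the only key it can route on is the SNI name the client itself supplies. The following Python script is an added illustration, not Cloudron's or NetBird's code: it builds a sample ClientHello, parses the SNI extension out of it the way `ssl_preread` would, and applies an opt-in routing table that mirrors the `map` block, falling back to the terminating listener for any name not explicitly listed, for clients that send no SNI, and for bytes that are not TLS at all. The hostnames, the `netbird-container:443` target and the `127.0.0.1:8443` default are assumptions for the example.

```python
"""Added example: SNI-based routing of a raw TLS stream, as nginx's ssl_preread does.
Not part of Cloudron; hostnames and backend addresses are assumptions."""
import os
import struct
from typing import Optional, Tuple

# Constructed routing table mirroring the post's `map` block (assumed values).
ROUTES = {"netbird.example.com": ("netbird-container", 443)}
# Assumed: internal address where the normal TLS-terminating http{} server listens.
DEFAULT_BACKEND = ("127.0.0.1", 8443)

TLS_HANDSHAKE = 0x16      # record content type
HS_CLIENT_HELLO = 0x01    # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension id


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal ClientHello record, with an SNI extension when a name is given.
    Only used here to construct sample input for extract_sni()."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                                 # client_version (TLS 1.2)
        + os.urandom(32)                            # random
        + b"\x00"                                   # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
        + b"\x01\x00"                               # one compression method (null)
        + struct.pack("!H", len(exts)) + exts       # extensions block
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes) -> Optional[str]:
    """Return the SNI host_name from the first TLS record, or None when the bytes
    are not a complete ClientHello or carry no SNI. Malformed input never raises."""
    try:
        if len(data) < 5 or data[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        rec = data[5:5 + rec_len]
        if len(rec) < rec_len or rec[0] != HS_CLIENT_HELLO:
            return None                              # truncated or not a ClientHello
        end = 4 + int.from_bytes(rec[1:4], "big")
        if end > len(rec):
            return None
        p = 4 + 2 + 32                               # skip version and random
        p += 1 + rec[p]                              # session_id
        p += 2 + struct.unpack("!H", rec[p:p + 2])[0]  # cipher_suites
        p += 1 + rec[p]                              # compression_methods
        if p + 2 > end:
            return None                              # no extensions at all
        ext_end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]
        p += 2
        if ext_end > end:
            return None
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", rec[p:p + 4])
            p += 4
            if p + elen > ext_end:
                return None
            if etype == EXT_SERVER_NAME:
                q = p + 2                            # skip server_name_list length
                while q + 3 <= p + elen:
                    name_type = rec[q]
                    name_len = struct.unpack("!H", rec[q + 1:q + 3])[0]
                    q += 3
                    name = rec[q:q + name_len]
                    if name_type == 0 and len(name) == name_len:
                        return name.decode("ascii")
                    q += name_len
            p += elen
        return None
    except (struct.error, IndexError, UnicodeDecodeError):
        return None


def choose_backend(first_bytes: bytes, routes=ROUTES, default=DEFAULT_BACKEND) -> Tuple[str, int, bool]:
    """Mirror `map $ssl_preread_server_name $backend`: pass the raw stream through only
    for names explicitly opted in; everything else (unknown name, no SNI, non-TLS bytes)
    goes to the terminating listener. Returns (host, port, passthrough)."""
    sni = extract_sni(first_bytes)
    if sni is not None and sni.lower() in routes:
        host, port = routes[sni.lower()]
        return host, port, True
    host, port = default
    return host, port, False


if __name__ == "__main__":
    for label, sample in [("netbird", build_client_hello("netbird.example.com")),
                          ("other app", build_client_hello("wiki.example.com")),
                          ("no SNI", build_client_hello(None)),
                          ("plain HTTP", b"GET / HTTP/1.1\r\n")]:
        print(f"{label:10s} -> {choose_backend(sample)}")
```

The exact-match table is the point: because the SNI value is chosen by whoever opens the connection, a passthrough rule should list the opted-in hostnames literally rather than use a broad pattern, and any ClientHello it cannot parse should land on the ordinary terminating path where the platform still sees and logs the HTTP.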
    • jadudm wrote (#2):

      Consider this an upvote/+1, along with kudos on @marcusquinn 's packaging of NetBird.

      I use Cloudron on a DXP2800 NAS w/ 8TB in ZFS RAID1
