How to put an app behind a reverse-proxy to terminate the TLS connection with Let's Encrypt certs?
As Metabase provides a Docker image, getting an instance up and running was surprisingly simple and straightforward: four or five lines of `manifest.yml` and typing `cf push` did the trick! Amazing!
But without TLS or authentication of any kind, this is obviously totally insecure. I couldn't even go through the web-based configuration like this, since I'd have to send my DB password over the wire in cleartext... quite unacceptable.
So now the next task is to put a regular old web server like Apache or NGINX in front of the app as a reverse proxy to terminate the TLS connection and to configure automatic retrieval of TLS certs from Let's Encrypt.
I didn't think it would be a challenge, but it kind of turned into one. At first, I wanted to use an existing Docker image, like the one from linuxserver.io, but that one has `certbot` hardcoded to listen on ports 80 and 443, while Cloud Foundry expects apps to listen on port 8080.
I found this doc page on configuring custom ports for apps and tried to follow the steps, but got an error, because that only works for ports above 1024. So this particular image has turned out to be a dead end.
I could start "rolling my own", of course, but it seems like such a standard problem that I expect there to be a solution already...