Infrastructure
Reverse Proxy & TLS
Every public request hits a single entry point that terminates TLS and decides where to send traffic — none of the application services are directly reachable from the internet.
What it does
A reverse proxy sits in front of every service on the VPS. It receives all inbound connections on ports 80 and 443, handles TLS certificate issuance and renewal automatically, and forwards requests to the correct internal application based on the subdomain.
This means none of the backend services need to manage their own TLS certificates, and none of them are exposed to the public internet directly. They all listen only on the loopback interface.
Why this matters
Centralising TLS at the edge makes it trivial to add or remove services without touching firewall rules or certificate management. It also means every site served from this VPS gets HTTPS automatically, including HTTP → HTTPS redirects.
- Single point of certificate management — auto-renewed, zero manual steps.
- Application services never handle raw TLS; they receive plain HTTP from localhost.
- Clean separation between public entrypoint and internal application logic.
- Adding a new service is a one-line change in the proxy config.
Technology choice
The proxy of choice here is Caddy — a modern, Go-based web server with automatic HTTPS built in. It provisions and renews Let's Encrypt certificates without any manual intervention, and its configuration language is concise and easy to audit.
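A Caddyfile that implements the layout described above, added here as an illustration rather than copied from the deployment; the hostnames, backend ports and ACME contact address are assumed placeholders:

```caddyfile
# Added example, not the deployment's own config. Hostnames, ports and the
# ACME contact address below are placeholders.
{
    # Address Let's Encrypt uses for expiry notices (assumed value).
    email ops@example.com
}

# Shared hardening imported by every site block below.
(hardened) {
    encode gzip
    header {
        # Pin browsers to HTTPS for a year, subdomains included.
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options nosniff
        # Do not advertise the server software.
        -Server
    }
}

# One block per subdomain. Caddy obtains and renews a certificate for each
# host and serves the port-80 HTTP -> HTTPS redirect automatically.
app.example.com {
    import hardened
    # The backend must bind to 127.0.0.1 only, so it is reachable solely
    # through this proxy and never directly from the internet.
    reverse_proxy 127.0.0.1:3000
}

api.example.com {
    import hardened
    reverse_proxy 127.0.0.1:8080 {
        # Pass the original client address through so the application's
        # own logs and rate limiting see the real peer, not the proxy.
        header_up X-Real-IP {remote_host}
    }
}
```

Check the file before reloading with `caddy validate --config Caddyfile`; adding another service is just a new host block pointing at another loopback port.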