fp.notes

A calmer TLS setup behind a single reverse proxy

2026-05-31

For a long time I had three services each terminating their own TLS. Three certs, three renewal cron jobs, three chances to forget. Consolidating everything behind one nginx instance made the whole thing boring, which is exactly what I want from infrastructure.

The shape

One front door listens on 443. Everything behind it speaks plain HTTP on localhost. The front door owns the certificate and nothing else has to think about it.

server {
    listen 443 ssl;
    http2 on;
    server_name example.internal;
    # nginx will not start a TLS listener without a cert; paths are placeholders
    ssl_certificate     /etc/ssl/example.internal/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.internal/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;   # so the backend sees the real hostname
    }
}

Renewals

The renewal hook reloads nginx and that's the entire story now. I run a dry run once a quarter just to keep myself honest.
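An added example of such a hook, not the author's own (the post does not say which ACME client is in use, so it follows certbot's deploy-hook convention, where the client exports RENEWED_LINEAGE when it runs the script). The one thing worth getting right is to test the config before reloading: a reload with a broken config leaves the running nginx serving the old certificate while the hook silently exits zero. The NGINX_TEST and NGINX_RELOAD variables are assumptions so the script can be exercised on a machine without nginx.

```shell
#!/bin/sh
# Deploy hook: reload nginx only if the new configuration passes `nginx -t`.
# Commands are overridable (assumed names) so the logic can be dry-run anywhere.
NGINX_TEST="${NGINX_TEST:-nginx -t}"
NGINX_RELOAD="${NGINX_RELOAD:-systemctl reload nginx}"

# reload_if_valid: run the config test; reload only on success.
# Returns 0 after a reload, 1 if the test failed (running nginx is left untouched,
# so a non-zero exit surfaces in the ACME client's log instead of a quiet outage).
reload_if_valid() {
    if $NGINX_TEST >/dev/null 2>&1; then
        $NGINX_RELOAD
        return $?
    fi
    echo "nginx config test failed; not reloading" >&2
    return 1
}

# certbot sets RENEWED_LINEAGE when invoking a deploy hook; when the script is
# sourced or run by hand without it, nothing happens.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_if_valid
fi
```

Drop the script into the client's deploy-hook directory (or point `--deploy-hook` at it) and it runs once per successful renewal; the quarterly dry run mentioned above will exercise the same path.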

The best part of this change wasn't performance. It was deleting two cron jobs and never thinking about them again.