SecureProxy (SSL Termination)


Overview

SecureProxy provides automatic SSL/TLS termination as a separate ECS service using Traefik. Unlike CertWrapper, which runs as a sidecar container, SecureProxy runs independently with its own dedicated Fargate resources. This enables zero-downtime deployments, because application deployments don’t restart or redeploy the proxy service.

Purpose and Benefits

  • Zero-Downtime Deployments: Application deployments don’t affect SSL termination & proxying
  • Dedicated Resources: Runs as a separate ECS Fargate service with its own CPU/memory
  • Automatic HTTPS: Secure your application with automatically provisioned SSL certificates
  • Let’s Encrypt Integration: Free SSL certificates with automatic renewal using Traefik
  • Independent Scaling: Proxy service scales independently of application

vs. CertWrapper Comparison

| Feature          | SecureProxy                  | CertWrapper                |
|------------------|------------------------------|----------------------------|
| Architecture     | Separate ECS Fargate service | Sidecar container          |
| Resources        | Dedicated Fargate resources  | Shares app CPU/RAM         |
| Cost             | Additional service costs     | No additional compute cost |
| Deployment       | Independent of app deploys   | Restarts with app deploys  |
| Use Case         | Zero-downtime deployments    | Cost-effective SSL         |
| Proxy Technology | Traefik                      | Traefik                    |

CLI Usage

Create SecureProxy

tapit create secureproxy acme_email=my@email.com

Required Parameters

  • acme_email: Email address for Let’s Encrypt certificate registration and notifications

List and Show SecureProxy

# List all addons (including SecureProxy)
tapit list addons

# Show specific SecureProxy details
tapit show addon name=secureproxy

Delete SecureProxy

tapit delete addon name=secureproxy

Traffic Flow

Internet → SecureProxy (HTTPS:443) → Your Application (HTTP:8080)
  1. Client Request: Browser makes an HTTPS request to your domain
  2. SSL Termination: SecureProxy decrypts the request
  3. Forwarding: Request is forwarded as plain HTTP to your application (port 8080) over the internal network
  4. Response: SecureProxy encrypts the application's response and sends it back to the client

Domain Configuration

DNS Setup

Point your domain’s CNAME record to the app’s Tapitalee hostname (*.dns.tapitalee.net).

Multiple Domains

SecureProxy supports multiple domains and subdomains. Certificates are automatically requested for all domains pointing to the proxy.
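
A post-setup check for the DNS Setup and Multiple Domains steps above, as an added example (not Tapitalee's own code): for each domain it confirms that the CNAME target sits under *.dns.tapitalee.net, that the served certificate names the domain, and that expiry is not close, which would indicate that automatic renewal has stalled. The function names, the 14-day threshold, the `myapp` hostname and the sample certificate are assumptions made for illustration; the CNAME target is supplied by the caller (for example from `dig +short CNAME`).

```python
import socket
import ssl
from datetime import datetime, timezone

TAPITALEE_SUFFIX = ".dns.tapitalee.net"  # wildcard zone named in "DNS Setup"

def cname_ok(target):
    """True if a CNAME target (e.g. from `dig +short CNAME`) is under the zone."""
    t = target.rstrip(".").lower()
    return t.endswith(TAPITALEE_SUFFIX) and len(t) > len(TAPITALEE_SUFFIX)

def name_covered(cert, host):
    """True if host matches a DNS subjectAltName, allowing one-label wildcards."""
    host = host.lower()
    parent = host.partition(".")[2]
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(n == host or (n.startswith("*.") and n[2:] == parent) for n in sans)

def days_left(cert, now=None):
    """Whole days until notAfter, using the dict shape getpeercert() returns."""
    now = now or datetime.now(timezone.utc)
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expiry - now).days

def audit(host, cname_target, cert, min_days=14, now=None):
    """Return a list of problems for one domain; an empty list means it passed."""
    problems = []
    if not cname_ok(cname_target):
        problems.append("CNAME target is outside *.dns.tapitalee.net")
    if not name_covered(cert, host):
        problems.append("certificate does not cover " + host)
    remaining = days_left(cert, now)
    if remaining < min_days:  # min_days is an assumed alerting threshold
        problems.append("certificate expires in %d days" % remaining)
    return problems

def fetch_cert(host, port=443, timeout=5.0):
    """Live path: validated handshake against the proxy, returns the leaf cert dict."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample (not a real certificate) in getpeercert() format.
SAMPLE_CERT = {"subjectAltName": (("DNS", "www.example.com"), ("DNS", "api.example.com")),
               "notAfter": "Jun  1 12:00:00 2030 GMT"}
SAMPLE_NOW = datetime(2030, 5, 25, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for h in ("www.example.com", "shop.example.com"):
        print(h, audit(h, "myapp.dns.tapitalee.net.", SAMPLE_CERT, now=SAMPLE_NOW))
```

Against a live deployment, pass `fetch_cert(host)` as the `cert` argument; a failed handshake there (untrusted chain or hostname mismatch) raises `ssl.SSLError` before any of the checks run.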