by dvno42 1321 days ago
If I'm understanding you correctly, you are saying that the origin servers only listen on HTTP and that is where the ISP intercepts. Is it not common practice for the origin servers to also be using HTTPS? AFAIK there's no simple way for the end user to know this though.
1 comments

People who run the origin servers often use a CDN to do TLS termination because they are too incompetent to do it themselves. Not having to enable TLS is a major value-add for certain types, and you'll see this advertised prominently by every CDN.
There is another value add - being able to use self-signed certs and therefore not have to worry about renewals. Last I checked (~12 months ago), there still isn't a good story for doing automated SSL renewals if your application is completely containerized.
Terminating TLS for an HTTP app running on localhost is trivial. Something like this:

printf 'example.com\nreverse_proxy localhost:8000\n' > Caddyfile
docker run --net host -v "$PWD/Caddyfile:/etc/caddy/Caddyfile" caddy

It's slightly more complicated if you need redundancy, but not by much.
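A fuller version of the setup sketched in this comment, as an added example (not code from the thread or from the Caddy project): a POSIX shell script that renders a Caddyfile and a docker-compose.yml for terminating TLS in front of a plain-HTTP app on localhost. The domain `example.com`, the upstream `localhost:8000` and the ACME contact address are assumed placeholders. The compose file keeps Caddy's `/data` directory on a named volume so the ACME account and issued certificates survive container restarts and renewals keep working; the Caddyfile also sets an HSTS header so browsers stop trying plain HTTP to the origin.

```shell
#!/bin/sh
# Added example: render a Caddyfile and docker-compose.yml that put Caddy
# in front of a plain-HTTP app on the host. All names are placeholders.

# render_caddyfile DOMAIN UPSTREAM EMAIL
# Prints a Caddyfile: a global options block with the ACME contact address,
# then one site block that compresses responses, sets HSTS and proxies to
# the upstream. Automatic HTTPS is Caddy's default for a public hostname.
render_caddyfile() {
  domain="$1"; upstream="$2"; email="$3"
  printf '%s\n' \
    "{" \
    "    email $email" \
    "}" \
    "" \
    "$domain {" \
    "    encode gzip" \
    "    header Strict-Transport-Security \"max-age=31536000\"" \
    "    reverse_proxy $upstream" \
    "}"
}

# render_compose
# Prints a compose file. network_mode: host mirrors the --net host in the
# comment above so that localhost:8000 means the host's app. The named
# volumes persist the ACME account and certificates across restarts.
render_compose() {
  cat <<'EOF'
services:
  caddy:
    image: caddy:2
    restart: unless-stopped
    network_mode: host
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy_data:/data      # ACME account key and issued certificates
      - caddy_config:/config  # Caddy's autosaved running config
volumes:
  caddy_data:
  caddy_config:
EOF
}

# Write both files into the directory given as $1 (default: a temp dir).
out_dir="${1:-$(mktemp -d)}"
render_caddyfile example.com localhost:8000 admin@example.com > "$out_dir/Caddyfile"
render_compose > "$out_dir/docker-compose.yml"
echo "wrote $out_dir/Caddyfile and $out_dir/docker-compose.yml"
```

Run it with a target directory, then `docker compose up -d` in that directory. For a host that is not publicly resolvable (the self-signed case mentioned above), replacing the `email` option with `tls internal` inside the site block makes Caddy issue certificates from its own local CA instead of contacting an ACME server.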