by NavinF 1320 days ago
People who run the origin servers often use a CDN to do TLS termination because they are too incompetent to do it themselves. Not having to enable TLS is a major value-add for certain types and you'll see this advertised prominently by every CDN.

There is another value add - being able to use self-signed certs and therefore not have to worry about renewals. Last I checked (~12 months ago), there still isn't a good story for doing automated SSL renewals if your application is completely containerized.
Terminating TLS for an HTTP app running on localhost is trivial. Something like this:

printf 'example.com\nreverse_proxy localhost:8000\n' > Caddyfile
docker run --net host -v "$PWD":/config caddy caddy run --config /config/Caddyfile

It's slightly more complicated if you need redundancy, but not by much.