ssl termination proxy #6

Supports: xenial



Put this charm in front of an HTTP web service to add HTTPS. It deploys a TLS/SSL/HTTPS termination proxy: all HTTPS traffic arriving at the proxy is forwarded to the web server as plain HTTP.


SSL Termination Proxy

This charm installs an HTTPS reverse proxy. The proxy secures traffic to a webservice in the private network using a Let's Encrypt HTTPS certificate. The proxy can also add basic username/password authentication if the credentials config option is set.

This proxy receives an A+ rating on the Qualys SSL Server Test.

How to use

HTTPS proxy


Deploy your http webservice.

juju deploy jenkins

Deploy the Proxy.

juju deploy cs:~tengu-team/ssl-termination-proxy

Expose the proxy.

juju expose ssl-termination-proxy

Configure your DNS server to point to the ssl-termination-proxy's public IP.

Let the proxy know what its DNS name is.

(See for free DNS names)

juju config ssl-termination-proxy

The proxy will now request a certificate from Let's Encrypt.

Connect the webservice with the proxy.

juju add-relation jenkins ssl-termination-proxy

Now you can surf to https:// and you will reach the webservice.


[Optional] Configure basic auth

juju config ssl-termination-proxy credentials="<username> <password>"

Multiple accounts aren't supported for the moment.
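A check to run once the steps above are done, as an added example that is not part of the charm or its documentation: it confirms that the certificate validates for the proxy's DNS name and that requests without credentials are challenged. The function names and the PROXY_USER/PROXY_PASS environment variables are assumptions, and curl must be installed.

```bash
#!/bin/sh
# Added example: post-deployment check for the HTTPS proxy. Not part of the charm.
# Assumed names: auth_verdict, http_status, check_proxy, PROXY_USER, PROXY_PASS.

# Decide from two HTTP status codes whether the proxy enforces basic auth.
# $1 = status without credentials, $2 = status with credentials.
auth_verdict() {
    if [ "$1" = "000" ] || [ "$2" = "000" ]; then
        echo "unreachable"   # curl prints 000 on TLS or connection failure
    elif [ "$1" != "401" ]; then
        echo "open"          # anonymous request was not challenged
    elif [ "$2" = "401" ]; then
        echo "rejected"      # the supplied credentials were refused too
    else
        echo "enforced"      # challenged without, passed through with
    fi
}

# Print only the status code. curl verifies the certificate chain and the
# host name by default, so an invalid certificate shows up as 000.
http_status() {
    curl --silent --output /dev/null --max-time 10 \
         --write-out '%{http_code}' "$@" || true
}

# $1 = proxy DNS name, $2 = username, $3 = password.
check_proxy() {
    anon=$(http_status "https://$1/")
    # Credentials go to curl on stdin so they stay out of the process list.
    authed=$(printf 'user = "%s:%s"\n' "$2" "$3" |
             http_status --config - "https://$1/")
    echo "anonymous=$anon authenticated=$authed verdict=$(auth_verdict "$anon" "$authed")"
}

# Runs only when a DNS name is given as the first argument.
if [ -n "${1:-}" ]; then
    check_proxy "$1" "${PROXY_USER:?set PROXY_USER}" "${PROXY_PASS:?set PROXY_PASS}"
fi
```

The verdict `open` is expected when the credentials option has not been set; `unreachable` usually means the certificate has not been issued yet or DNS does not point at the proxy.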


This software was created in the IBCN research group of Ghent University in Belgium. This software is used in Tengu, a project that aims to make experimenting with data frameworks and tools as easy as possible.


(string) Contact email for Let's Encrypt
(string) Space-separated username and password for basic authentication.
(string) Space separated list of extra deb packages to install.
(string) Fully-Qualified Domain Name of server to register
(string) listen address
(string) List of signing keys for install_sources package sources, per charmhelpers standard format (a yaml list of strings encoded as a string). The keys should be the full ASCII armoured GPG public keys. While GPG key ids are also supported and looked up on a keyserver, operators should be aware that this mechanism is insecure. null can be used if a standard package signing key is used that will already be installed on the machine, and for PPA sources where the package signing key is securely retrieved from Launchpad.
(string) List of extra apt sources, per charm-helpers standard format (a yaml list of strings encoded as a string). Each source may be either a line that can be added directly to sources.list(5), or in the form ppa:<user>/<ppa-name> for adding Personal Package Archives, or a distribution component to enable.
(string) The status of service-affecting packages will be set to this value in the dpkg database. Valid values are "install" and "hold".
(int) NGINX listen port