TLS termination is the practice of decrypting an incoming HTTPS (TLS) connection at the network edge — usually a reverse proxy or a load balancer — so that backend application servers behind it can speak plain HTTP over a trusted internal network. This concentrates certificate management in one place, lets the edge layer cache TLS session state, and offloads the CPU cost of asymmetric crypto from every backend. Modern edges almost always pair TLS termination with auto-renewing certificates from Let's Encrypt or ZeroSSL via the ACME protocol.
In a self-hosting context
For a single-VPS self-host deployment of Mattermost, Nextcloud, or any other OSS in this directory, TLS termination happens in the reverse proxy — Caddy and Traefik both do it automatically, nginx needs an explicit config block plus certbot. PaaS-style wrappers like CapRover and Coolify bundle the whole flow: drop in a hostname, get a valid certificate within seconds. See Reverse proxy for the broader pattern.
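The explicit nginx config block mentioned above could look like the following. This is an added example, not taken from any of the projects named here; the hostname `chat.example.com`, the backend address `127.0.0.1:8065`, the webroot `/var/www/certbot` and the certificate paths (certbot's default layout) are assumptions.

```nginx
# Constructed example: hostname, backend port and paths are assumptions.

# Port 80 only answers ACME HTTP-01 challenges and redirects to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name chat.example.com;

    # Used with: certbot certonly --webroot -w /var/www/certbot -d chat.example.com
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443 terminates TLS and forwards plain HTTP to the backend.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name chat.example.com;

    # Certificate and key as written by certbot; renewal replaces them in place.
    ssl_certificate     /etc/letsencrypt/live/chat.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/chat.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # TLS session state cached at the edge, shared across worker processes.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1h;

    location / {
        # Backend speaks plain HTTP on loopback only.
        proxy_pass http://127.0.0.1:8065;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        # Overwrite, rather than append to, any client-supplied forwarding
        # headers so the backend sees only what the edge observed.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        # WebSocket upgrade pass-through.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Because the hop behind the proxy is unencrypted, the backend should listen on `127.0.0.1` (or a private interface) rather than a public address, so that its plain-HTTP port cannot be reached without passing through the edge.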