In Hatchbox, if you set up a load balancer, the initial request will use SSL/TLS and HTTPS and then Caddy strips out the SSL certificate and hands off the request to the appropriate server using HTTP. This is because all of your servers are behind the firewall and there is no need to pass around the SSL certificate.

Caddy forwards the request with X-Forward-Proto and the other X- headers so your Rails app knows it was an SSL request and doesn't need to redirect.

Setting config.force_ssl = true in Rails (/config/environments/production.rb) will make sure all requests are using SSL.

There is nothing else to do and all your web traffic will now be using SSL/TSL.