I use Caddy the same way. My web apps aren't allowed to think about TLS, they sit behind Caddy and I'm secure as long as I keep it updated