This discourse topic below got me thinking of a naive solution for secure origin servers (apps that use ssl transport). I say naive because this does not include managing SSL certificates, that's assumed to be setup correctly out of bounds.

https://discourse.openondemand.org/t/reverse-proxy-rnode-or-node-to-ssl-service/3080

The idea works like this

• when the end user clicks the button to connect to the app from the app's card, we can intercept this and set a header (X-OOD-SSL-ORIGIN just for example)before redirecting to the other URL
• if this header is set in mod_ood_proxy we don't downgrade the connection. At this point, if the header is set, we can keep wss and https.

I think the tricky part is actually intercepting the button/anchor click because that is provided by the application itself, outside of OnDemand (i.e., in a user supplied view.html.erb). So not only would we have to intercept the click - we'd have to actually discover what is clickable as a pre-requisite.