The suggestion is to use HAProxy instead of Nginx as the reverse proxy for publicly facing domains.

Rationale

As I understand it, Dokku's plugin nginx-vhost uses Nginx to handle two things:

1. Mapping (sub)domain names to docker container ports
2. Configuration of SSL Termination

Some buildpacks build containers that include their own Nginx (for instance 1, 2, 3, 4), and having two Nginx proxies like this causes confusion, difficulties in troubleshooting and the necessity to duplicate some nginx configuration directives on the dokku host (for instance via https://github.com/neam/dokku-nginx-vhosts-custom-configuration#background)

This is not an issue with Heroku since it already performs this reverse proxying at the network layer (possibly already using HAProxy).

Example HAProxy configuration

1. Mapping (sub)domain names to docker container ports example configuration: http://serverfault.com/questions/105824/how-to-divert-traffic-based-on-hostname-using-haproxy/126799#126799
2. Configuration of SSL Termination: https://serversforhackers.com/haproxy-ssl-termation-pass-through/ (Personally, I prefer to configure SSL at the network layer via Cloudflare DNS)