Port Forwarding with VirtualHost to HA from another Raspberry Pi

tl;dr: How can I configure Apache VirtualHosts to only forward myhomeassistant.duckdns.org:443 to https://myhomeassistant.duckdns.org:8123 while Apache is running on another Raspberry Pi than Home Assistant?

Hey all,

I’m struggling for days now and not finding a way to make it work, so I’m asking you for help. I read and tried so many things that I can’t even recall, what I already tried.

I am running Apache on a Raspberry Pi for nextcloud, pihole and other services and have ports 80 and 443 opened in my router. All this is accessible via https://www.mydomain.com/*.
On another Raspberry Pi, I am running Home Assistant (Home Assistant Core 2022.5.0, Home Assistant, Supervisor 2022.05.0, Home Assistant OS 7.6) with opened port 8123 and a duckdns domain, let’s say https://myhomeassistant.duckdns.org.

In order to make Alexa work, I need port 443 to be forwarded to my HA Pi port 8123 as shown in this video: Alexa with Home Assistant Local for FREE Without Subscription - YouTube. Of course, I cannot just configure 443 → HA Pi 443 in my router since I need port 443 to be used with mydomain.com and thus 443 is already forwarded to my other Pi. Thus, I want to use VirtualHosts and forward everything that comes in at https://myhomeassistant.duckdns.org(:443) to https://myhomeassistant.duckdns.org:8123.
Everything else, especially https://www.mydomain.com/* and https://myhomeassistant.duckdns.org:8123 should be treated as it is now.

I tried for example (the whole list would be quite long):

<VirtualHost myhomeassistant.duckdns.org:443>
  ServerName myhomeassistant.duckdns.org
  ProxyPass / https://myhomeassistant.duckdns.org:8123/
</VirtualHost>

with and without Listen 443 in the first line and also with <VirtualHost *:443>.
I also tried using my local IP:

<VirtualHost *:443>
        ServerName myhomeassistant.duckdns.org
        ProxyPass / 192.168.178.112:8123
        ProxyPassReverse / 192.168.178.112:8123
</VirtualHost>

And as described in Reverse Proxy with Apache, I tried

<VirtualHost *:443>
  ServerName myhomeassistant.duckdns.org
  ProxyPreserveHost On
  ProxyRequests off
  ProxyPass /api/websocket ws://192.168.178.112:8123/api/websocket
  ProxyPassReverse /api/websocket ws://192.168.178.112:8123/api/websocket
  ProxyPass / https://192.168.178.112:8123/
  ProxyPassReverse / https://192.168.178.112:8123/
</VirtualHost>

with and without RewriteEngine:

  RewriteEngine on
  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteRule /(.*)  ws://192.168.178.112:8123/$1 [P,L]
  RewriteCond %{HTTP:Upgrade} !=websocket [NC]
  RewriteRule /(.*)  https://192.168.178.112:8123/$1 [P,L]

to both the duckdns and my local IP.

How I tried: create new file hassio.conf in /etc/apache2/sites-available and write the above into it. Run sudo a2ensite hassio.conf and sudo service apache2 restart.

The result is either 400 Bad Request, 404 Not Found or https://myhomeassistant.duckdns.org is forwarded to the landing page of my Apache Pi at https://www.mydomain.com (which is obvious since duckdns points to the IP of my router).
And sometimes, it leads to a certificate warning when accessing HA via https://myhomeassistant.duckdns.org:8123.

Since I don’t know, if it makes a difference, here’s how my 000-default-le-ssl.conf looks like. I of course tried to write everything of the above directly in 000-default-le-ssl.conf as well.

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin [email protected]
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        ServerName www.mydomain.de
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/www.mydomain.de/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.mydomain.de/privkey.pem
</VirtualHost>

Redirect 301 /.well-known/carddav /nextcloud/remote.php/dav
Redirect 301 /.well-known/caldav /nextcloud/remote.php/dav
Redirect 301 /.well-known/webfinger /nextcloud/index.php/.well-known/webfinger
Redirect 301 /.well-known/nodeinfo /nextcloud/index.php/.well-known/nodeinfo

</IfModule>

<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>

I tried so many different versions of the same and so many different things, but nothing worked at all.
Could someone please point me in the right direction?