So I'm not the average use case. I followed multiple guides online and they all don't work for my use case.
What I need:
What I need, for security, is for my HAOS mini PC to be accessible only through Tailscale. I can do that through the Let's Encrypt add-on and through the Tailscale HTTPS functionality, but every setup comes with its own downsides. I also need HTTPS access to the go2rtc dashboard that's accessible at local_ip:1984, which opens a separate page not in the Home Assistant GUI.
Why? Because the go2rtc dashboard can load camera streams with the microphone open. This does not work when HTTPS is disabled, so I cannot talk to the cameras.
What I tried:
Let's Encrypt add-on:
With Let's Encrypt, you need to change configuration.yaml to include the generated certificate files. When you then restart, the local IP stops functioning, so if the domain ever goes down I will have no access to Home Assistant anymore, AND the HAOS Telegram bot core integration also does not play well with forced HTTPS. I use this integration a LOT, so I need it to keep functioning under the local IP that my router assigned to the mini PC, because under HTTPS it doesn't work well.
Tailscale HTTPS:
Using this option, you only need to add the reverse proxy settings to the configuration.yaml file. This worked, but for some reason I'm getting EXTREMELY slow speeds when accessing Home Assistant through the domain it generated for me. I'm talking so slow that, for example, when I go to the add-on screen, all the little add-on images load like one per 0.3 seconds or so. We're talking a few kilobytes per second connection here.
When accessing directly through the Tailscale IP, everything works without problems, as fast as if I accessed it through the local IP.
NGINX Proxy Manager:
For some reason, when trying to generate certificates through this add-on, it gives an “internal error” and I couldn't find online how to solve this.
Cloudflared:
I tried to use this and it worked to access my mini PC running HAOS over HTTPS, but only when available to the whole wide web. I tried to include the Tailscale IP of the HAOS machine and my other tailnet machines so that only they get access, but as soon as I implemented those rules under Zero Trust user groups, it just fails to load with, if I remember correctly, an error message that it's not a correct app link.
Further notes:
I have my own domain I can use, and I use Cloudflare to manage the DNS records.
I also cannot use Duck DNS (I think?) because my router does not support port forwarding.
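For reference, the two configuration.yaml variants the post describes side by side, as an added example and not taken from the original post. It assumes the Let's Encrypt add-on's default output paths (/ssl/fullchain.pem, /ssl/privkey.pem) and the proxy source range that the Tailscale add-on documentation gives for trusted_proxies; check both against your own setup before using them.

```yaml
# Variant A: Let's Encrypt add-on, TLS terminated by Home Assistant itself.
# Side effect described in the post: once ssl_certificate is set, port 8123
# answers HTTPS only, so http://<local_ip>:8123 stops working and anything
# that relied on plain HTTP to the local IP has to be pointed at the domain.
http:
  ssl_certificate: /ssl/fullchain.pem   # default path written by the Let's Encrypt add-on (assumption)
  ssl_key: /ssl/privkey.pem             # default path written by the Let's Encrypt add-on (assumption)
---
# Variant B: Tailscale add-on HTTPS, TLS terminated by the add-on's proxy.
# Home Assistant keeps serving plain HTTP on 8123, so the local IP and the
# Telegram bot integration are untouched; only the Tailscale hop gets TLS.
# Do NOT combine this with ssl_certificate, or you are back to variant A.
# trusted_proxies limits which sources may set X-Forwarded-For, so keep it
# to the proxy's own network rather than a broad range.
http:
  use_x_forwarded_for: true             # required whenever trusted_proxies is set
  trusted_proxies:
    - 172.30.33.0/24                    # Supervisor add-on network the Tailscale proxy connects from (per add-on docs; verify)
```

Pick one variant; the `---` only separates the two alternatives here, and only variant B keeps plain-HTTP access on the local IP.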