Wrapping my head around SSL when using Apache Proxy

So, my Ubuntu server is a public name server with a fixed IP. On my connection, I forward all traffic from 53, 80, and 443 to the internal IP of the server.

Hass.io is running in Docker.

I’m trying to understand how SSL settings need to be configured in order for Hass.io to work properly.

When I create a virtual server on my system (using Virtualmin), the cert files are placed in the virtual server folder, which ends up being /home/<username>/domains/subdomain.domain.com.

There’s ssl.ca, ssl.cert, ssl.key, ssl.combined, and ssl.everything.

Assuming there’s content in /home/<username>/domains/subdomain.domain.com/public_html, when served, the result is a secure site.

So, one could understand the confusion when we introduce Hass.io, which is listening on port 8123 and also has its own SSL folder which requires fullchain.pem and privkey.pem.

In this case I would presume that I would want to configure Apache as a reverse proxy as prescribed by this article in the docs.

However, I’m not clued in to the SSL settings required. Since the end goal is to be able to access Hassio via https://hassio.domain.com, and Apache is already handling SSL, what implications does this have for a) the SSL folder in Hass.io (/usr/share/hassio/ssl) and b) the SSL configuration settings throughout Hass.io (i.e. add-ons)?

Do the SSL certificates stored in the Apache directory need to be copied to the Hass.io directory, or in this type of setup, are we supposed to disable SSL for everything in Hass.io and just let Apache handle the SSL part?

I hope that was clear…