Haproxy/letsencrypt/nextcloud port 80 question

Anything I say, please correct me if an assumption is wrong.

linuxserver.io/nextcloud only has an option in docker for port 443 backend access
ie. self-signed cert (or from what I’ve read) signing via the letsencrypt docker app placing certificate keys in the appropriate place - /config/keys/ - you define in your docker/docker-compose runtime syntax. I don’t want to run another letsencrypt instance since the one on my router is already working just fine.

Now, on my homelab network setup, I use HAProxy/letsencrypt (ACME) on my pfsense box to intercept and sign all my incoming web traffic. I’ve done this for things that only reside internally on my network with no external access (as a thought/learning exercise) and also signing my externally accessible bitwarden and plex access to internal docker instances living on my network.

all external traffic comes in as a FQDN, eg:

my pfsense box assigns these all via DNS resolver override to resolve to (my routers IP) then since its WAN traffic, I have HAProxy intercepts it and do SSL offloading to sign the data for the web client against my certs I set up using ACME, and does a host lookup on the FQDN, and uses rules to pass off the packets appropriately to the correct internal network resource on the correct port. All the certificate signing of the request remains at the router, so the data is still technically unsigned when passed on my local network.

Is there a way to only have unsigned http access to nextcloud so I can have all the cert signing done at my network head-end?

Replying to myself so anyone in the future with similar issues/questions and lack of knowledge I had can hopefully learn something like I did by this post/reply chain on r/haproxy on reddit: