Unifi Controller doesn't work with reverse proxy unless port 8443 is passed through to the host

I have the unifi container working but I noticed an interesting issue. Everything works just fine as long as 8443 is passed through to the host using docker ports, but when I disable that port it fails to load with a Bad Gateway response from traefik. Traefik is looking at the container over a docker network so it shouldn’t need the port to exist on the host at all. I’m thinking that the unifi container is doing something funny here but I’m not sure. Any thoughts or things I could try to make it work without the extra port would be greatly appreciated.

UniFi docker-compose.yml (this is an Ansible template file):

---
# Compose file for the UniFi Network Application and its MongoDB backend.
# Ansible renders this template, so the double-brace placeholders are replaced
# with real values before Docker Compose reads the file.
services:
  unifi-network-application:
    image: lscr.io/linuxserver/unifi-network-application:8.4.62
    container_name: unifi-network-application
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      # NOTE(review): the rendered file and the container environment hold the
      # database credentials in clear text. Restrict read access to the
      # rendered file and keep the source variables encrypted (for example
      # with Ansible Vault); how they are stored is not shown here.
      - MONGO_USER={{ unifi_controller.db_username }}
      - MONGO_PASS={{ unifi_controller.db_password }}
      # Matches the name of the database service defined further down.
      - MONGO_HOST=unifi-db
      - MONGO_PORT=27017
      - MONGO_DBNAME=unifi
      # The application authenticates against the admin database.
      - MONGO_AUTHSOURCE=admin
      - MEM_LIMIT=1024 #optional
      - MEM_STARTUP=1024 #optional
      - MONGO_TLS= #optional
    volumes:
      - unifi_data:/config
    ports:
      # Every active entry below is published on the Docker host. No host IP
      # is given, so Docker binds each one on all host interfaces.
      #
      # The reverse proxy only works while the 8443 line below is uncommented
      # (port published on the host); with it commented out, Traefik answers
      # Bad Gateway.
      # NOTE(review): publishing 8443 also makes the web UI reachable directly
      # on the host, bypassing Traefik and its certificate.
      # - 8443:8443 # WebUI
      - 3478:3478/udp # STUN
      - 10001:10001/udp # AP Discovery
      - 8080:8080 # Device communication
      - 1900:1900/udp # discoverable on L2 network
      # - 8843:8843 # guest portal HTTPS redirect
      # - 8880:8880 # guest portal HTTP redirect
      # - 6789:6789 # mobile throughput test
      - 5514:5514/udp # syslog port
    restart: unless-stopped
    networks:
      # internal: link to the database container.
      # traefik: external network shared with the reverse proxy. Traefik can
      # reach container ports over it without any host port mapping.
      - internal
      - traefik

  # MongoDB backend for the UniFi application. No ports are published and the
  # container is attached only to the internal network.
  unifi-db:
    # NOTE(review): the tag pins the major version only, so a pull can change
    # the running MongoDB release.
    image: docker.io/mongo:7
    container_name: unifi-db
    environment:
      # NOTE(review): the root account and the application account are filled
      # from the same username and password variables, and the application
      # authenticates against the admin database, so it appears to connect
      # with root privileges. A separate user limited to the unifi database
      # would follow least privilege; confirm what init-mongo.sh creates.
      - MONGO_INITDB_ROOT_USERNAME={{ unifi_controller.db_username }}
      - MONGO_INITDB_ROOT_PASSWORD={{ unifi_controller.db_password }}
      - MONGO_USER={{ unifi_controller.db_username }}
      - MONGO_PASS={{ unifi_controller.db_password }}
      - MONGO_DBNAME=unifi
      - MONGO_AUTHSOURCE=admin
    volumes:
      - db_data:/data/db
      # Init script mounted read-only; its content is not shown on this page.
      - ./init-mongo.sh:/docker-entrypoint-initdb.d/init-mongo.sh:ro
    restart: unless-stopped
    networks:
      - internal

networks:
  # NOTE(review): "internal" is only the network's name here. The network is
  # not declared with the Compose option internal: true, so containers on it
  # keep outbound connectivity.
  internal:
  # Pre-existing network shared with the Traefik stack.
  traefik:
    external: true

# Both named volumes are NFS mounts whose server address and export paths are
# filled in by the template.
# NOTE(review): no NFS version or security flavour is set in the options, so
# access control presumably rests on the export's host restrictions and the
# traffic, database files included, is likely unencrypted on the wire. Verify
# against the server configuration.
# NOTE(review): soft mounts return I/O errors to the application after a
# timeout; check whether that is acceptable for MongoDB data files.
volumes:
  unifi_data:
    driver_opts:
      type: "nfs"
      o: "addr={{ nfs_server_address }},nolock,soft,rw"
      device: ":{{ unifi_controller.nfs_mount_path }}"
  db_data:
    driver_opts:
      type: "nfs"
      o: "addr={{ nfs_server_address }},nolock,soft,rw"
      device: ":{{ unifi_controller.nfs_db_path }}"

Traefik docker-compose.yml (the API key is redacted):

---

# Compose file for the Traefik reverse proxy. Only ports 80 and 443 are
# published on the host.
services:
  traefik:
    # NOTE(review): the tag pins the minor version only; patch releases are
    # picked up on the next pull.
    image: docker.io/traefik:v3.1
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    environment:
      # Redacted for the post. NOTE(review): a real token written here sits in
      # clear text in the compose file and the container environment; keep the
      # file out of version control or supply the value from a secret store.
      CLOUDFLARE_DNS_API_TOKEN: ''
    volumes:
      # No Docker socket is mounted, so Traefik presumably takes its routes
      # only from the files under ./configs and reaches backends by hostname.
      - type: bind
        source: /etc/localtime
        target: /etc/localtime
        read_only: true
      # NOTE(review): the static and dynamic configuration are mounted
      # writable; read_only: true would stop the container from altering them.
      - type: bind
        source: ./traefik.yml
        target: /etc/traefik/traefik.yml
      - type: bind
        source: ./configs
        target: /etc/traefik/configs
      # Has to stay writable for certificate storage. It holds ACME account
      # and certificate private keys, so keep it owner-only (mode 600).
      - type: bind
        source: ./acme.json
        target: /etc/traefik/acme.json
    networks:
      - traefik

networks:
  # Pre-existing network; backends must be attached to it to be reachable.
  traefik:
    external: true

The traefik dynamic config file for the unifi container service.

---
# Traefik dynamic configuration for the UniFi controller, also rendered from
# a template.
http:
  serversTransports:
    ignorecert:
      # Traefik does not validate the backend's TLS certificate on this
      # transport. NOTE(review): any host that answers for the backend name is
      # accepted, so this is only reasonable while the connection stays on the
      # private Docker network. The alternative is to trust the controller's
      # certificate explicitly.
      insecureSkipVerify: true
  routers:
    unifi_controller:
      rule: Host(`{{ unifi_controller.url }}`)
      tls:
        certResolver: letsEncrypt
      service: unifi_controller
      entryPoints:
        - websecure
  services:
    unifi_controller:
      loadBalancer:
        serverstransport: ignorecert
        servers:
          # NOTE(review): this hostname does not match the service or
          # container name in the UniFi compose file on this page, which is
          # unifi-network-application. Docker's embedded DNS resolves service
          # and container names, so unifi-controller is likely resolved
          # somewhere else, possibly to the Docker host. That would explain
          # why the route only works while 8443 is published. Verify what the
          # name resolves to from inside the Traefik container.
          # With certificate verification disabled, Traefik would not notice
          # if the name pointed at an unintended host.
          - url: https://unifi-controller:8443