Local controller on Proxmox - reverse proxy issue

Set up a local controller in Proxmox, version 1.0r.

Everything works fine in my LAN.
Created a DNS entry so I can use https://random.ddns.manage.alta.inc in my internal network (without the local in front).

Now I want to have external access to my controller.
But: I only have one external fixed IP, so I use a reverse proxy (Microsoft IIS with ARR) to get access to several servers.
Created a server farm and rewrite rule for the Alta FQDN https://random.ddns.manage.alta.inc.

Due to the Let’s Encrypt certificate the Alta controller uses, I got a certificate error from outside my network (since the ARR replaces the Let’s Encrypt certificate with my own wildcard certificate, this is expected behavior). This is no issue for my other internal servers, since they all use my official wildcard certificate, the same one the ARR uses.

So instead of using random.ddns.manage.alta.inc I created a new public DNS record alta.mydomain.com and the ARR does a rewrite from https://alta.mydomain.com to https://random.ddns.manage.alta.inc to go to the internal controller.
When I browse from an external computer to https://alta.mydomain.com, I get the controller login page and no certificate error. The certificate is my official wildcard certificate.
But I can’t log in: Incorrect username or password.
I added the FQDN https://alta.mydomain.com to Allowed Origins, but this does not solve the problem.

So I tried it another way. I did a port forward of port 8443 to 443 and added port 8443 to Allowed Ports in the controller.
When I go to https://random.ddns.manage.alta.inc:8443, I get the controller login page and can log in without any problem. If I don’t add port 8443 to Allowed Ports, I get the login page but cannot log in.

But I would prefer to use my ARR and https://alta.mydomain.com.
What am I missing that this is not working?

Do you get a console error when attempting to log in?

Does the proxy have network access to the Proxmox system? Thinking about the flow of traffic:

  1. External comes in
  2. Hits the port forward
  3. Goes to the reverse proxy
  4. Proxy talks to controller

The reverse proxy could and arguably should be talking to the local.* domain since the proxy itself is local to the controller.

I’m not saying that would work, but it would be the next thing I’d try. I don’t know much about the Microsoft IIS but I have worked with Nginx and Traefik.