SSL Renewals for Internal Only Services #674
After-Thoughts started this conversation in Ideas
Replies: 0 comments
I have been testing Zoraxy and like it as an upgrade from alternatives such as NPM, and I am really liking the built-in GeoIP blocking. However, I am running into an issue for which I think a new feature would be helpful.
I have a few services that are 'internal' access only, and I would like these services to have signed SSL certs. Right now I have an ACME setup on the servers directly that runs a pre-renewal script to port knock my router. When this occurs, my routers open ports for the ACME renewal, and the renewal proceeds. After a few minutes the router times out the IP address of the server and the router firewall blocks external access on ports 80/443.
In this way I am able to have signed SSL certs for the services while minimizing the external accessibility of the server.
I have been looking for a reverse proxy solution that can function in such a way where I can renew without intervention and maintain minimal external exposure.
Maybe I am missing something but I have not been able to achieve this with Zoraxy.
I wanted to suggest a couple of feature options that could possibly achieve this goal. I am also open to any suggestions.
Option 1) Have a simple port knock feature that can be turned on within the ACME/SSL renewal on the Zoraxy GUI. When activated, you can fill in an IP address, a port and a number X of requests to send. When this option is active, prior to renewal the Zoraxy server will send X requests to the IP address and port (nping?). By the time the process ends, the router would have opened external access, allowing the Zoraxy server to proceed with renewing normally; a few minutes later the router would close the ports and essentially Zoraxy would only be accessible internally.
Option 2) An option to force SSL renewal on port 80. In this way, Zoraxy would be able to run a web server used for renewal (temporary?) only on port 80, and port 443 could be closed to the external world. In this case only port 80 would be open to the outside world, and all internal services would be protected from external access and we would still have signed SSL certificates.
I know internal-only services may be a niche, and I know there are many security caveats, but I still prefer to prevent access as far upstream from the server as I can control, and in my case that is typically the routers/firewalls under my control.
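The pre-renewal flow from Option 1, written out as an added example (not Zoraxy's code and not the poster's script) in Go, since Zoraxy is a Go project. It sends X knocks to a router IP and port, then adds the check the post's flow leaves implicit: it refuses to hand off to the ACME client until the renewal port actually answers, with a bounded wait so a knock the router did not honour fails loudly instead of surfacing as an ACME timeout. The router address 192.0.2.1, knock port 1234, the knock count and the 30-second budget in main are hypothetical values chosen for illustration.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"time"
)

// KnockSpec is the port-knock configuration the post's Option 1 describes:
// send Count packets to Host:Port, spaced by Interval. Proto is "udp" or "tcp".
type KnockSpec struct {
	Host     string
	Port     int
	Count    int
	Interval time.Duration
	Proto    string
}

// Knock sends the configured knocks and returns how many were sent.
// UDP knocks are fire-and-forget. For TCP only the SYN has to reach the
// router's firewall, so a refused or timed-out connect is not an error.
func Knock(spec KnockSpec) (int, error) {
	addr := net.JoinHostPort(spec.Host, fmt.Sprint(spec.Port))
	sent := 0
	for i := 0; i < spec.Count; i++ {
		switch spec.Proto {
		case "udp":
			conn, err := net.Dial("udp", addr)
			if err != nil {
				return sent, err
			}
			_, err = conn.Write([]byte("knock"))
			conn.Close()
			if err != nil {
				return sent, err
			}
		case "tcp":
			d := net.Dialer{Timeout: 500 * time.Millisecond}
			if conn, err := d.Dial("tcp", addr); err == nil {
				conn.Close()
			}
		default:
			return sent, fmt.Errorf("unsupported knock protocol %q", spec.Proto)
		}
		sent++
		if i < spec.Count-1 {
			time.Sleep(spec.Interval)
		}
	}
	return sent, nil
}

// WaitForPort polls host:port until a TCP connect succeeds or ctx expires.
func WaitForPort(ctx context.Context, host string, port int, poll time.Duration) error {
	addr := net.JoinHostPort(host, fmt.Sprint(port))
	d := net.Dialer{Timeout: poll}
	for {
		conn, err := d.DialContext(ctx, "tcp", addr)
		if err == nil {
			conn.Close()
			return nil
		}
		select {
		case <-ctx.Done():
			return fmt.Errorf("%s not reachable before deadline: %w", addr, ctx.Err())
		case <-time.After(poll):
		}
	}
}

// PreRenewHook is the pre-renewal step: knock, then confirm the renewal port is
// reachable before the caller starts the ACME client. The context bounds the
// wait, so a knock the router ignored becomes an explicit error here.
func PreRenewHook(ctx context.Context, knock KnockSpec, acmeHost string, acmePort int) error {
	sent, err := Knock(knock)
	if err != nil {
		return fmt.Errorf("knock failed after %d of %d packets: %w", sent, knock.Count, err)
	}
	return WaitForPort(ctx, acmeHost, acmePort, 250*time.Millisecond)
}

func main() {
	// Hypothetical values: a router at 192.0.2.1 (documentation range) that is
	// configured to open port 80 after 3 UDP knocks on port 1234.
	knock := KnockSpec{Host: "192.0.2.1", Port: 1234, Count: 3, Interval: 200 * time.Millisecond, Proto: "udp"}
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer cancel()
	if err := PreRenewHook(ctx, knock, "192.0.2.1", 80); err != nil {
		fmt.Println("pre-renew hook failed:", err)
		return
	}
	fmt.Println("port open, start ACME renewal now")
}
```

The reachability probe runs from the same host as the hook, so it only sees the router's LAN side; it confirms the rule opened if the router hairpins, and otherwise the probe target has to be an external vantage point or the router's own rule state. The knocks must also originate from the address the router will whitelist, since the time-limited rule is keyed on the knocking server's IP.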