Caddy is a reverse proxy that natively integrates with ACME and can use Tailscale certificates.
Docker Hub: https://hub.docker.com/_/caddy/
It is very simple to configure and deploy. It also has a native integration with Docker where it can be configured entirely using Docker labels with no configuration file required and automatically maintains itself with no in-service outage for changes (although the container will need to be reloaded when new app networks are deployed, based on a separate network for each app, and for upgrades). It needs access to /var/run/docker.sock and TrueNAS has made an effort to prevent that (cannot add users to group ‘docker’) so I did not try, but am willing to For Science.
Some apps also don’t work with the ECDSA certs issued by Tailscale, and most won’t support QUIC, which the reverse proxy can do. Jellyfin does not work with Tailscale certs, and has announced plans to remove HTTPS support, so a reverse proxy will be required. It is getting harder to avoid HTTPS and harder to avoid certificate automation, with CA/Browser Forum agreeing to reduce max cert lifetime from 1 year now to 47 days in 2029.
There would be an opportunity for a very elegant integration between TrueNAS, the Apps catalogue, Docker, and Tailscale/Acme. For example, TrueNAS App catalogue sets labels on the containers that Caddy uses to publish with the certificate auto-managed from Tailscale, with no config file to manage. TrueNAS could even use it for presenting the Web UI, protected with a real cert.
In the apps catalogue today there is Nginx, but it doesn’t have the native integrations with ACME, Tailscale, and Docker. Caddy’s features significantly differentiate it.
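
A sketch of the label-driven setup described above, as an added example that is not part of the original post and has not been tested on TrueNAS. It assumes the community caddy-docker-proxy build of Caddy (which reads the `caddy` labels), a tailscaled socket at the host path shown, and a placeholder tailnet hostname and network name.

```yaml
# Added example: image tag, hostname, network name and socket paths are assumptions.
services:
  caddy:
    # Caddy build with the docker-proxy plugin, which generates config from labels
    image: lucaslorentz/caddy-docker-proxy:ci-alpine
    ports:
      - "443:443"
      - "443:443/udp"        # HTTP/3 (QUIC)
    environment:
      # Only proxy to containers attached to this network
      - CADDY_INGRESS_NETWORKS=jellyfin_net
    networks:
      - jellyfin_net
    volumes:
      # Label discovery needs the Docker API. Anything that can talk to this
      # socket can control the Docker daemon, so treat the proxy container
      # as privileged.
      - /var/run/docker.sock:/var/run/docker.sock
      # Assumed host path of the tailscaled socket, used by Caddy to fetch
      # certificates for *.ts.net names
      - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock
      - caddy_data:/data
    restart: unless-stopped

  jellyfin:
    image: jellyfin/jellyfin
    networks:
      - jellyfin_net           # one network per app, shared only with the proxy
    labels:
      # Placeholder tailnet name; no Caddyfile is written by hand
      caddy: nas.example-tailnet.ts.net
      caddy.reverse_proxy: "{{upstreams 8096}}"   # Jellyfin's plain-HTTP port

networks:
  jellyfin_net:
    name: jellyfin_net         # fixed name so CADDY_INGRESS_NETWORKS matches

volumes:
  caddy_data:
```

Mounting the Docker socket with `:ro` does not restrict API calls made over it, so a read-only mount is not a mitigation for the access concern raised above.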