Hi,
I am no expert here but here are the basics one needs to know,
DNS (whether its for DDNS or TLD) → is to simply tell the browser (Client) which Public IP address to go to.
Reverse Proxy → Once that request arrives at that Public Host, port forwarding will take it to the Reverse proxy, it will check the requesting domain name and forward that request to respective port or (internal) IP address.
At first glance, I am unable to find any fault in theoretical setup of yours. It looks to be ok but I dont know your internal networking (LAN) or how your Pi OS network stack looks like.
Theoretically yes, NPM itself is suppose to terminate SSL but if needed it can further do SSL between itself and your Pi
Here is the configuration I use for deployments that I manage,
Here, NPM is accepting and terminating a SSL connection and then connecting to the Nextcloud (Internal LAN) which itself is also running a SSL
Technically speaking, you need the DDNS client at only a single place within your entire LAN. Best practice is to run it at your router itself. If possible, disable it here and run it at router.
As I said before, I dont have access to your network layout, so not sure if this particular thing is actually causing the entire issue.
This is a wrong config since your nextcloud itself is running a SSL. Unless your nextcloud Pi is running that SSL on Port 80. Your Reverse proxy should be pointing to https with it’s respective port for that Nextcloud Pi.
Refer to my example for hands on…
Check if this solves your issue.
Thanks.