pfsense: SNI-routed internal 443 — mail.viktorbarzin.me serves webmail everywhere
Completes the internal port table of the mail front door (10.0.20.1):
443 was squatted by the pfSense webGUI (self-signed cert expired 2022),
so internal webmail and the kuma [External] mail probe hit the firewall
login instead of Roundcube — the last leg of the mail split-brain name.
Design (Viktor): route by what the client asked for. New HAProxy
frontend internal_https_443 (binds 10.0.20.1+10.0.10.1 :443, mode tcp):
SNI present -> Traefik .203 with send-proxy-v2 (trusted, IPv6-bridge
pattern, no health check per the PROXY-probe gotcha); SNI of
pfsense.viktorbarzin.{lan,me} or NO SNI (bare-IP admin access) -> webGUI,
which moved to :8443 (invisible to habits — https://10.0.20.1 still
lands on the login page; :8443 doubles as direct fallback). The
reverse-proxy pfsense ingress now targets :8443 directly.
Declared idempotently in pfsense-haproxy-bootstrap.php; config.xml
backed up on-box (config.xml.bak-2026-06-10-pre-sni443). Verified:
bare IP -> GUI login; pfsense.viktorbarzin.lan -> GUI;
pfsense.viktorbarzin.me -> 302 via ingress; mail.viktorbarzin.me ->
Roundcube with STRICT cert validation; :993 IMAPS untouched.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
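The SNI-routed frontend that the commit message describes, written out as an HAProxy configuration fragment. This is an added example, not the contents of pfsense-haproxy-bootstrap.php or the generated haproxy.cfg; the Traefik address 10.0.20.203, the webGUI listening on 127.0.0.1:8443, the 5s inspect delay and the backend names are assumptions.

```haproxy
# Added example: one tcp-mode frontend on :443 that decides by SNI
frontend internal_https_443
    bind 10.0.20.1:443
    bind 10.0.10.1:443
    mode tcp
    option tcplog
    # Hold the connection until the TLS ClientHello has arrived so the
    # SNI can be read (5s is an assumed value). A client that never
    # sends a ClientHello falls through with no SNI and lands on the GUI.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # Admin hostnames stay on the box; so does any connection with no SNI
    # (bare-IP access such as https://10.0.20.1).
    acl is_pfsense_gui req.ssl_sni -i pfsense.viktorbarzin.lan pfsense.viktorbarzin.me
    acl has_sni        req.ssl_sni -m found
    use_backend pfsense_webgui if is_pfsense_gui
    use_backend pfsense_webgui if !has_sni
    # Everything else (mail.viktorbarzin.me and the other public names)
    # is passed through to Traefik, which terminates TLS itself.
    default_backend traefik_passthrough

backend pfsense_webgui
    mode tcp
    # webGUI moved to :8443 (assumed to listen on loopback as well)
    server webgui 127.0.0.1:8443 check

backend traefik_passthrough
    mode tcp
    # PROXY protocol v2 preserves the real client address for Traefik.
    # No "check": a plain TCP health probe carries no PROXY header and
    # would be rejected by a PROXY-only listener, marking the backend down.
    server traefik 10.0.20.203:443 send-proxy-v2
```

Each path in the commit's verification list maps to one rule above: a connection without a server name (`openssl s_client -connect 10.0.20.1:443` with no `-servername`) matches `!has_sni`, the two pfsense hostnames match `is_pfsense_gui`, and `-servername mail.viktorbarzin.me` falls to the default backend, where the certificate presented must be Traefik's, not the firewall's self-signed one.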
parent 176a65d3d2
commit eae35c511a
4 changed files with 113 additions and 4 deletions
@ -36,7 +36,10 @@ module "pfsense" {
name = "pfsense"
external_name = "pfsense.viktorbarzin.lan"
tls_secret_name = var.tls_secret_name
port = 443
# webGUI moved to :8443 on 2026-06-10 — :443 on pfSense is now the
# SNI-routed HAProxy frontend (hostname->Traefik, no-SNI->GUI). Direct
# backend port avoids a Traefik->HAProxy->GUI double hop.
port = 8443
backend_protocol = "HTTPS"
extra_annotations = {
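Review bot: `port = 8443` together with `backend_protocol = "HTTPS"` means the ingress now negotiates TLS directly against the webGUI's own certificate, which the commit message describes as self-signed and expired since 2022; the hunk shows no setting for backend certificate verification, so confirm that the module either pins that certificate or deliberately disables verification for this backend only, and record which one in the comment block, since otherwise the `pfsense.viktorbarzin.me -> 302 via ingress` path either fails the handshake or skips validation silently. The value 8443 is also now hardcoded both here and in pfsense-haproxy-bootstrap.php; a single shared variable would keep the two from drifting when the GUI port changes again.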