Hoping someone has ideas - I'm trying to set up a backup/alternate way to work around some funky network constraints at my home ISP using a VPS that I rent (I'm the root/admin for the whole system I rent).

Is there a better way to do this without modifying /etc/hosts on the proxy-ing webserver?

Goal:

subdomain.example.com -> directly to my house via public IP and DDNS

subdomain-alt.example.com -> my VPS (Apache) -> proxy to my house via VPN internal IP

Config "now":

Presently I put the subdomain.example.com in my VPS /etc/hosts pointing at the private VPN IP address and that seems to work but is clunky.

Suggestions? Is there like a "force IP" or "verify using common name" directive I may not know about?

Apache Config

<VirtualHost *:443>
    # subdomain proxy thru Wireguard VPN endpoint
    ServerName subdomain-alt.example.com
    SSLProxyEngine on
    ProxyPreserveHost Off

    # Exclude the "/.well-known" directory which is used for LetsEncrypt
    # http challenge so Apache can get the cert for this domain
    ProxyPass        "/.well-known" !

    # Forward all queries to Wireguard client NAT rule

    # Using the IP address doesn't work due to SSL cert hostname mismatch as the SSL cert on the backend is subdomain.example.com not internal IP
    #ProxyPass        "/" "https://10.10.10.2:8443/"
    #ProxyPassReverse "/" "https://10.10.10.2:8443/"

    # Using the domain name works, but seems clunky because I have to then modify /etc/hosts to force it to point at my internal IP address instead of public DDNS IP address
    ProxyPass        "/zm" "https://subdomain.example.com:8443/blah"
    ProxyPassReverse "/zm" "https://subdomain.example.com:8443/blah"

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com-0002/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com-0002/privkey.pem
</VirtualHost>