VirtualHost on proxy server:

<VirtualHost *:80>
        ServerName demo.bethicoleague.org
        Redirect 301 / https://demo.bethicoleague.org/
        ErrorLog ${APACHE_LOG_DIR}/http-error.log
        CustomLog ${APACHE_LOG_DIR}/http-access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =demo.bethicoleague.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
        ServerName demo.bethicoleague.org
        ServerAdmin bernard@condrau.com
        php_value date.timezone "Asia/Bangkok"

        ErrorLog ${APACHE_LOG_DIR}/bco/joomla5-error.log
        CustomLog ${APACHE_LOG_DIR}/bco/joomla5-access.log combined

        SSLEngine on
        RequestHeader set X-Forwarded-Proto "https"
        ProxyRequests Off
        ProxyPreserveHost On
        ProxyPass "/" "http://serenity.condrau.com:8080/"
        ProxyPassReverse "/" "http://serenity.condrau.com:8080/"

        <Proxy *>
                Require all granted
        </Proxy>
        <Location "/">

                # Block aggressive spiders by giving 429, too many requests
                Include conf-available/bco-spiders.conf
        </Location>

        <Location "/html/">

                # Allow access for Bernard's locations only
                Include conf-available/bco-remote-addr.conf
        </Location>

        ## make sure nobody gets the htaccess, README, COPYING or VERSION files
        <Files ~ "^([\._]ht|README$|VERSION$|COPYING$)">
                Require all denied
        </Files>

        ## Don't allow access to git directories
        <IfModule alias_module>
                RedirectMatch 404 /\.git
        </IfModule>

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/bethicoleague.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/bethicoleague.com/privkey.pem
</VirtualHost>

Set Joomla Live URL in /configuration.php