That is such a clear explanation and makes a lot of sense, thank you again.
Since the services I’m interested in serving are authenticated then it sounds like HTTPS is what I need (which is what originally made the most sense to me). That’s a relief. I just need to figure out how to have separate HTTP and HTTPS services hosted from the one ARM service.
Thank you again for the response. The summary is very helpful too.
It looks like I don’t need the reverse proxy, since the sensitive services* support authentication and HTTPS.
I would need the lighttpd service to be available over unsecured HTTP too, but if that’s not possible I could always use a different subdomain.