Actually I've done it with help of Caddy in a few minutes, really kudos for this tip to the @mcpherrinm, it really can't be easier than this!
It wasn't clear if the "tenant" VMs are operated by others - if so, they might not like that MiTM.
The reverse proxy, in that case, was only for HTTP [which is already visible to anyone in line].
Would you be a tenant where your HTTPS site would only be accessible through a non-standard port?
It would really depend on the service being provided.
And the available alternatives to that single IP service.
I, personally, would do it all myself - so I would never have to make such a choice - LOL