Hey there,
I have a somewhat similar setup. I use Nginx Proxy Manager and AdGuard Home’s rewrites to do the same thing as you.
As for Question 1: Creating self-signed certs is pretty straightforward. I followed this tutorial by Christian Lempa: https://youtu.be/VH4gXcvkmOY He also has a good writeup on his GitHub: https://github.com/ChristianLempa/cheat-sheets/blob/main/misc/ssl-certs.md How to import the certs into Nginx, I don’t know, but I think that’s easy to look up online.
Regarding Question 2: My understanding is that all traffic goes through the Reverse Proxy.
I hope I could help, let me know if you have any more questions.
I’m currently hosting Vaultwarden, an implementation of Bitwarden. It’s working perfectly so far.