The two 00's - is your domain stanmore or stanmoore?
You leave your description open, and then you try and hide it in the domain name? So not sure.
If your server is 192.168.8.36, then create a host override in pfSense to point whatever.domain.tld to this IP..
Create a CA, then create a cert with this CA. Trust the CA in your browser - and then use that cert on your server. Done.. NO proxy needs to be involved. Makes no sense to use the proxy unless you want outside people to get in, and to be honest you want to offload the ssl to the proxy and not do it on the server.
I have a few guides around here about doing just that - let me see if I can dig one up and link to it.
Here - walk through I did back in 2019
https://forum.netgate.com/post/831783
edit: To finish that off.. Here is CA trusted by my browser.. And here are 2 devices using certs I signed with my trusted CA. Switch and Nas.
installed.jpg
Keep in mind that browsers have backed off on how long a cert could be good for - not that long ago you could make them for like 10 years and be done with it. But now browsers can have issues with certs valid longer than say 1 year
https://blog.mozilla.org/security/2020/07/09/reducing-tls-certificate-lifespans-to-398-days/
So for your certs you can only do them for that long - or your browser will complain - some of mine were done before those changes went into effect..
Other advantage of just doing it this way - is you can add in IPs into the certs via SAN, and then either name or IP works and your cert is trusted.
switch via name or ip
switch.jpg
Notice in the cert for my nas above - it lists subject alternative names for nas.local.lan and 192.168.9.10
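
The steps described in the post above (private CA, a server cert carrying both a DNS name and an IP in its SAN, lifetime kept under 398 days), as an added example that is not part of the original post and uses the openssl command line rather than any GUI. Assumptions: OpenSSL 1.1.1 or later; the CA name, file names, function names and the `LAB_PKI_DIR` variable are made up, while `nas.local.lan` and `192.168.9.10` are the values mentioned in the post.

```shell
# Added example: private CA plus a server cert with DNS and IP SANs.
# CA name, file names and function names are hypothetical.

make_lab_cert() {   # $1 = output dir, $2 = DNS name, $3 = IP, $4 = validity in days
    dir=$1; name=$2; ip=$3; days=$4
    mkdir -p "$dir" || return 1
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Home Lab CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # CA key and self-signed CA cert: ca.crt is the file the browser is told to trust.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" || return 1
    # Server key and CSR; -subj overrides the CA name from the config.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=$name" -keyout "$dir/server.key" -out "$dir/server.csr" || return 1
    # Leaf extensions: both the name and the IP go into subjectAltName.
    cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$name, IP:$ip
EOF
    # Sign with the CA; keep -days under the 398-day limit browsers enforce.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days "$days" -extfile "$dir/server.ext" \
        -out "$dir/server.crt"
}

cert_ok_for() {     # $1 = dir, $2 = hostname|ip, $3 = value typed into the browser
    openssl verify -CAfile "$1/ca.crt" "-verify_$2" "$3" "$1/server.crt" >/dev/null 2>&1
}

lifetime_within() { # $1 = dir, $2 = days; true if the cert expires within $2 days of now
    ! openssl x509 -in "$1/server.crt" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

out=${LAB_PKI_DIR:-./lab-pki}
make_lab_cert "$out" nas.local.lan 192.168.9.10 397 &&
    cert_ok_for "$out" hostname nas.local.lan && cert_ok_for "$out" ip 192.168.9.10 &&
    lifetime_within "$out" 398 && echo "server.crt is valid for both name and IP"
```

Import `ca.crt` into the browser's trust store and install `server.crt` with `server.key` on the device; `ca.key` stays off the device.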