If you’re sharing a single IP with multiple SSL connections you need a SAN cert on the front end of your proxy. If the network is secure then everything else behind it can be unencrypted.
Discourse needs force_https if the user connects via SSL, and you need to ensure the header flagged above is preserved and forwarded.