My ISP is pretty unstable lately, so I've decided to establish a kind of reserve entry point at my friend's server: during outages I redirect domains to it, and then requests will be routed by its NGINX through a wireguard/yggdrasil tunnel to my server (it has an LTE modem for such cases, but without a public IP).
My main concern is SSL certificates. DNS-01 challenges are tricky with my DNS provider, and with HTTP-01 it's impossible to update certs on the fallback machine when the domain points at my main server (most of the time). Also, I think that keeping certs on someone else's server is not good in terms of security. I know there's a `stream` module in NGINX that just redirects encrypted traffic to port 443 of my server through the tunnel instead of decrypting it on my friend's server and sending it in plain HTTP to the services themselves. Could you please share some guides on how to properly set this up? Other tips on the topic are also welcome (but not like "change your ISP" or "get a VPS").
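An added example of the `stream` setup described in the post (not the poster's own config): the friend's server forwards TLS by SNI without terminating it, and forwards plain port 80 as well so HTTP-01 renewals still reach the home server while DNS points at the fallback. The tunnel address `10.0.0.2` and the hostnames are placeholders.

```nginx
# Added example, not from the original post. Runs on the friend's server.
# Assumptions: the home server is reachable over the WireGuard tunnel at
# 10.0.0.2 (placeholder); the hostnames below are placeholders too.
# This block sits at the top level of nginx.conf, beside the http {} block.
stream {
    # Pick a backend from the TLS ClientHello SNI without decrypting anything,
    # so no certificate or private key ever has to live on this machine.
    map $ssl_preread_server_name $backend {
        example.org        home_tls;
        cloud.example.org  home_tls;
        default            blackhole;   # unknown names are not forwarded
    }

    upstream home_tls {
        server 10.0.0.2:443;
    }

    # A closed local port: connections for unlisted names are simply dropped.
    upstream blackhole {
        server 127.0.0.1:1;
    }

    # Plain HTTP is passed through too, so ACME HTTP-01 challenges reach the
    # home server and certificates keep renewing there, not here.
    upstream home_http {
        server 10.0.0.2:80;
    }

    server {
        listen 443;
        ssl_preread on;             # read SNI only; TLS stays end-to-end
        proxy_pass $backend;
        proxy_connect_timeout 5s;   # fail fast if the tunnel is down
    }

    server {
        listen 80;
        proxy_pass home_http;
    }
}
```

The home server will see the tunnel address as the client IP for every forwarded connection, which matters for access logs and rate limiting; `proxy_protocol on` can carry the real address, but only if the home listener is configured to expect the PROXY header on that port.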