Port Assignment for basic ProxyProtocol + HTTP(S) Proxy

I currently want to build a basic DMZ reverse proxy with SSL termination with traefik v3. The proxy should be used for local services on HTTP(S) but should also deal with requests from outside which are coming from another reverse proxy (NGINX). For the second part I would like to utilize the Proxy Protocol.
I cannot seem to find good documentation on implementing such a system securely. I am aware of the entrypoint documentation at Traefik EntryPoints Documentation | Traefik | v3.1, but I don't know exactly how to implement it in practice.

I have found a somewhat comparable deployment of the Proxy Protocol at https://github.com/RealOrangeOne/infrastructure/blob/master/ansible/roles/traefik/files/traefik.yml:

```yaml
...
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: web-secure
          scheme: https
    proxyProtocol:
      trustedIPs:
        - "{{ wireguard.cidr }}"
        - "{{ pve_hosts.internal_cidr }}"
        - "{{ tailscale_cidr }}"
  web-secure:
    address: :443
    http:
...
    proxyProtocol:
      trustedIPs:
        - "{{ pve_hosts.ingress.ip }}/32"
    forwardedHeaders:
      trustedIPs:
        - "{{ wireguard.server.ip }}/32"  # This is obtained from the connecting `proxy_protocol`
...
```

What I am a little surprised about: the ProxyProtocol Specification specifically forbids port sharing between proxy-protocol and non-proxy-protocol ports:

The receiver MUST be configured to only receive the protocol described in this
specification and MUST not try to guess whether the protocol header is present
or not. This means that the protocol explicitly prevents port sharing between
public and private access. Otherwise it would open a major security breach by
allowing untrusted parties to spoof their connection addresses. The receiver
SHOULD ensure proper access filtering so that only trusted proxies are allowed
to use this protocol.

Therefore I am wondering the following:
1.) Is the configuration described above insecure?
2.) Should I instead set up a specific entrypoint with a specific port dealing with the proxy protocol?

I would also be very happy about an example .yaml file (or snippet) which works as a basic reverse proxy with a) Proxy Protocol to HTTPS and b) HTTP to HTTPS redirect.

Your "ProxyProtocol specification" is from another reverse proxy :wink:

I would expect Traefik can handle ProxyProtocol and regular http/s on the same entrypoint (not tested).

For security make sure to set trustedIPs for ProxyProtocol, then use middleware to restrict access.

Yes, I am aware that this is the case. However, this is due to the fact that the ProxyProtocol specification was born from HAProxy. The entrypoint docs for traefik itself also link there (to be more precise, it actually links to v2.0 - which has the same statement).

Apart from the example I posted above, I also found this implementation. Therefore, yes, I assume, it will work. However, based on posts like this Stack Overflow response, I question the security of both of these implementations.
Therefore, I would just like to find out, if my concerns do not apply in this case or if there would be a better way to do it.
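The spec passage quoted in the first post and the trustedIPs advice in the reply, as an added Python sketch (not part of the thread and not Traefik's implementation): a shared-port receiver that guesses whether a PROXY v1 header is present, next to one that honours the header only from trusted peers. The addresses, `TRUSTED_PROXIES` and the function names are constructed for illustration, and only the TCP4/TCP6 form of the v1 header is handled.

```python
import ipaddress

# Constructed value (assumption): the only host allowed to speak PROXY protocol.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.2/32")]
# Constructed sample: a v1 header claiming the client is 203.0.113.7:51000.
SAMPLE_HEADER = b"PROXY TCP4 203.0.113.7 10.0.0.5 51000 443\r\n"


def parse_proxy_v1(first_line):
    """Return (src_ip, src_port) from a PROXY v1 TCP4/TCP6 line, else None."""
    if not first_line.startswith(b"PROXY ") or not first_line.endswith(b"\r\n"):
        return None
    parts = first_line[:-2].decode("ascii", "replace").split(" ")
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        return None
    try:
        src = ipaddress.ip_address(parts[2])
        ipaddress.ip_address(parts[3])          # destination must parse too
        sport, dport = int(parts[4]), int(parts[5])
    except ValueError:
        return None
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        return None
    return str(src), sport


def client_addr_guessing(peer_ip, peer_port, first_line):
    """What the spec forbids: use the header whenever one happens to be present."""
    return parse_proxy_v1(first_line) or (peer_ip, peer_port)


def client_addr_gated(peer_ip, peer_port, first_line, trusted=TRUSTED_PROXIES):
    """Honour the header only when the TCP peer itself is a trusted proxy."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        # Untrusted peer: the socket address is the only address we believe.
        return peer_ip, peer_port
    parsed = parse_proxy_v1(first_line)
    if parsed is None:
        # A trusted proxy is configured to always send the header; do not guess.
        raise ValueError("trusted proxy sent no valid PROXY header")
    return parsed


if __name__ == "__main__":
    print(client_addr_guessing("198.51.100.9", 40000, SAMPLE_HEADER))
    print(client_addr_gated("198.51.100.9", 40000, SAMPLE_HEADER))
    print(client_addr_gated("10.0.0.2", 33000, SAMPLE_HEADER))
```

In the gated receiver, the header bytes from an untrusted peer are left for the HTTP parser, which will see them as a malformed request rather than as connection metadata.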