If you want an encrypted tunnel maintained by inetd or systemd socket activation, then stunnel is easier to use in this context than ssh.
Edit: I put stunnel on port 443 and have it connect to port 80 on my Apache webservers, because I like one way of doing TLS.
This guide has been useful for many years in cipher selection:
https://hynek.me/articles/hardening-your-web-servers-ssl-cip...
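A sketch of the setup described in this comment, added as an example and not the commenter's own configuration: systemd accepts connections on 443 and starts one stunnel per connection in inetd mode, which terminates TLS and forwards to Apache on port 80. The unit names, file paths, binary location and the TLS 1.2 floor are assumptions.

```ini
# ---- /etc/systemd/system/stunnel-https.socket (assumed name) ----
[Unit]
Description=TLS listener handed to stunnel per connection

[Socket]
ListenStream=443
# Accept=yes makes systemd accept() each connection and spawn one
# instance of the matching template unit, i.e. inetd-style activation.
Accept=yes

[Install]
WantedBy=sockets.target

# ---- /etc/systemd/system/stunnel-https@.service (assumed name) ----
[Unit]
Description=stunnel TLS termination (per-connection instance)

[Service]
# Binary path is an assumption; some distributions install it as stunnel4.
ExecStart=/usr/bin/stunnel /etc/stunnel/https-inetd.conf
# The accepted connection becomes stdin/stdout, as it would under inetd.
StandardInput=socket
# Keep stunnel's log output off the client socket.
StandardError=journal

# ---- /etc/stunnel/https-inetd.conf (assumed path) ----
; Inetd mode: only global options, no [service] section and no "accept",
; because the listening socket belongs to systemd.
; Certificate and key paths are placeholders.
cert = /etc/stunnel/example.crt
key = /etc/stunnel/example.key
; Assumed protocol floor; take the cipher list from the guide you follow.
sslVersionMin = TLSv1.2
; Plain-HTTP backend: Apache listening on port 80.
connect = 127.0.0.1:80
```

Because the backend sees every request arriving from 127.0.0.1, Apache access logs and any IP-based access rules no longer reflect the real client address unless that is handled separately.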