Good questions!
When you deploy a web service, including those that use custom Dockerfiles, Render does port detection to figure out where it should forward incoming traffic for your service. If you’re using a particular port, you can speed up port detection by setting a PORT environment variable, but this isn’t necessary. You don’t ever need to expose port 443 or even port 80 for that matter. Render will find the open port where your server is listening for HTTP traffic.
As you picked up on, all requests to Render services go over HTTPS. HTTP requests are redirected to HTTPS, our load balancer terminates TLS for your service, and requests are forwarded on to your HTTP service inside a private network.
In other words, you can just serve everything over HTTP using whatever port you like and Render automatically encrypts all traffic.