@shlomi I assume you mean the web server is installed on another server (and not on the same one as Cloudron). If that's the case, then it's fine. Otherwise, we don't support running additional applications on the same server as Cloudron.
(Why is Cloudron not using DNS-level validation for SSL, so we will not need to open ports if we do not want/need?)
This is the case already. You have to use one of the programmatic DNS providers (and not manual or wildcard). If you do this, you don't need to open port 80. Please see https://docs.cloudron.io/certificates/#port-80-requirement