The informations you enter in the detail panel are the ones you need to access the service.

Say, you have a default installation of Vaultwarden on the port 1234, you can access it directly, in http, with the URL http://hostname:1234, and therefore, you will need to configure NPM so that the new proxy host access the service with the http scheme, on the hostname host, with the port 1234.

Now, you change your installation of Vaultwarden, and add all the necessary TSL public and private keys that it requires, then you will need to directly access your instance with the https scheme, on the https://hostname:1234 URL, so that the TLS handshake can be performed and a secure connection can be made. The NPM configuration then will need to use the https scheme as well to access the service, otherwise, NPM won’t be able to properly connect to the service and it will fail.

That’s for the “internal” part of your configuration. You can still provide a service with TLS certifications, force TLS and everything, that will be for the external part of your service. If you trust your network, the communication inside it, or the device that holds all your services, it’s totally fine to use an http scheme to access your service internally. But if you have to access it through a network that you don’t trust, say, all the communications are unencrypted, and your NPM host is not the same as your Vaultwarden one, then you should definitely go through the hassle of setting up all the TLS encryption directly inside Vaultwarden first, and access it only with the https scheme.