when you use stunnel on the same computer of hfs, all connection trough stunnel to hfs in https are made with the 127.0.0.1 ip, then it's not necessary to use the ban if you allow only connexion on this IP
check menu -> Accept connexion on > 127.0.0.1
select for hfs an other port than 80, by example responding on 43080
if you have another computer or a tablet , you can verify that the direct access to hfs using
http://192.168.xx.xx:43080 fail where 192.168.xx.xx is the ip of your computer on local network