yes, "https from wan" is off and should stay off.
In the legacy firmware was a checkbox in the IPsec Config to "enable remote http(s)". I did not find this in the new firmware.
I guess this will generate a firewall rule similar described by Voljika. Probably this generated rule was lost by update.
Adding a custom firewall rule before the update surely is a viable workaround ...if somebody is able to see the future ;-)
I will use this for further upgrades. Nevertheless i regard this behavior as a bug.