I figured it out: you need to add the zones to the static-nat and create a policy between trust and dmz allowing http/https, and you can reference your public address in DNS for internal clients (helpful with VPN clients using internal DNS servers). They might not have access to other zones, and this way they will access your published resources via their public address ;-)
Here is my configuration for reference, I wish more people would post these lol...
I also cleaned up my FW policies, as all traffic is denied by default until you create a rule allowing it, so now the only thing I have is trust to untrust, dmz to untrust, and untrust/trust to dmz for http/https, and a deny rule with logging for anything coming from untrust to dmz.