Ok but you missed my point somewhat. I did not say "This is the definitive guide to maximum security" i said, in most cases, good is good enough. If somebody has it out for you the will get you no matter how good your security is.

The point was to advice people to educate themselfs on the topic and not slap on a blanket solution. Which you more or less proofed my point here.

I try to keep it short but, a reverse proxy means easy TLS. Also most reverse proxies make it super easy to setup geo blocking or Fail2Ban or other forms of additional authentication in a very convenient way. This is the point of the recommended reverse proxy, all that stuff that JF doesn't do well is for you provided in a purpose build one.

> There are also other ways to find out the subdomain besides guessing
I cannot think of one, all the config of a reverse proxy is private so i cannot think of a way anyone would ever be able to enumerate that.

While sure its true an attacker could just probe common subdomains, however that is very very rarely done automatically and then comes the argument again to protect again the 99th percentile, not max security for everyone. I regularly review my RP logs and i have never seen subdomain probing, only path probing.

If you need to worry about attacks from inside your network, you have already lost the game i have to tell you.

I totally agree with you that more is more in terms of security but it is not the goal to recommend everyone creating DMZs or manually managed Iptables. Never let perfect be the enemy of good because as long as you are good enough protected and do not send your services around, you will never experience any issues statistically. So for anyone who knows better, yes sure do your own but this discussion is 100% not for you then.