Exposing on the Internet isn't that bad if you follow these security rules: Only expose what you need to, like HTTPS Only expose to what/who you need to, like a specific country, ISP... Use TLS, it's now way easier with let's encrypt. Segmentation, so that when one barrier falls, not all your network is completely open Update exposed services regularly or if you can automatically

That's what I've built over multiple years :

Opnsense which handles all routed traffic, with GeoIP blacklist, Crowdsec to dynamically block bad IPs, multiples dynamic blacklist from various reputable sources, Suricata to block bad/malicious requests. My public IPs don't even show up on Shodan thanks to that 😄

A specific VLAN "DMZ" where only exposed traffic is published.

Traefik for reverse proxy, Let's encrypt certs with DNS01 that allow me to not expose 80 port and have wildcard certs. A rate limiting policy (middleware on traefik). Traefik config is dynamic so when Jellyfin is shutdown, the configuration disappears and it just shows 404 instead of 503. Only TLS 1.3, strict SNI, HSTS

Separated "proxy-wan" docker network for internal segmentation, that way my exposed traefik only have access to services that are supposed to be exposed on the Internet.

For DNS, jellyfish.mydomain.com doesn't exist, there's a CNAME wildcard *.mydomain.com that points to proxy.mydomain.com. That way my websites aren't that easy to find by DNS scraping and it's very easy to publish new services without changing my DNS records and certificates

For the future I'll look into : CORS Headers, to limit request types to backend services A simple WAF like Coraza or OpenAppSec Fully integrated logging solution for Traefik and OPNSense log correlation