i highly recommend the use of wireguard, reverse proxies and letsencrypt (i have a nice one https://mleku.dev/git/lerproxy - the R is in the name as i intend to eventually add URL rewriting to it, but haven't wrapped my head around it yet)

if you have never used wireguard yet, today's a good day to play with it

i used to wish it was easier to do SSH tunnels for years and then somehow i finally was persuaded to look at wireguard and i've never looked back

they use better encryption than SSL/TLS too, using chacha20 Curve25519 ECDH, Blake2S hash/MAC, Siphash24 for hash tables and HKDF

https://www.wireguard.com/protocol/