Replies (3)

I run a WireGuard server on mine and only listen on the WireGuard port. Eliminates all the logs of idiot scripts trying to hax the server. Also, I call bullshit on ssh tunneling being easy, it most certainly is not, and routing capabilities are even more arcane, I'm sure. Why invent a second language to express rules that could be done with iptables?
I don't use a tunnel normally and no, I don't use port 22 :) You can simply configure an nginx stream to forward ingress on port 443 directly to home. This is how enterprise L4 load balancing is handled. You'll want to enable the HAPROXY protocol so you can use client IPs to do L7 rate limiting.
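
The setup described in the reply above, sketched as an added example that is not part of either reply: an edge nginx forwards TCP 443 to home with the `proxy_protocol` directive, and the home nginx recovers the client address for per-client rate limiting. All addresses, hostnames, certificate paths, the backend port and the rate values are placeholder assumptions.

```nginx
# --- Edge host (public VPS): nginx.conf, top level, beside the http {} block ---
stream {
    server {
        listen 443;
        # 203.0.113.10 is a placeholder for the home server's reachable address.
        proxy_pass 203.0.113.10:443;
        # Prepend a PROXY protocol header carrying the real client address;
        # TLS is passed through untouched and terminates at home.
        proxy_protocol on;
        proxy_connect_timeout 5s;
    }
}

# --- Home server: inside http {} ---
# Shared-memory zone keyed on the client address; 10 r/s is an assumed rate.
limit_req_zone $binary_remote_addr zone=per_client:10m rate=10r/s;

server {
    # Expect the PROXY protocol header ahead of the TLS handshake.
    listen 443 ssl proxy_protocol;
    server_name home.example.org;                       # placeholder

    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/privkey.pem;

    # Accept the forwarded client address only when the connection comes
    # from the edge host (198.51.100.7 is a placeholder). Without this
    # restriction any peer could claim an arbitrary source address.
    set_real_ip_from 198.51.100.7;
    real_ip_header   proxy_protocol;

    location / {
        # $binary_remote_addr now holds the real client, not the edge host.
        limit_req        zone=per_client burst=20 nodelay;
        limit_req_status 429;
        proxy_pass       http://127.0.0.1:8080;         # placeholder backend
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

A listener marked `proxy_protocol` rejects connections that arrive without the header, so the home port should also be firewalled to accept traffic from the edge host only. `real_ip_header` requires nginx built with `ngx_http_realip_module`.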