by techcode
654 days ago
Modern take would be to simply not open anything to the outside world - except WireGuard (Tailscale or such). From there everything is either considered "localhost" or a local network. You can set up one or two central boxes (an actual home lab "server" where you already have HTTP-based services, and a Raspberry Pi Zero 2 for backup) with Tailscale. With remote devices (including phones) in the same Tailscale network, you can access anything in the home network as if you're physically home (but also have ACLs for kids/friends/etc). On the other (professional) end - well, then NginX and SSH are not even on the same network interface. And you run the NginX LB/reverse proxy on separate boxes from where the actual apps/websites are, etc.
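One way to audit a box against the "nothing open except WireGuard" layout described in the comment above, as an added example that is not part of the original comment: it parses `ss -tulnH` output and reports every listener that is neither bound to loopback or a Tailscale address nor on the allowed WireGuard port. The sample output is constructed, and UDP 51820 as the WireGuard port is an assumption.

```python
import ipaddress

# Constructed sample of `ss -tulnH` output (not taken from the original comment).
SAMPLE_SS = """\
udp UNCONN 0 0 0.0.0.0:51820 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 511 100.101.102.103:443 0.0.0.0:*
tcp LISTEN 0 128 [::]:80 [::]:*
udp UNCONN 0 0 [::1]:323 [::]:*
"""

# Address ranges Tailscale assigns node addresses from (CGNAT IPv4 and its IPv6 ULA).
TAILNETS = [ipaddress.ip_network("100.64.0.0/10"),
            ipaddress.ip_network("fd7a:115c:a1e0::/48")]
# Assumption: WireGuard listens on its conventional UDP port; adjust to your config.
ALLOWED = {("udp", 51820)}

def split_hostport(local):
    """Split ss's 'Local Address:Port' column, handling [v6]:port and %iface."""
    host, _, port = local.rpartition(":")
    return host.strip("[]").split("%")[0], int(port)

def is_private_bind(host):
    """True when the socket is bound only to loopback or a Tailscale address."""
    if host == "*":  # dual-stack wildcard bind
        return False
    addr = ipaddress.ip_address(host)
    return addr.is_loopback or any(
        addr.version == net.version and addr in net for net in TAILNETS)

def exposed_listeners(ss_output, allowed=ALLOWED):
    """Return (proto, host, port) for listeners outside the intended layout."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto = fields[0]
        host, port = split_hostport(fields[4])
        if is_private_bind(host) or (proto, port) in allowed:
            continue
        findings.append((proto, host, port))
    return findings

if __name__ == "__main__":
    for proto, host, port in exposed_listeners(SAMPLE_SS):
        print(f"review: {proto} listener on {host}:{port}")
```

A flagged wildcard bind is a candidate for review, not proof of exposure: a host firewall or NAT may still block it, but rebinding the service to loopback or the Tailscale address removes the dependency on that filter.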