So there is the HOSTED solution which is Nginx Proxy Manager, Traefik, Swag, etc. Once setup then you forward the 443/80 ports to that “app” or server address. From there it securely routes traffic to your “hosted applications”. They can use SSL encryption with Lets Encrypt certificates so that your hosted sites are secured. You can add Authelia to setup Security Access so that you dont have to use the built in application security if you dont want to.
Then there is Cloudflare Tunnels and its Zero Trust solution. It is hosted by them but in order to use it you will need to host a container in docker that connects securely to their services. You setup your site with them, then you setup the container to connect to it securely and once connected you can then add you hosted applications to their hosted solution and they will handle the traffic routing from their site back to your hosted application via your container. It is all SSL encrypted and they use their certificates. You can use an existing domain that you might have (free or paid) with NPM, Traefik, SWAG, or other hosted reverse proxy, or you can just purchase a domain from them and use it (fairly cheap). Once setup you can then go into their Zero Trust side and add the Security. It is a little bit of a learning curve to work with but once setup you can be using something your Github Signon as your SSO for all you hosted applications. You can also set it up so that you only have to reauthenticate every XX number of days. You can opt for their WARP client and a token based authentication, however I am not big on peoples clients on all my devices so I setup a known existing supported provider to be my SSO. Google, Github, and many more can be used.
Documentation for using the Reverse Proxys is immense and support on Reddit and the Facebook groups is huge as it is a long used and trusted solution.
Documentation for using the Cloudflare Zero Trust solution is more scarce and harder to find. I recently setup mine up over a weekend and found it to be decently complicated as a Senior Virtualization Engineer and Architect who specializes not just in the virtualized machines and operating systems, but also the virtualized networking and security. The Zero Trust was the part that got me for a bit, but once I got it working it has been a dream to use. I love it way more than I ever did my Nginx Reverse Proxy as it operates and responds a lot faster being hosted by them and not you, although where you put the container could be a bottleneck as your traffic will go in and out of it. Also solves any and all double NAT issues presented if you have home routers behind AT&T routers and other setups.
Completely true… you should attempt to do streaming over the Cloudflare solution as you will get banned. I would also guess performance might not be great since again the bottleneck is the Cloudflared/Cloudflared container on your network sending and allowing all the data to and from Cloudflare. Fine and dandy for normal work but I would think streaming media and even trying to do something like high end remote video editing is not going to fair well over it unless you give that a lot of good resources and that device itself has a really good network adapter connected to a good switch.
I mean you will still have a bottleneck local hosting and streaming through your reverse proxy anyways since it goes through the SSL encrypted hosted site and if it is Plex it is totally pointless to do other than for hiding purposes like your server is cloud hosted. You are essentially SSL encrypting the SSL encrypted traffic. You might as well add an additional Wireguard VPN around all of it and then attempt to stream something and watch it all buffer and come back and ask everyone for help.