Reverse proxies are the best solution, IMO. It’s generally good practice to forward as few ports as possible. Using a reverse proxy in tandem with a domain name allows you to setup subdomains for your various services while only forwarding ports 80 and 443.
For example, you could have plex.yourdomain.com and nextcloud.yourdomain.com.
To improve security, you can configure your reverse proxy to redirect all HTTP traffic to HTTPS.
There are a ton of tutorials for reverse proxies online. Space invader one made a video about setting up NGINX for unraid. Just be aware that it can sometimes get a little technical, since you pretty much are required to use the command line to configure NGINX.
The most secure network is one that is not connected to the internet at all. But obviously that is not at all practical, and there will always be zero-day vulnerabilities. Taking steps to mitigate those potential vulnerabilities is the best you can do. Using HTTPS, only exposing ports 80 and 443, routing all external traffic through NGINX, using strong passwords and 2FA where possible, and limiting access / permissions of services and directories to only the essentials is a pretty good strategy.
Here’s a great resource if you’re new to system security: https://www.freecodecamp.org/news/server-security-tips/
I might have missed a few things. Others feel free to chime in.
