Of course, the reverse proxy has to take care of authentication/authorization as well - I took that for granted.
The most simple method would be to use HTTP authentication (basic, digest, NTLM, Kerberos).
Personally, I use Cloudflare Access, which is quite simple to set up and allows authentication with your Google/Facebook/Github account (for which you can enable 2FA). It's free for up to 5 users.
@janwerner Thank you! So you already have to run your hubitat behind a reverse proxy for that to work? I've tried that but cannot edit code. Do you have any issues with that? My reverse proxy is Apache 2.
optionally: enable Authenticated Origin Pulls to prevent unauthorized access in case someone should be able to spoof their IP address
optionally: set up JWT token validation (this is somewhat difficult, I haven't been able to get this working yet, but the setup shoudl be sufficiently secure without it if you use Authenticated Origin Pulls. If you can get get it working, feel free to share your progress )
One thing that is nice about proxying traffic through Clouflare is that your site will be reachable via IPv4 and IPv6, but it's enough to have either IPv4 or IPv6 connectivity on your end. So even if your ISP only offers IPv4, your site will also be reachable via IPv6.
If you do have IPv6 connectivity, you will be able to publish more than one server by only exposing the reverse proxy via IPv6, because IPv6 restores end-to-end connectivity, i.e. every device on your network has its own public IP address and there's no NAT in between.