It needs only /socket. You can hide that by renaming it to something sufficiently random, then forwarding it correctly in the reverse proxy.
Same for the whole web UI. Put it into a random subdir, then put that as URL in the settings for clients to access the web interface. Or add basic auth.
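The two suggestions above (a renamed /socket path that the proxy maps back to the real one, and the web UI under a random subdirectory with basic auth) as one nginx reverse-proxy configuration. This is an added example, not config from the thread or from the app being discussed; the backend address 127.0.0.1:8080, the hostname, the certificate paths and the random segment `u8Qk3x9ZpL2w` are all placeholders I constructed.

```nginx
# Added example: nginx reverse proxy that
#  1) exposes the app's /socket only under an unguessable path, and
#  2) serves the web UI under a random subdirectory behind basic auth.
# Assumptions (constructed): app listens on 127.0.0.1:8080, the random
# segment is u8Qk3x9ZpL2w, and /etc/nginx/htpasswd already exists.

upstream app_backend {
    server 127.0.0.1:8080;   # placeholder backend; bind it to localhost only
}

server {
    listen 443 ssl;
    server_name app.example.com;                        # placeholder
    ssl_certificate     /etc/ssl/app.example.com.crt;   # placeholder
    ssl_certificate_key /etc/ssl/app.example.com.key;   # placeholder

    # Clients are configured to use /u8Qk3x9ZpL2w/socket. Because proxy_pass
    # carries a URI, nginx replaces the matched location with it, so the
    # backend still sees plain /socket (the query string is appended as-is).
    location = /u8Qk3x9ZpL2w/socket {
        proxy_pass http://app_backend/socket;
        proxy_http_version 1.1;                      # required for WebSocket
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 3600s;   # keep idle long-lived sockets open
    }

    # Web UI under the random subdirectory, additionally behind basic auth.
    # The trailing "/" on proxy_pass strips the random prefix before the
    # request reaches the app.
    location /u8Qk3x9ZpL2w/ {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/htpasswd;   # generate with htpasswd(1)
        proxy_pass http://app_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else, including the app's original / and /socket paths,
    # is refused at the proxy.
    location / {
        return 404;
    }
}
```

Two caveats when using this. The random segment only hides the endpoint; anyone who obtains the URL (browser history, logs, a shared link) can use it, so the `auth_basic` block, not the path, is what actually gates the UI, and TLS is what keeps those basic-auth credentials off the wire. Second, stripping the prefix on `proxy_pass` only works cleanly if the app either emits relative links or can be told its external base URL, which is why the comment above suggests putting the subdirectory into the app's settings; check a few pages and the browser's network tab after deploying to confirm no asset still requests the bare `/` path.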
You can use Cloudflare Zero-Trust tunnels with OTP by email. As an on-prem option I can recommend something like Netbird App Proxy. Some firewalls offer an app proxy, as do commercial services like MS Entra ID App Proxy. You can also try to integrate something like Nginx + Keycloak, or Caddy/Traefik/Openresty etc.