Hardening Admin page without VPN

Hi currently i have my server url https://my.domain.com and wss://my.domain.com/socket for internet clients.

But i don’t want to expose urbackup web publicly.

I saw some configurations with firewall rules allow perticulair locations ips. But thats not what im looking for.

This is my caddy configuration currently:

my.domain.com {
encode {
zstd # best compression
gzip
}
log {
output file /var/log/caddy/access_urbackup.log {
roll_size 750MiB
roll_keep 10
roll_keep_for 720h
}
format json
}
reverse_proxy 192.168.0.130:55414 {
}
}

Now im wondering which endpoints urls and methods are needed for internet clients to do the image and file backups?

my.domain.com/socket* is that enough or does the client still need to do http put post get reqeusts for other functionality of the clients it self?

IM TRYING TO HARDEN THE INSTALLATION. SO DISABLE THE WEB UI PUBLICLY WITHOUT FIREWALL SOURCE IP RULES BUT WITH THE REVERSE PROXY.

IT WOULD BE A BONUS IF ADMIN SETTINGS ARE NOT PUBLICLY BUT FILE RESTORE FOR CLIENTS ARE AVAILABLE AS WELL.

It needs only /socket. You can hide that by renaming it to something sufficiently random, then forwarding it correctly in the reverse proxy.

Same for the whole web UI. Put it into a random subdir, then put that as URL in the settings for clients to access the web interface. Or add basic auth.