I use Caddy as my reverse proxy. It is running on the machine in the basement with all the different docker-container-services on different ports. My registrar is set up so that *.my-domain.com goes to my IP.
Caddy is then configured for 'service-a.my-domain.com' to port 1234, and the others going to their ports. This is just completely standard reverse proxy.
For some subdomains (i.e. different services) ive whitelisted only the local network. There is some config for that.
Im pretty sure that I also have to have adguard do a dns rewrite on the local network as well. That is, adguard has a rewrite for '*.my-domain.com' to go to 192.168.0.22 (the local machine with caddy). I think i had to do this to ensure that when the request gets to caddy it is coming from the local whitelisted network rather than my public IP (which changes every couple months, but could be more).