I see no problems with security for your current setup, frankly.
Some reading materials on using Caddy in a home network:
Yep, just handle the requests with a request matcher.
A common pattern is to do something like this:
example.com {
    redir /foo /foo/
    handle /foo/* {
        reverse_proxy localhost:8096
    }
    handle {
        # Any other requests are caught by this
    }
}
I recommend making use of subdomains instead of subpaths though, like jellyfin.melbatoast.hopto.org or whatever. It’s a cleaner solution, and avoids potential issues with apps that don’t behave well when proxied in a subpath. See this article for an explanation:
There’s not really much to do for “efficiency”, the defaults should already be good enough (i.e. you probably don’t need to override the roll options at all).
It’s not required, but it does compress responses and therefore takes up less bandwidth, and is usually faster due to lowered data transfer times.
Security by obscurity is not really that useful. If you have authentication on your Jellyfin server, it’s good enough.
There’s not really much tooling out there yet to handle Caddy’s style of logs unfortunately.
I don’t use any IP blocking tool for my home networking setup, and I have no problems. It’s not usually that common to get hit with lots of traffic. You probably won’t need to worry about it.
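Added example, not part of the original post: since the reply notes that little tooling exists for Caddy's JSON access logs, this sketch counts 401/403 responses per client IP from such log lines. The sample entries, the `/foo/login` path, the threshold and the function names are constructed for illustration; the field names (`msg`, `status`, `request.remote_addr`, `request.remote_ip`) are those Caddy v2 writes in its access log.

```python
import json
from collections import Counter

# Constructed sample lines shaped like Caddy v2 JSON access-log entries.
SAMPLE_LOG = [
    '{"logger":"http.log.access","msg":"handled request","status":401,'
    '"request":{"remote_addr":"203.0.113.7:51234","method":"POST","uri":"/foo/login"}}',
    '{"logger":"http.log.access","msg":"handled request","status":401,'
    '"request":{"remote_addr":"203.0.113.7:51235","method":"POST","uri":"/foo/login"}}',
    '{"logger":"http.log.access","msg":"handled request","status":401,'
    '"request":{"remote_ip":"203.0.113.7","remote_port":"51236","uri":"/foo/login"}}',
    '{"logger":"http.log.access","msg":"handled request","status":200,'
    '"request":{"remote_addr":"198.51.100.4:40000","method":"GET","uri":"/foo/"}}',
    '{"logger":"http.log.access","msg":"handled request","status":401,'
    '"request":{"remote_addr":"198.51.100.4:40001","method":"POST","uri":"/foo/login"}}',
    '{"logger":"http.log.access","msg":"handled request","status":403,'
    '"request":{"remote_addr":"[2001:db8::1]:443","method":"GET","uri":"/foo/admin"}}',
    'this line is not JSON and must be skipped',
]

def client_ip(request):
    """Return the client IP; newer Caddy logs remote_ip, older only remote_addr (ip:port)."""
    if "remote_ip" in request:
        return request["remote_ip"]
    addr = request.get("remote_addr", "")
    host, _, _ = addr.rpartition(":")      # split off the port
    return host.strip("[]") or addr        # unwrap [ipv6]; keep addr if it had no port

def failed_auth_by_ip(lines, statuses=(401, 403), threshold=3):
    """Map client IP -> count of denied requests, keeping IPs at or above threshold."""
    counts = Counter()
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue                       # tolerate truncated or non-JSON lines
        if not isinstance(entry, dict) or entry.get("msg") != "handled request":
            continue
        if entry.get("status") in statuses:
            counts[client_ip(entry.get("request", {}))] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in failed_auth_by_ip(SAMPLE_LOG).items():
        print(f"{ip}: {n} denied requests")
```

To run it against a real log, pass an open file object as `lines`; the function reads it line by line.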