Comment on How do you all handle security and monitoring for your publicly accessible services?

q7mJI7tk1@lemmy.world 1 week ago

Sure, so I use Caddy as a reverse proxy for all my subdomains. The public ones direct straight to whatever service(s) are on IP:port etc., then the private ones only allow private IP ranges, one of which is my VPN subnet, therefore only allowing LAN and VPN access. I then also have a section for each of the private subdomains with Authelia authentication, which is omitted here:

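# Reusable snippet: defines the named matcher @allowed for the permitted client ranges
(allowed) {
	@allowed client_ip 192.168.1.0/24 192.168.10.0/24 192.168.20.0/28
}

sub.domain.com {
	import allowed
	# Clients inside the allowed ranges are proxied to the backend
	handle @allowed {
		reverse_proxy 192.168.80.8:8080
	}

	# Everything else: close the connection without sending a response
	handle {
		abort
	}
}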
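
A way to check which client addresses the allowlist above admits before relying on it. This is an added example, not part of the original comment or of Caddy. It models only the CIDR comparison, and the sample addresses are constructed. Caddy's `client_ip` matcher additionally depends on any `trusted_proxies` setting, which is not modelled here.

```python
import ipaddress

# CIDR ranges copied from the (allowed) snippet in the comment above.
ALLOWED = [ipaddress.ip_network(c) for c in
           ("192.168.1.0/24", "192.168.10.0/24", "192.168.20.0/28")]


def decide(client_ip: str) -> str:
    """Return 'reverse_proxy' if the address matches the allowlist, else 'abort'."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return "abort"  # unparseable input never matches a range
    return "reverse_proxy" if any(addr in net for net in ALLOWED) else "abort"


def coverage():
    """First address, last address and size of each range, so its real width is visible."""
    return {str(n): (str(n[0]), str(n[-1]), n.num_addresses) for n in ALLOWED}


# Constructed sample client addresses (not taken from any real log).
# 192.168.20.16 sits just past the end of the /28; 192.168.80.8 is the
# upstream address from the config, which is outside all three ranges.
SAMPLES = ["192.168.1.50", "192.168.20.14", "192.168.20.16",
           "192.168.80.8", "203.0.113.7", "not-an-ip"]

if __name__ == "__main__":
    for net, (first, last, count) in coverage().items():
        print(f"{net}: {first} - {last} ({count} addresses)")
    for ip in SAMPLES:
        print(f"{ip:15} -> {decide(ip)}")
```
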
