I use the synapse container, I followed the docs on matrix.org.

As far as a revere proxy I use the SWAG container from linuxserver. My matrix instance isnt exposed to the internet or federated but it used to be. When it was exposed I was using fail2ban to ban exploit attempts but if I were to set it up again I’d probably use crowdsec instead. They are both built into SWAG.