if you are using cloudflare anyway then consider using their argo tunnels, that way you can just drop inbound web connections entirely.
this helps protect against the “CDN bypass” attack and mass scanning based origin discovery. https://t.co/Aam6ujPx7o