Internet-facing Perspective server

We are in the process of standing up an Internet-facing Perspective server.
We have located the server in a DMZ with 443 external to the DMZ and 8060 internal to the DMZ (remote tag provider).
I had thought we could split the Perspective ‘listener’ onto its own port, thus making Gateway Webpage and designer connections not available (via firewall rules); however, it seems we can’t.
In reading other posts I believe we need to implement a reverse proxy.
Currently considering these: IIS, Caddy 2, NGINX. Any preferences? We don’t have a lot of influence over machine provisioning so may have to co-locate the proxy on the Perspective box (Win 2019).
Do we recommend SSL Offloading? Is the performance benefit noticeable?
Also, so that the Gateway webpage is not available from the Internet I was going to block: /web/home, /web/status, /web/config. What is the filter to block designer traffic?

Thanks,
Glen
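
The path blocking described in the post above, as an added example that is not part of the original post or of Ignition: a deny-list check that normalizes the request path before comparing it with the three prefixes, so that equivalent spellings of a blocked path get the same decision. The function names and sample request targets are constructed for illustration, and which spellings the gateway actually treats as equivalent is an assumption.

```python
import posixpath
from urllib.parse import unquote

# Prefixes named in the post. The designer path is not given on the page, so it is not listed.
BLOCKED_PREFIXES = ("/web/home", "/web/status", "/web/config")


def normalize_path(request_target: str) -> str:
    """Reduce a request target to one canonical, lower-case path."""
    # Drop query string and fragment; only the path takes part in the match.
    path = request_target.split("?", 1)[0].split("#", 1)[0]
    # Undo percent-encoding, repeating a bounded number of times for nested encoding.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    # Remove ";param" suffixes that some servlet containers ignore when routing.
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    # Collapse repeated slashes and resolve "." and ".." segments.
    path = posixpath.normpath("/" + path.lstrip("/"))
    return path.lower()


def is_blocked(request_target: str) -> bool:
    """True when the normalized path is a blocked prefix or sits below one."""
    path = normalize_path(request_target)
    return any(path == p or path.startswith(p + "/") for p in BLOCKED_PREFIXES)


# Constructed request targets (not captured traffic) with the expected decision.
SAMPLES = {
    "/web/home": True,
    "/WEB/Status?tab=1": True,
    "//web//config": True,
    "/data/../web/config": True,
    "/web/%63onfig/security": True,
    "/web/config;x=1/db": True,
    "/data/perspective/client/demo": False,
    "/web/homepage": False,
}

if __name__ == "__main__":
    for target, expected in SAMPLES.items():
        print(f"{target!r:36} blocked={is_blocked(target)} expected={expected}")
```

The same decisions can be replayed against whichever proxy is chosen (IIS, Caddy 2 or NGINX) to confirm that its own rule matching agrees.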

Here is an article I remember reading a few months ago that might point you in the right direction: Public Facing Ignition