In order to be available to the world, that node keep online an SSH reverse tunnel to Reyboz similar to this one:
autossh -R 8081:localhost:80 border-tunnel@reyboz
And in Reyboz we have a small Apache proxy that exposes the incoming HTTP traffic to that opened 8081 loopback port with something like this:
/etc/apache2/sites-enabled/border-radio.static.conf
<VirtualHost *:80> ServerName static.border-radio.it # serve some local files (just temporary certificates actually) DocumentRoot /home/www-data/reyboz.it/static/border-radio # allow to renew let's encrypt certificates when it creates temporary stuff in this directory ProxyPass "/.well-known" "!" # proxy enabled by a reverse SSH tunnel from an hidden LAN from a secret single board computer. asd ProxyPass / http://localhost:8081/border-radio/ ProxyPassReverse / http://localhost:8081/border-radio/ </VirtualHost>