Secure authentication in front of a web server open to internet - eviltoast

I would like to open an instance of a web server such as nextcloud, synology, etc to the internet. VPN is not possible since recipients are not a prior known. Reverse proxy seems like a good option.

Cloudflare tunnels provide a layer of authentication in front of the web server. But I don’t want Cloudflare having access to my traffic and don’t know a way to add a layer of encryption to keep Cloudflare out of traffic.

I know authelia, but haven’t worked with it.

What are the options?