I use Caddy as a reverse proxy, but most of this should carry over to nginx. I used to use basic_auth at the proxy level, which worked fine(-ish) though it broke Kavita (because websockets don’t work with basic auth, go figure). I’ve since migrated to putting everything behind forward_auth/Authelia which is even more secure in some ways (2FA!) and even more painless, especially on my phone/tablet.

Sadly reverse proxy authentication doesn’t work with most apps (though it works with PWAs, even if they’re awkward about it sometimes), so I have an exception that allows Jellyfin through if it’s on a VPN/local network (I don’t have it installed on my phone anyway):

@notapp {
  not {
    header User-Agent *Jellyfin*
    remote_ip 192.160.0.0/24 192.168.1.0/24
  }
}
forward_auth @notapp authelia:9091 {
  uri /api/verify?rd=https://authelia.example
}

It’s nice being able to access everything from everywhere without needing to deal with VPNs on Android^ and not having to worry too much about security patching everything timely (just have to worry about Caddy + Authelia basically). Single sign on for those apps that support it is also a really nice touch.

^You can’t run multiple VPN tunnels at once without jailbreaking/rooting Android