Unless you need it to be reachable from the Internet, at which point it has to be... reachable from the Internet.

Not expose the server IP is one practice (obfuscation) in a list of several options.

But that alone would not solve the problem being a RCE from HTTP, that is why edge proxy provider like Cloudflare[0] and Fastfy[1] proactivily added protections in his WAF products.

Even cloudflare had an outage trying to protect his customers[3].

- [0] https://blog.cloudflare.com/waf-rules-react-vulnerability/ - [1] https://www.fastly.com/blog/fastlys-proactive-protection-cri... - [2] https://blog.cloudflare.com/5-december-2025-outage/

Any server? How do you run a public website? Even if you put it behind a load balancer, the load balancer is still a “server exposed to the internet”

You're going to hate this thing called DNS

Is there a way to do that and still be able to access the server?

As in "always run a network firewall" or "keep the IP secret"? Because I've had people suggest both and one is silly.