Most secure way to use SPICE when outside of LAN (Apache reverse proxy)?

xapt

Mar 2, 2023
Hello, friends.

I'd like to use a certain VM as a VDI when I'm not at home.
Right now, it is set up as follows:

Internet => connecting to proxmox.domain.tld using Apache reverse proxy on Port 443 that forwards me to port 8006 using a Linux VM => SPICE using port forwarding on port 3128 to proxmox.

It doesn't feel very secure, since the port 3128 is forwarded directly to proxmox. Is there a more secure way to make SPICE work without exposing my proxmox on port 3128 directly to the internet?
Unfortunately, VPN is out of the question, since the network I'm in doesn't allow outgoing VPN connections. Is there any way I can relay the port 3128 to proxmox without exposing the proxmox machine to the internet? Something like Apache reverse proxy? I don't think Apache can forward TCP connections directly.
Any other ideas how to use SPICE from WAN?
 
I'm looking for a similar setup, though I plan on using https://github.com/joshpatten/PVE-VDIClient for the client. I've figured out how to hide the Proxmox interface with Nginx, but is 3128 secure enough to leave port forwarding open? I've been trying to come up with a way to implement port knocking to make this work.
 
Hmm. I think using SPICE through the hypervisor itself for daily use is not the right approach.

If you want a remote visual session on any Windows or Linux host without any fiddling, try this. I ended up with this solution after years of playing with other methods:
https://www.nomachine.com/remote-access-for-everybody

You could also try this. It was a bit fiddly with X11 sessions last I tried it with Linux hosts. Maybe it's better now? Windows support was good as well:
https://guacamole.apache.org/

Either way, I think you want to remote direct into the VM instead of coming in "over the top" through the hypervisor.
 