Hi Bart, a BIG fan of your nodes / tutorials here...
Sorry to jump into this post so late, it seems like you've already decided to take the ZT route, but I would advocate for CF on this one. IMHO it's way more easy to configure than any other alternative (I did try ZT first), it provides the SSL management lifecycle free and very easy to setup, it includes simple access controls (both for humans and machines accessing your LAN) integrated with major IdP in the case of humans, or rotating api-keys...
If I was able to set that up, anybody can 
I did this post some months ago showing how to set it up for a node-red running on a RPi... Free and SSL secured access to your node-red instance running on a Raspberry Pi
Now, I have to be honest, I would love for you to conduct a detailed study of your own on CF because I would learn a lot, I'm sure... 
