You would have to set only 2 rules in firewalls for this (the fewer the rules, the fewer resources for this job).
The path in official documentation:
Your Pi is at home (protected from world natties by your router, which defaults to blocking anyone asking anything from the outside... unless it has UPnP enabled).
So, first, on the Pi, change the password for user pi, and its name (search recent thread here in my posts->)
If you have already started your web server, use the native firewall in Linux (netfilter/iptables). If lost there, install gufw (gnome uncomplicated firewall) from the official Raspbian repo. You have 3 profiles there: one is firewall disabled, two are firewall enabled (not sure if the single difference between these 2 is supported by the current Raspbian kernel: the diff is, when a visitor knocks at the door and the firewall is instructed by the defaults and by you to refuse to let him come in, either the firewall will reply why or will reply nothing).
As long as you're in front of the Pi keyboard, you can select one of the 2 active profiles in gufw (the firewall won't prevent you from local logins).
Then learn some bits of SSH, already embedded in most Linux distributions.
Choose key authentication for your ssh server: create your keys, put the public part in the file ~/.ssh/authorized_keys, and set your SSH server to refuse password authentication (all this is in the official doc).
Test your ssh login.
Then you can create the firewall rule to accept ssh from anywhere (anyone being you ATM, with regard to your private key (don't leave it unprotected)).
Go out of home (with your IP in mind) and retest: if you can log in and never put hands in the firewall of your router, that means it had UPnP enabled (imagine rotten server software in Windows or even Linux, or any box with IoT inside, asking your router to open their door!). Now decide to leave UPnP enabled and you're done with ssh, or decide to disable it, and then you will have to walk a last step: set your Pi for a static IP (the way you want: real static set in the Pi, or my preferred (centralization), a dhcp lease in your router) so that you can then instruct the router to allow SSH (port 22>22 or random>22, or random>same-random (for this last, set the ssh server port in the conf where you disabled password auth etc...)) in to the Pi.
Once your http server is secured with its own methods, go back in your router to instruct it to allow http[s] to the Pi (which already has its own static IP).
Then you can use VNC over SSH to gain remote GUI access to your Pi. I prefer this to relying on an additional service for security (VNC). You only need to choose the VNC client you'll give your trust. I stuck to my old VNC 5 for accesses from Windows because I hate to install new software, and for my nuxes I selected Remmina long ago, so I stick with it.
You'll love this peace of mind: help with your /etc/hosts file:
pi public IP # for remote access. Or "pir" in this line
pil lan IP #the one you set ( in the router dhcp lease or static). Or "pi" in this line
In a terminal, ssh pi when you just want a command line on the Pi (or ssh pir, or pil, see above).
In the Remmina GUI, simply double-click a pir VNC type entry to have Remmina trigger the ssh tunnel and place the VNC over it when I want the Pi GUI. You may here also want another entry (pil, calling hosts' pil entry) for when you're at home (in bed away from keyboard).
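
An added example, not part of the original post: a check that an sshd_config really refuses passwords and accepts keys before the SSH port is opened on the firewall or router. The function names and the sample files are constructed for illustration; only the global section of a single file is read.

```shell
#!/bin/sh
# Added example: audit the global section of one sshd_config file.
# Assumption: Include files and Match blocks are not followed.

# effective_value KEYWORD(lowercase) DEFAULT FILE
# sshd keywords are case-insensitive and the FIRST occurrence wins.
effective_value() {
    awk -v key="$1" -v def="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        { split(line, f, /[ \t=]+/); k = tolower(f[1]) }
        k == "match" { exit }              # global section ends here
        k == key { val = tolower(f[2]); found = 1; exit }
        END { if (found) print val; else print def }
    ' "$3"
}

# audit_sshd_config FILE: returns 0 only if password logins are off
# and public-key logins are on.
audit_sshd_config() {
    pw=$(effective_value passwordauthentication yes "$1")  # OpenSSH default: yes
    pk=$(effective_value pubkeyauthentication yes "$1")    # OpenSSH default: yes
    echo "PasswordAuthentication=$pw PubkeyAuthentication=$pk"
    [ "$pw" = "no" ] && [ "$pk" = "yes" ]
}

# Constructed samples. In "weak" the later "no" is ignored because an
# earlier "yes" already set the value.
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed sample' 'PasswordAuthentication yes' \
    'PubkeyAuthentication yes' 'passwordauthentication no' > "$demo_dir/weak"
printf '%s\n' '# constructed sample' 'PubkeyAuthentication yes' \
    'PasswordAuthentication no' > "$demo_dir/hardened"

for f in weak hardened; do
    if audit_sshd_config "$demo_dir/$f"; then
        echo "$f: OK, keys only"
    else
        echo "$f: password login still possible or keys disabled"
    fi
done
```

On the Pi itself, `sudo sshd -T` prints the configuration the server actually uses, including any Include files, and is the authoritative check.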