I do client ssl verification.
Nobody but me or my household is supposed to access those anyway.
Any failure is a ban (I don't remember how long for).
I also ban every IP not from my country, adjusting that sometimes if I travel internationally.
It's much easier when you host stuff only for your devices (my case) and not for the larger public (like this lemmy instance).
How do you have this set up? Is it possible to have a single verification process in front of several exposed services? Like as part of a reverse proxy?
Yes it's running in my reverse proxy.
Nginx is doing my "client ssl verify" in front of my web services.
You can even do this on a per uri/location.
For example, my nextcloud is open without client certs so I can share files with people, but the admin settings path is protected by client ssl.
Yup, there are many ways of doing that. Most reverse proxies should support basic auth (easy, but browser UX is terrible and it breaks websockets) or TLS client auth (even worse browser UX, phones are awful).
The best thing is do something like Caddy + Authelia (which is what I currently do with most things, with exceptions for specific user agents and IPs for apps that require it, aka non-browser stuff like Jellyfin),
Some apps now have support for client certs (home-assistant ❤).
Nextcloud is one of the only apps that's open without client ssl because it'd be highly inconvenient to share a file link with someone if I had to install a cert on their devices.
Plex app never works right for me so I just use the browser. My TV is too old to have old built-in so I have a VM in which I use a browser to watch plex.