OooOOps I forgot to reply to the reverse-proxy question...
This is also very nuanced. "Sure" you can put it behind a reverse proxy -- like zrok!!! (you should check out zrok if you haven't already, I bet you'll love what it does too)
BUT -- you can also choose to host the ZAC and ergo the management API on a wholly different IP/port. We call that "splitting the api". Here's a Discourse post and a couple of videos we did two years ago on the topic: