its the internet, they are. Putting it behind cloudflare and locking down the firewall to only allow their ips has filtered out pretty much everything. its free and pretty straight forward if you own your own domain.
check your nginx access logs, I’m sure they’re full of people poking it.