Best practice: Tunnels with subdomain for each service or one tunnel to reverse proxy (nginx)?

Hey everyone,

I have a home server and I want to access some services (homeassistant, plex etc) from inside or outside of my home network with the same addresses but without going all the way to the internet and back home through tunnel when I m inside my network.
I’m able to achieve this with two deferent ways:

  1. Cloudflare tunnel with a dedicated subdomain (plex.mydomain.com) for each service pointing at the ip of the service and nginx for the same domain pointing at the ip of the service.
    This way when I’m outside of home, Cloudflare tunnel routes the web address through the tunnel to the service and when I m inside my home, nginx routes to the service without going outside.
  2. Only one Cloudflare tunnel for “*.mydomain.com” and an DNS record for “*.mydomain.com”, pointing to reverse proxy (nginx). Multiple records on nginx for each subdomain pointing to the ip of the service.
    This way when I’m outside of my home each subdomain goes to nginx server who is responsible for pointing to the right ip.
    When I’m inside my home, the serving is the same as the first case, through nginx.

Which model is preferable?

The main concern is in terms of security.