Securing Jenkins external access

We have Jenkins 2.236 running behind a nginx 1.10.2 on a centos 7 virtual machine.
Currently we have jenkins not accessible externally at all for security reasons.
Now we want to have at least some functions exposed externally (for example getting out Bitbucket cloud webhook to register with it).
We can whitelist incoming connections to jenkins from our firewall but we want to secure our jenkins even more.
Is it possible to not show the jenkins login page (or any page) and all non-webhook functions unless they are from a specific IP or source? or can these be restricted by port? as in the webhooks are not done with HTTP/HTTPS ports?

The common solution is to use a proxy of some sort that just handles webhooks.

is one solution. You could also have 2 http proxies/load balancers, one that allows in all traffic, and another that allows /webhook /github-webhook /whateverotherurlyou want

thanks. i will check that out