take a look at this article
it’s not specific to NPM but it should be easy to adopt for NPM as well.
If you setup your reverseproxy and Nextcloud right you will receive real-ip in the logs and security features like bruteforce protection remain operable as well.