My approach is based on Kubernetes, but maybe you could achieve it with Docker. I’ve managed it using Traefik v3 as an “internal proxy”, a Cloudflare tunnel pointing to the internal Traefik service, external DNS to update the DNS records in Cloudflare, and Kubernetes ingresses (with Traefik as a controller) to manage the traffic for each domain name.
The trick for ActivityPub was a Traefik File Provider, which creates a special kind of service and proxies the required requests to ap.ghost.org.
If you want to try the Traefik method, I can give you more details, or you can also refer to this topic, “ActivityPub at Ghost in Docker + Traefik and Cloudflare”, from @caeike, who solved the problem.