I'm no expert, but I think you could have the reverse proxy node be the only thing whitelisted to be accepted by the nodes you want behind the proxy (via their tailscale IP). I believe this would all be done in their ACL JSON.