Maybe use cloudflare, then create a firewall rule that limits connections to 80/443 inbound ONLY from Cloudflares subnets?

You can then get some pretty decent metrics and they even have a bot filter along other stuff