I tested WAFs in the past, also ones from the big players and while they might block some cheesy stuff on the application layer, as long as they are not heavily tailored towards your application, they stop bein effective against most manual stuff.
Everything lower than application layer ist not a WAF btw, so I am not sure if you mean WAF or some Firewallish stuff.

Just stick to best practices and expose only what you really need to expose. When putting third parties in front of your stuff this als has data protection implications. If using it makes you feel better okay but it should not feel you more secure if you expose vulnerable stuff.

You wrote:

there’s certainly plenty of implementations which i wouldn’t class as obscurity.

without specifying further. How am I supposed to work out what you mean? I did a guess in my last answer and you seem not to care about a discussion on the topic but instead now question me. I

I just wanted to make clear that port knocking is obscurity and maintaining and configuring your still public facing services in a secure manner is essential. There are best practices which I did not define and are applicable here.

If you whitelist your IP that of course helps but I am not sure what that has to do with port knocking. Whitelisting an IP after it knocked right, that would be obscurity. Whitelisting an IP after it authenticated through a secure connection with secure credentials? Why not just use VPN?

I am also not directly commenting on OPs question, as I try to tackle missconceptions in the comments.

Does this method use a cryptographically secure secret which is transmitted encrypted? If not, it is obscurity. If yes, just use normal secure authentication if your goal is security. If you want to get volume down and maybe reduce your risk, feel free to use such things but you should not apply the security label to it.

A WAF won’t magically solve your problems and free you from your attack surface. To be effective it needs contect of the application and a lot of tuning. Your public facing services should be treated, configured and maintained as such. I am not sure if you include a WAF in the stuff that won’t stop exploitation of vulns, but it definitely belongs there. Yes, it can decrease volume and make exploitation a bit harder but that’s it usually. Also don’t just include proprietary third party stuff and hope it solves your problems.

While this helps getting volume down it just adds a layer of obscurity and the service behind should still be treated and maintained as if it was fully public-facing.

Sorry to nitpick but I feel like beimg precise here is important. Nginx is a project, ssh a protocol and VPN an overlay network, so more of a concept. All 3 can be run somewhere on the spectrum between quite secure and super insecure. Also safe and secure are two different things, I guess you meant secure so no big deal.

Mine is managed hosted so I don’t know.