The question is how to pass commands to the Espruino, and receive info from it, over the internet... without exposing the Espruino to incoming connections.
Here's what I've done:
Espruino receives commands by http requests over the LAN - these can either return data or do things.
For getting data, there are a number of php scripts (one for each data-getting-request on the Espruino) which, if the request comes from the correct IP address, will take a base64-encoded string (the response from the Espruino), decode it, and store it with apc_store(). And there are an equal number of php scripts that return that data (in the same format as the Espruino returns it, so I can use the same page inside the LAN and outside, by using different URLs depending on window.location.hostname).
For sending commands, there's one php script that stores a command (this would be the url that would be requested from within the LAN to affect the desired result - again to allow the same page to easily work both inside and outside the LAN) via apc, and another which gets and clears this list.
Finally, a raspberry pi within the lan has cronjobs that call python scripts, which get data from the Espruino, base64 encode it, and pass it to the php scripts on the outside webserver, and one that grabs the command list, and if not empty, makes the requests that are specified.
It appears to work, as long as I avoid making two requests to the Espruino simultaneously....