• If SQL Server is only serving the web server, it's simple: make sure that only ports 80 and 443 are open in the firewall. And particularly, make sure that the ports related to SQL Server are closed. That is, the port which the instance is listening to (which you find in the SQL Server error log) and UDP port 1434, used by the Browser service.

    You can even take it one step further and disable TCP and named pipes altogether on the instance.

    In many cases, you want to be able to access the server instance from other machines in your own network. The common solution to this is to put the web server in what is called a DMZ, which is outside your corporate firewall.

    Also make sure that your web application is not prone to SQL injection.

    Erland Sommarskog, SQL Server MVP, www.sommarskog.se
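The firewall lockdown described in the post above, as an added example that is not part of the original post: a PowerShell script (run elevated on the SQL Server host) that reads the instance's listening port from the SQL Server error log, allows only TCP 80 and 443 inbound, explicitly blocks the instance port and UDP 1434 (Browser service), and then lists every enabled inbound Allow rule so anything besides the web ports stands out. The error log path, the `MSSQL15.MSSQLSERVER` instance folder and the rule names are assumptions for illustration; adjust them to your instance.

```powershell
# Added example (not from the original post). Assumes the default ERRORLOG path
# below and that TCP 80/443 are the only services this host should expose.
$ErrorLogPath = 'C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Log\ERRORLOG'

# 1. Find the TCP port(s) the instance actually listens on, from the error log.
#    The lines look like:  Server is listening on [ 'any' <ipv4> 1433].
$sqlPorts = Get-Content -Path $ErrorLogPath |
    Select-String -Pattern "Server is listening on \[ '.*' <ipv[46]> (\d+)\]" |
    ForEach-Object { [int]$_.Matches[0].Groups[1].Value } |
    Sort-Object -Unique

if (-not $sqlPorts) { throw "No listening ports found in $ErrorLogPath" }

# 2. Allow only the web ports inbound.
New-NetFirewallRule -DisplayName 'Allow HTTP/HTTPS inbound' -Direction Inbound `
    -Protocol TCP -LocalPort 80,443 -Action Allow -Profile Any

# 3. Explicitly block the SQL Server listener port(s) and the Browser service.
#    In Windows Firewall a Block rule takes precedence over any Allow rule that
#    matches the same traffic, so these hold even if a broader Allow rule exists.
New-NetFirewallRule -DisplayName 'Block SQL Server TCP listener' -Direction Inbound `
    -Protocol TCP -LocalPort $sqlPorts -Action Block -Profile Any
New-NetFirewallRule -DisplayName 'Block SQL Server Browser (UDP 1434)' -Direction Inbound `
    -Protocol UDP -LocalPort 1434 -Action Block -Profile Any

# 4. Verify: list each enabled inbound Allow rule with the ports it opens.
#    Anything other than 80/443 in this table deserves a second look.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Protocol  = $pf.Protocol
            LocalPort = ($pf.LocalPort -join ',')
        }
    } | Sort-Object Rule | Format-Table -AutoSize
```

The explicit Block rules are belt-and-braces: Windows Firewall drops unsolicited inbound traffic by default, but the installer of SQL Server or another product can add an Allow rule later, and a Block rule on the instance port and UDP 1434 survives that. Going one step further, as the post suggests, means disabling the TCP and Named Pipes protocols on the instance in SQL Server Configuration Manager, which this script does not do.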