Well I have a solution.
I wasn't expecting this to work (two ssh tunnels sort of 'back to back') but it does:-
On the boat system I do:-
ssh -R 45678:localhost:80 myaccount@system.inthe.middle
and on my home system:-
ssh -L 45678:shell.gridhost.co.uk:45678 myaccount@system.inthe.middle
then I can point my browser at localhost:45678 and it sees the apache server on the boat.
It's as secure as I need. The boat has a passphraseless public key to log in to myaccount@system.inthe.middle so can connect unattended, the ssh process is kept going by a little utility called autossh that monitors it and restarts if necessary.
From my home system to myaccount@system.inthe.middle there's public key
authentication with a passphrase protecting the key so it's "transparent" as long as I'm logged in. I can just fire off the ssh -L from my .xprofile.
As I say I hadn't realised that the two ssh tunnels would hook together so easily and painlessly, it just worked the first time I tried it and all I have to do in addition is add a couple of options to make it 'quieter' and everything is sorted.
Thanks for all the help and thoughts, I may well investigate the VPN approach in the longer term as it might well provide a lot of things that I need all in one go.