How to Configure Nginx as a Secure Reverse Proxy Server
An Nginx reverse proxy sits in front of your app, accepts client requests, and forwards them to an internal service. This improves security, enables SSL termination, and gives you one place to control headers, redirects, and rate limits. In this reverse proxy tutorial, you will create a basic but secure Nginx configuration for a web application.
1. Install Nginx
On Ubuntu or Debian:
    sudo apt update
    sudo apt install nginx -y
After installation, allow HTTP and HTTPS through the firewall if needed, then verify Nginx is running.
2. Create a Reverse Proxy Server Block
Assume your application runs locally on port 3000. Create a new site configuration:
    server {
        listen 80;
        server_name example.com www.example.com;
        location / {
            proxy_pass http://127.0.0.1:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
This forwards traffic to your backend while preserving important request details. Enable the file, test the config, and reload Nginx.
3. Add SSL and Redirect HTTP to HTTPS
A proper Nginx SSL setup should encrypt traffic and force secure connections. If you use Let’s Encrypt, Certbot can generate certificates and update Nginx automatically. Your final configuration should include an HTTP redirect and an HTTPS server block:
    server {
        listen 80;
        server_name example.com www.example.com;
        return 301 https://$host$request_uri;
    }
    server {
        listen 443 ssl http2;
        server_name example.com www.example.com;
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        location / {
            proxy_pass http://127.0.0.1:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
This step handles SSL termination at Nginx while your app can remain on a private local port.
4. Apply Basic Security Hardening
A secure Nginx configuration should do more than just proxy requests. Add a few defensive headers and hide unnecessary server details:
    server_tokens off;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy strict-origin-when-cross-origin;
You can place these in the server block or a shared config file. Also consider limiting request size with client_max_body_size and enabling simple rate limiting for public endpoints.
Recommended security checks
Make sure your backend listens only on localhost or a private network, keep Nginx updated, and renew SSL certificates automatically. If your app supports WebSockets, add the required upgrade headers separately.
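An added example (not part of the original tutorial) that puts the request-size limit, rate limiting and WebSocket upgrade headers mentioned above into one HTTPS server block. The zone name per_ip, the rate and burst values, the 10m body limit and the /ws/ path are assumptions to adjust for your application.

```nginx
# Added example, not from the original tutorial. Zone name, rates, sizes and
# the /ws/ path are assumptions; tune them for your application.

# http context (for example a file under /etc/nginx/conf.d/):
# per-client-IP request budget, 10 MB of shared state, 10 requests/second.
limit_req_zone $binary_remote_addr zone=per_ip:10m rate=10r/s;

# Send "Connection: upgrade" only when the client asked for an upgrade.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    server_tokens off;
    client_max_body_size 10m;     # larger request bodies are rejected with 413
    limit_req_status 429;         # default rejection status would be 503

    # "always" also sets the header on error responses (4xx/5xx).
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;

    location / {
        limit_req zone=per_ip burst=20 nodelay;   # absorb short bursts, reject the rest
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    location /ws/ {               # hypothetical WebSocket path
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;   # the Upgrade mechanism requires HTTP/1.1 upstream
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

limit_req_zone and map belong in the http context, outside any server block. A location that declares its own add_header stops inheriting the server-level ones, so repeat them there if you add location-specific headers.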
5. Test and Reload Nginx
Always validate syntax before applying changes:
    sudo nginx -t
    sudo systemctl reload nginx
Then test your domain in a browser and with curl. Confirm that HTTP redirects to HTTPS, the certificate is valid, and your app responds through the proxy.
Conclusion
This reverse proxy tutorial showed how to build an Nginx reverse proxy with SSL and basic hardening. With a clean Nginx SSL setup, forwarded headers, and a few security controls, you get a practical front end for protecting and managing your application traffic.