A reverse proxy is one of the most powerful building blocks in modern web infrastructure. It sits between users and your backend services, acting as a gatekeeper that can improve performance, enforce security policies, and control traffic.
In this article, I'll walk through how I built a secure reverse proxy using Nginx, including:
- Reverse proxy architecture
- Rate limiting to stop abuse
- Security headers for safer responses
- Request logging for visibility
By the end, you'll have a practical setup you can deploy in front of your applications.
Reverse Proxy Architecture
At a high level, a reverse proxy sits between clients and your backend servers.
Instead of users directly accessing your application server, all requests first go through the proxy.
Client
│
▼
Reverse Proxy (Nginx)
│
▼
Application Server
Benefits of this architecture:
- Hide internal infrastructure
- Centralize security policies
- Terminate TLS in one place
- Add traffic filtering and monitoring
Example scenario:
Internet
│
▼
Nginx Reverse Proxy
├── API Server (Node.js)
├── Web App (React / Next.js)
└── Admin Panel
This makes Nginx the entry point for all incoming traffic.
Basic Nginx Reverse Proxy Configuration
A simple reverse proxy configuration might look like this:
server {
listen 80;
server_name example.com;
location / {
proxy_pass http://backend_app;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
What this does:
- Accepts HTTP requests
- Forwards them to the backend application
- Preserves client IP information
This is the foundation, but by itself it doesn't provide much security.
Adding Rate Limiting
Public services often face bot traffic, scanners, and brute-force attacks.
Rate limiting helps protect your application by restricting how many requests a client can make.
First, define a rate limit zone:
http {
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
}
Then apply it in your server block:
location /api/ {
limit_req zone=api_limit burst=20 nodelay;
proxy_pass http://backend_api;
}
This configuration:
Limit: 10 requests per second
Burst: allow short spikes
Protects API endpoints from abuse
Rate limiting is especially effective against automated scanners and brute-force attacks.
Security headers help protect browsers and users from common web vulnerabilities.
You can add them directly in Nginx.
Example configuration:
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "no-referrer-when-downgrade";
add_header Content-Security-Policy "default-src 'self'";
These headers help defend against:
clickjacking
content-type sniffing
cross-site scripting
data leakage
They add an additional layer of client-side protection.
Enabling Access Logging
Logging is essential for visibility and incident response.
With Nginx logs you can:
- detect suspicious traffic
- identify attack patterns
- debug application issues
- analyze performance
Example configuration:
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
You can also customize log formats:
log_format security_log '$remote_addr - $request - $status - $http_user_agent';
access_log /var/log/nginx/security.log security_log;
Useful data in logs:
client IP
request path
HTTP status codes
user agents
request timing
Logs often reveal automated scanning and attack attempts hitting your endpoints.
In production environments, you may want to go further.
Additional best practices:
Enable HTTPS with TLS
Disable unnecessary HTTP methods
Hide server version information
Restrict admin endpoints
Use upstream health checks
Example:
server_tokens off;
This prevents Nginx from exposing its version number in responses.
Final Thoughts
A reverse proxy is much more than just a traffic router — it can act as a powerful security layer in front of your applications.
With a few Nginx configurations you can implement:
traffic control
security headers
request logging
basic attack mitigation
These protections significantly reduce your exposure to automated attacks.
If you want a ready-to-use security layer, projects like SafeLine WAF implement many of these protections out of the box.