Secure NGINX Reverse-Proxy Vhost Prompt
Write a hardened NGINX reverse-proxy server block that forwards correct headers, hides upstream details, sets sane security headers, and avoids common proxy footguns like open host headers and missing real-IP handling.
- Target user: DevOps engineers fronting internal services with NGINX
- Difficulty: Intermediate
- Tools: Claude, ChatGPT
The prompt
You are a senior platform engineer who writes production-grade NGINX reverse-proxy vhosts. I need a complete, hardened `server` block to front an internal service.

I will provide:

- The public hostname(s) and the upstream address (host:port or socket)
- Whether the upstream expects a specific Host header or path prefix
- Whether requests pass through a load balancer / CDN (so X-Forwarded-For and real IP must be trusted)
- Any websocket or streaming endpoints, and the max upload size needed

Your job:

1. **Server block scaffold** — write the `server` block with an explicit `server_name`, a default-server catch-all that rejects unknown Host headers, and listen directives for the 80→443 redirect.
2. **Proxy headers** — set `proxy_set_header` for Host, X-Real-IP, X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Host correctly, noting which of them the upstream should trust.
3. **Real client IP** — configure `set_real_ip_from` / `real_ip_header` only for trusted proxy ranges so clients cannot spoof their IP.
4. **Hide the backend** — strip or rewrite Server/X-Powered-By, set `proxy_hide_header` where needed, and avoid leaking upstream error pages.
5. **Security headers** — add HSTS (note its preconditions), X-Content-Type-Options, Referrer-Policy, and a starter Content-Security-Policy with a caveat to tune it.
6. **Timeouts & limits** — set proxy timeouts, `client_max_body_size`, and websocket `Upgrade`/`Connection` handling where relevant.
7. **Validate** — give the `nginx -t` check and curl commands proving the headers and the Host-rejection behavior.

Output as: (a) the full annotated server block, (b) per-directive rationale, (c) validation commands.
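An added example of what the requested vhost looks like, written here rather than taken from the page or any model's output; the hostname `app.example.com`, the upstream `127.0.0.1:8080`, the certificate paths and the `10.0.0.0/8` load-balancer range are placeholder assumptions.

```nginx
# Added example: app.example.com -> 127.0.0.1:8080 behind an LB in 10.0.0.0/8 (placeholders).
map $http_upgrade $connection_upgrade { default upgrade; '' close; }

# Catch-all: a request whose Host matches no vhost lands here and is dropped.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/certs/default.crt;   # any cert, even self-signed
    ssl_certificate_key /etc/nginx/certs/default.key;
    return 444;                                          # close without a response
}

# Plain HTTP only redirects to HTTPS.
server {
    listen 80;
    server_name app.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/nginx/certs/app.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/app.example.com.key;
    server_tokens off;                  # no version string in Server header or error pages
    client_max_body_size 10m;

    # Trust X-Forwarded-For only when the TCP peer is in the LB range; anyone else
    # keeps $remote_addr, so a client cannot spoof its own IP.
    set_real_ip_from  10.0.0.0/8;
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;

    add_header Strict-Transport-Security "max-age=300" always;   # raise once TLS is stable everywhere
    add_header X-Content-Type-Options nosniff always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;
    add_header Content-Security-Policy "default-src 'self'" always;  # starter policy; tune per app

    # Upstream failures get nginx's own terse response, not the backend's error page.
    error_page 500 502 503 504 @upstream_error;
    location @upstream_error { return 502 "upstream unavailable\n"; }

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header Upgrade           $http_upgrade;       # websocket pass-through
        proxy_set_header Connection        $connection_upgrade;
        proxy_hide_header X-Powered-By;
        proxy_intercept_errors on;          # route 5xx from the backend to error_page above
        proxy_read_timeout 60s;
    }
}
```

Check it with `nginx -t`, then `curl -sk -H 'Host: unknown.example' https://<server-ip>/` should get an empty reply (the 444 path) while `curl -sI https://app.example.com/` shows the security headers and no backend `X-Powered-By`.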
Related prompts
- Configure NGINX TLS, HSTS & OCSP Stapling Prompt: Build a modern, A-grade NGINX TLS configuration with correct protocol/cipher selection, OCSP stapling, session settings, and a safe HSTS rollout, then verify it against a real handshake.
- Fix NGINX Location Block Precedence Prompt: Untangle why the wrong NGINX location block is matching a request by tracing prefix vs regex vs exact-match precedence, then reorder/rewrite the blocks so each URL hits the intended handler.