DevOps AI ToolKit

Secure NGINX Reverse-Proxy Vhost Prompt

Write a hardened NGINX reverse-proxy server block that forwards the correct headers, hides upstream details, sets sane security headers, and avoids common proxy footguns such as answering for arbitrary Host headers and trusting a client-supplied X-Forwarded-For as the real IP.

Target user
DevOps engineers fronting internal services with NGINX
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a senior platform engineer who writes production-grade NGINX reverse-proxy vhosts. I need a complete, hardened `server` block to front an internal service.

I will provide:
- The public hostname(s) and the upstream address (host:port or socket)
- Whether the upstream expects a specific Host header or path prefix
- Whether requests pass through a load balancer / CDN (so X-Forwarded-For and real IP must be trusted)
- Any websocket or streaming endpoints, and max upload size needed

Your job:

1. **Server block scaffold** — write the `server` block with an explicit `server_name`, a `default_server` catch-all that drops requests for unknown Host headers (e.g. `return 444`), and a separate port-80 listener that only redirects to 443.
2. **Proxy headers** — set `proxy_set_header` for Host, X-Real-IP, X-Forwarded-For (appending with `$proxy_add_x_forwarded_for`), X-Forwarded-Proto, and X-Forwarded-Host, and state which of these the upstream may trust: only the ones this proxy overwrites, never values passed through from the client.
3. **Real client IP** — configure `set_real_ip_from` / `real_ip_header` only for the trusted load-balancer or CDN ranges (plus `real_ip_recursive on` when more than one trusted hop sits in the path) so a client cannot spoof its IP by sending its own X-Forwarded-For.
4. **Hide the backend** — `server_tokens off` to drop the NGINX version, `proxy_hide_header` for X-Powered-By and similar upstream fingerprints, and `proxy_intercept_errors` with local error pages so upstream stack traces and framework error pages never reach the client.
5. **Security headers** — add HSTS (note the preconditions: every path on the host is TLS, start with a short `max-age`, add `includeSubDomains` only once all subdomains are TLS), X-Content-Type-Options, Referrer-Policy, and a starter Content-Security-Policy (report-only first) with a caveat that it must be tuned to the application. Keep every `add_header` at one level: an `add_header` inside a `location` replaces all inherited ones.
6. **Timeouts & limits** — set proxy connect/read/send timeouts, `client_max_body_size`, and websocket `Upgrade`/`Connection` handling with `proxy_http_version 1.1` where relevant.
7. **Validate** — give the `nginx -t` check and curl commands proving the response headers, the 80→443 redirect, and the Host-rejection behavior.

Output as: (a) the full annotated server block, (b) per-directive rationale, (c) validation commands.
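What a complete answer to this prompt looks like, as an added example that is not part of the original page and not the output of any particular model: a drop-in vhost file for `conf.d/` covering every step above. The hostname `app.example.com`, the upstream `127.0.0.1:8080`, the trusted proxy range `10.0.0.0/8`, and the certificate paths are placeholders chosen for the example; replace them with your own values, and in particular set `set_real_ip_from` to exactly the ranges your load balancer or CDN uses.

```nginx
# Added example vhost (placeholders, not values from the page):
#   public hostname  app.example.com
#   upstream         127.0.0.1:8080 (plain HTTP)
#   trusted LB/CDN   10.0.0.0/8  -> replace with your real proxy ranges
#   certificates     /etc/nginx/tls/app.example.com.{crt,key}

upstream app_backend {
    server 127.0.0.1:8080;
}

# Real client IP: trust X-Forwarded-For only when the TCP peer is a listed
# proxy. Without set_real_ip_from any client can forge its own address.
set_real_ip_from  10.0.0.0/8;
real_ip_header    X-Forwarded-For;
real_ip_recursive on;   # skip every trusted hop in the XFF chain, not just the last

# Map the client's Upgrade header to the Connection value nginx sends upstream.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Catch-all: requests for any Host we do not serve are dropped.
# 444 closes the connection without sending a response, so nothing leaks.
server {
    listen 80  default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # nginx >= 1.19.4: refuse unknown SNI, no dummy cert needed
    return 444;
}

# Plain HTTP for the real hostname only redirects; nothing is proxied on 80.
server {
    listen 80;
    server_name app.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name app.example.com;

    ssl_certificate     /etc/nginx/tls/app.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/app.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    server_tokens        off;   # "Server: nginx" stays, the version is dropped
    client_max_body_size 10m;

    # HSTS is safe here because every path on this host is TLS and port 80
    # only redirects. Start short; raise toward 31536000 and add
    # includeSubDomains only once every subdomain is TLS.
    add_header Strict-Transport-Security "max-age=300" always;
    add_header X-Content-Type-Options    "nosniff" always;
    add_header Referrer-Policy           "strict-origin-when-cross-origin" always;
    # Starter CSP in report-only mode; switch to Content-Security-Policy after tuning.
    add_header Content-Security-Policy-Report-Only "default-src 'self'; frame-ancestors 'none'; base-uri 'self'" always;
    # Keep all add_header here: an add_header inside a location discards these.

    # Upstream 5xx bodies (stack traces, framework pages) are replaced locally.
    proxy_intercept_errors on;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
        internal;
    }

    location / {
        proxy_pass         http://app_backend;
        proxy_http_version 1.1;

        # The upstream may trust these because nginx sets them, not the client.
        # $remote_addr has already been rewritten by the real_ip module above.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;

        # WebSocket / streaming: pass the upgrade through.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Strip upstream fingerprints. Upstream "Server" is not passed by default;
        # framework headers such as X-Powered-By are, so hide them explicitly.
        proxy_hide_header X-Powered-By;

        proxy_connect_timeout 5s;
        proxy_send_timeout    60s;
        proxy_read_timeout    60s;
    }
}
```

Validation, assuming the proxy answers on 203.0.113.10 (a documentation address used only for the example): `nginx -t` must pass; `curl -sI http://app.example.com/` must return a 301 to the https URL; `curl -sI https://app.example.com/` must show the Strict-Transport-Security, X-Content-Type-Options and Referrer-Policy headers and no X-Powered-By; and `curl -skI -H 'Host: evil.example' --resolve app.example.com:443:203.0.113.10 https://app.example.com/` must produce an empty reply rather than a page, because the unknown Host falls through to the `default_server` and hits `return 444`. A request to the bare IP with no SNI is refused at the TLS handshake by `ssl_reject_handshake`, which is the other acceptable outcome.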
