5 Nginx Reverse Proxy Mistakes That Silently Break Your Services

InfraPilot Team

February 12, 2026

1. Forgetting to Pass the Host Header

By default, Nginx passes its own server name as the Host header to upstream services. This breaks applications that rely on the original hostname for routing, virtual hosting, or CORS validation.

The fix:

proxy_set_header Host $host;                                   # original hostname the client asked for
proxy_set_header X-Real-IP $remote_addr;                       # client IP, for logging and rate limiting
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;   # appends the client IP to any existing chain
proxy_set_header X-Forwarded-Proto $scheme;                    # lets the app know whether TLS terminated here

Add these to every proxy block, or better, to a shared proxy_params file that you include everywhere.

2. Not Configuring Proxy Timeouts

Nginx's default proxy timeout is 60 seconds. For long-running operations (file uploads, report generation, webhooks), this silently kills connections. The client sees a 504 Gateway Timeout with no clear indication of why.

The fix:

proxy_connect_timeout 60s;    # time to establish the TCP connection to the upstream
proxy_send_timeout 300s;      # max gap between two successive writes to the upstream
proxy_read_timeout 300s;      # max gap between two successive reads from the upstream

Set these based on your slowest legitimate operation. Don't blindly set them to 3600s — that opens your server to slowloris-style attacks.

3. Exposing Internal Services via location /

A common pattern is proxying all traffic to a single upstream with location / { proxy_pass http://app:3000; }. The problem: this often unintentionally exposes debug endpoints, admin routes, or internal APIs that should never be public.

The fix: Be explicit about what you expose. Use separate location blocks and explicitly deny what shouldn't be public:

location ^~ /api/internal {
    # ^~ makes this prefix match final, so a regex location elsewhere cannot override it;
    # the longest prefix wins over location /, and deny all already answers with 403
    deny all;
    return 403;
}
location / {
    proxy_pass http://app:3000;
}

4. Missing WebSocket Upgrade Headers

Nginx doesn't handle WebSocket upgrades by default. Applications that rely on WebSockets (real-time dashboards, chat, live logs) will mysteriously fail — often with cryptic error messages in the browser console.

The fix:

proxy_http_version 1.1;                       # Upgrade is an HTTP/1.1 mechanism; the default 1.0 cannot carry it
proxy_set_header Upgrade $http_upgrade;       # forward the client's Upgrade: websocket header
proxy_set_header Connection "upgrade";        # Connection is hop-by-hop, so it must be re-set for the upstream

5. Large File Uploads Timing Out or Being Rejected

Nginx has a default client_max_body_size of 1MB. Any upload larger than this gets a silent 413 error. Worse, even when you increase the limit, the default timeouts may cut off slow uploads midway.

The fix:

client_max_body_size 100M;    # requests with a larger body get 413 before reaching the upstream
client_body_timeout 300s;     # max gap between two successive reads of the request body from the client

How InfraPilot Helps

InfraPilot's visual Nginx manager validates your configuration before applying it and highlights common mistakes like missing proxy headers and mismatched SSL settings. The security scanner also flags open internal routes and missing headers — catching these issues before they reach production.