Configuring an NGINX Reverse Proxy for Wazuh Load Balancer improves the scalability, availability, and security of your Wazuh deployment by efficiently distributing traffic across multiple Wazuh nodes. By placing NGINX in front of the Wazuh manager and dashboard, organizations can ensure high availability, optimize request handling, and provide a secure access layer for agents and users.
If you’re deploying Wazuh in a production, security-focused environment, it’s common to place it behind:
- A public load balancer (HTTPS termination)
- An internal NGINX reverse proxy
- A Wazuh Dashboard running with HTTPS enabled
In this design:
- The load balancer handles public HTTPS
- NGINX forwards traffic using HTTPS upstream with certificate verification
- Wazuh Dashboard is accessed securely end-to-end
This guide explains how to configure NGINX to proxy HTTPS upstream to the Wazuh Dashboard on:
https://127.0.0.1:5601
The connection flow is:
- Client → LB (HTTPS)
- LB → NGINX (HTTP)
- NGINX → Wazuh Dashboard (HTTPS) ← verified
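This keeps the connection to the Wazuh Dashboard encrypted and verified, even inside private networks. The LB → NGINX hop is plain HTTP in this design, so that segment relies on the private network between the load balancer and NGINX.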
Prerequisites
- Wazuh Dashboard configured with HTTPS
- A valid certificate and CA for Wazuh Dashboard
- NGINX installed
- Load balancer forwarding HTTP → NGINX
Change Wazuh Dashboard default port
In the /etc/wazuh-dashboard/opensearch_dashboards.yml file, change the default dashboard port from 443 to 5601, then restart the dashboard:
systemctl restart wazuh-dashboard
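Use the following verified HTTPS upstream config. The CA path and certificate name are placeholders; replace them with the values for your Wazuh Dashboard certificate:
server {
    listen 80;
    server_name website.com;
    location / {
        # Upstream is HTTPS because Wazuh dashboard has HTTPS enabled
        proxy_pass https://127.0.0.1:5601/;
        proxy_http_version 1.1;
        # Verify the upstream certificate (NGINX does not verify it by default)
        proxy_ssl_verify on;
        # Placeholder: CA certificate that signed the Wazuh Dashboard certificate
        proxy_ssl_trusted_certificate /path/to/root-ca.pem;
        # Placeholder: a name present in the dashboard certificate
        # (if omitted, NGINX checks the host from proxy_pass)
        proxy_ssl_name wazuh-dashboard.example.internal;
        # WebSocket support
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Forward important request headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Stream responses and allow long-running dashboard requests
        proxy_buffering off;
        proxy_connect_timeout 90s;
        proxy_send_timeout 90s;
        proxy_read_timeout 300s;
        send_timeout 90s;
    }
}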
Explanation of the Important HTTPS Settings
proxy_pass https://127.0.0.1:5601
Tells NGINX the upstream uses HTTPS.
proxy_set_header X-Forwarded-Proto https
Ensures Wazuh sees the external connection as HTTPS.
Test the configuration and reload NGINX
nginx -t
systemctl reload nginx
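NGINX leaves `proxy_ssl_verify` off by default, so a `proxy_pass https://` upstream is encrypted but not authenticated unless verification is switched on. The following added example (not part of the original guide or of NGINX/Wazuh tooling) audits a config for that gap, following inheritance from enclosing blocks; the sample configs and the CA path are constructed placeholders, and the parser assumes plain directives and balanced blocks.

```python
import re
# Settings a location inherits from enclosing server/http blocks.
INHERITED = ("proxy_ssl_verify", "proxy_ssl_trusted_certificate")

def parse(text):
    """Parse nginx config text into nested {directives, children} blocks."""
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|#[^\n]*|[{};]|[^\s{};]+', text)
    root = {"directives": {}, "children": []}
    stack, stmt = [root], []
    for tok in tokens:
        if tok.startswith("#"):
            continue  # comment up to end of line
        if tok == "{":
            block = {"directives": {}, "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
        elif tok == "}":
            stack.pop()
        elif tok == ";" and stmt:
            stack[-1]["directives"][stmt[0]] = stmt[1:]
        if tok in ("{", "}", ";"):
            stmt = []  # statement or block header finished
        else:
            stmt.append(tok.strip("\"'"))
    return root

def audit(block, inherited=None):
    """Return (upstream, problem) for each https proxy_pass left unverified."""
    eff = dict(inherited or {})
    eff.update({k: v for k, v in block["directives"].items() if k in INHERITED})
    findings = []
    target = (block["directives"].get("proxy_pass") or [""])[0]
    if target.startswith("https://"):
        if eff.get("proxy_ssl_verify") != ["on"]:
            findings.append((target, "proxy_ssl_verify is not on"))
        elif not eff.get("proxy_ssl_trusted_certificate"):
            findings.append((target, "proxy_ssl_trusted_certificate is missing"))
    for child in block["children"]:
        findings += audit(child, eff)
    return findings

# Constructed sample: HTTPS upstream with no verification directives.
UNVERIFIED = "server { listen 80; location / { proxy_pass https://127.0.0.1:5601/; } }"
# Constructed sample: verification set at server level; the CA path is a placeholder.
VERIFIED = """server { proxy_ssl_verify on;
  proxy_ssl_trusted_certificate /path/to/root-ca.pem;  # placeholder path
  location / { proxy_pass https://127.0.0.1:5601/; } }"""

if __name__ == "__main__":
    print(audit(parse(UNVERIFIED)), audit(parse(VERIFIED)))
```

Passing the output of `nginx -T` to `parse()` covers included files as well as the main config.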
Conclusion
You now have a production-ready setup where:
- The load balancer handles public HTTPS
- NGINX proxies requests locally
- Wazuh Dashboard runs under verified HTTPS
- Upstream SSL certificates are correctly validated
- WebSockets and real-time features work normally
This is the most secure architecture for enterprise Wazuh deployments.