How to Configure NGINX as a Reverse Proxy for Wazuh Behind a Load Balancer

Configuring NGINX as a reverse proxy for Wazuh behind a load balancer improves the scalability, availability, and security of your Wazuh deployment by efficiently distributing traffic across multiple Wazuh nodes. By placing NGINX in front of the Wazuh manager and dashboard, organizations can ensure high availability, optimize request handling, and provide a secure access layer for agents and users.

If you’re deploying Wazuh in a production, security-focused environment, it’s common to place it behind:

  • A public load balancer (HTTPS termination)
  • An internal NGINX reverse proxy
  • A Wazuh Dashboard running with HTTPS enabled

In this design:

  • The load balancer handles public HTTPS
  • NGINX forwards traffic using HTTPS upstream with certificate verification
  • Wazuh Dashboard is accessed securely end-to-end

This guide explains how to configure NGINX to proxy HTTPS upstream to the Wazuh Dashboard on:

https://127.0.0.1:5601

The connection flow is:

  1. Client → LB (HTTPS)
  2. LB → NGINX (HTTP)
  3. NGINX → Wazuh Dashboard (HTTPS) ← verified

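This keeps traffic to the Wazuh Dashboard encrypted and verified, even inside private networks. The LB → NGINX hop is plain HTTP in this design, so that segment has to be a trusted network path.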

Prerequisites

  • Wazuh Dashboard configured with HTTPS
  • A valid certificate and CA for Wazuh Dashboard
  • NGINX installed
  • Load balancer forwarding HTTP → NGINX

Change the Wazuh Dashboard Default Port

Edit the /etc/wazuh-dashboard/opensearch_dashboards.yml file and change the default dashboard port from 443 to 5601, then restart the service:

systemctl restart wazuh-dashboard

Use the following verified HTTPS upstream config:

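server {
    listen 80;
    server_name website.com;

    location / {
        # Upstream is HTTPS because Wazuh dashboard has HTTPS enabled
        proxy_pass https://127.0.0.1:5601/;

        # Verify the dashboard certificate against its CA. NGINX does not
        # verify upstream certificates unless proxy_ssl_verify is on.
        # The CA path and certificate name below are placeholders; use the
        # CA that signed the dashboard certificate and a name it contains.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /path/to/wazuh-root-ca.pem;
        proxy_ssl_name wazuh-dashboard.example.internal;

        proxy_http_version 1.1;

        # WebSocket support
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Forward important request headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Pass responses through immediately instead of buffering them
        proxy_buffering off;

        # Timeouts; the long read timeout allows slow dashboard queries
        proxy_connect_timeout 90s;
        proxy_send_timeout 90s;
        proxy_read_timeout 300s;
        send_timeout 90s;
    }
}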

Explanation of the Important HTTPS Settings

proxy_pass https://127.0.0.1:5601

Tells NGINX the upstream uses HTTPS.

proxy_set_header X-Forwarded-Proto https

Ensures Wazuh sees the external connection as HTTPS.

Restart NGINX

nginx -t
systemctl reload nginx
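
nginx -t only checks syntax, so it passes even when an HTTPS upstream is proxied without certificate verification. The script below is an added example, not part of the original article: it reads an NGINX configuration and reports every proxy_pass https:// whose block neither sets nor inherits proxy_ssl_verify on and proxy_ssl_trusted_certificate. The function name audit_https_upstreams and the sample input are constructed for illustration.

```shell
# Added example (not from the original article): flag HTTPS upstreams that
# NGINX would proxy to without verifying the certificate.
# Assumes no "#" inside quoted values and no ${var} brace syntax.
audit_https_upstreams() {
  awk '
    function handle(s,   f) {              # record the directives we care about
      split(s, f, " ")
      if (f[1] == "proxy_pass" && f[2] ~ /^https:/) { pass[cur] = f[2]; line[cur] = NR }
      if (f[1] == "proxy_ssl_verify") verify[cur] = f[2]
      if (f[1] == "proxy_ssl_trusted_certificate") ca[cur] = f[2]
    }
    function inherited(arr, b) {           # nearest value in b or an enclosing block
      while (1) {
        if (b in arr) return arr[b]
        if (b == 0) return ""
        b = parent[b]
      }
    }
    BEGIN { cur = 0; n = 0; split("", pass); split("", verify); split("", ca) }
    {
      sub(/#.*/, "")                       # drop comments
      gsub(/[{};]/, "\n&\n")               # isolate block and statement delimiters
      cnt = split($0, tok, "\n")
      for (i = 1; i <= cnt; i++) {
        t = tok[i]; gsub(/^[ \t]+|[ \t]+$/, "", t)
        if (t == "") continue
        if (t == "{") { n++; parent[n] = cur; cur = n; stmt = "" }
        else if (t == "}") { cur = parent[cur]; stmt = "" }
        else if (t == ";") { handle(stmt); stmt = "" }
        else stmt = (stmt == "" ? t : stmt " " t)
      }
    }
    END {                                  # resolve inheritance once everything is parsed
      for (b = 0; b <= n; b++) if (b in pass) {
        why = ""
        if (inherited(verify, b) != "on") why = "proxy_ssl_verify is not on"
        else if (inherited(ca, b) == "") why = "no proxy_ssl_trusted_certificate"
        if (why != "") { print "line " line[b] ": " pass[b] " -> " why; bad = 1 }
      }
      exit bad + 0
    }
  ' "$@"
}

# Constructed sample: an HTTPS upstream with no verification directives.
printf '%s\n' 'server {' '  location / {' '    proxy_pass https://127.0.0.1:5601/;' \
  '  }' '}' | audit_https_upstreams || echo "unverified HTTPS upstream found"
```

To audit the full effective configuration, pipe the output of nginx -T into the function; the reported line numbers then refer to that dump.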

Conclusion

You now have a production-ready setup where:

  • The load balancer handles public HTTPS
  • NGINX proxies requests locally
  • Wazuh Dashboard runs under verified HTTPS
  • Upstream SSL certificates are correctly validated
  • WebSockets and real-time features work normally

This is the most secure architecture for enterprise Wazuh deployments.
