Checklist: Reverse Proxy Change Before Production

Use this before merging or deploying proxy config.

Config validation

• Run syntax check (nginx -t) on the exact config set to be deployed.
• Confirm upstream targets resolve on the host that runs nginx.
• Verify timeouts are explicit and not inherited by accident.
• Verify X-Forwarded-* headers are set consistently.

TLS and certificates

• Confirm certificate covers all served hostnames.
• Confirm full chain is present and ordered correctly.
• Confirm redirect behavior (http -> https) is intentional.
• Confirm HSTS settings match current rollout plan.

Routing behavior

• Validate each location block with a real request, not only static checks.
• Test one success path and one expected failure path (404/401/etc.).
• Confirm no catch-all route is shadowing a specific location.

Operational checks

• Record rollback command and previous config reference.
• Capture baseline latency/error metrics before reload.
• Reload and validate active connections stay healthy.
• Write one line in the runbook with what changed and why.