by epimetheus2 1668 days ago
You can copy curl from browser, change https to http and it will work. Is that susceptible? The whole React app uses https.
1 comment

Don't allow any HTTP requests to be passed to your actual backend app, handle them only on the proxy.

For example:

You set up NGINX on ports 80 and 443 and open these ports (TCP for 80 and TCP/UDP for 443) to the internet, and close all other ports. Your backend runs on port 3000, and you configure NGINX to proxy pass coolstore.com/api to said port 3000.

All client-traffic HTTPS is handled on the NGINX proxy (it can also serve your static files very well). Any HTTP requests are sent a response status 301 with the HTTPS version of the request URL.
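
The layout described in the comment above, written out as an NGINX configuration. This is an added example, not part of the original comment: `coolstore.com`, `/api` and port 3000 come from the comment, while the certificate paths, the static root and the backend listening on 127.0.0.1 are assumptions.

```nginx
# Port 80: nothing here is proxied to the backend.
# Every plain-HTTP request is answered with a 301 to the HTTPS URL.
server {
    listen 80;
    listen [::]:80;
    server_name coolstore.com;

    # Fixed host name rather than $host, so the redirect target
    # cannot be steered by a client-supplied Host header.
    return 301 https://coolstore.com$request_uri;
}

# Port 443: TLS terminates on the proxy; this is the only path to the backend.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name coolstore.com;

    ssl_certificate     /etc/nginx/tls/coolstore.com.fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/coolstore.com.key.pem;        # placeholder path

    # Static files (the built React app) served directly by NGINX.
    root /var/www/coolstore;                                         # assumed location
    location / {
        try_files $uri /index.html;
    }

    # API requests are forwarded to the backend on port 3000.
    # The backend is assumed to bind to 127.0.0.1 only, so it is
    # unreachable except through this block.
    location /api {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

With this in place, the curl command from the question with `https` changed to `http` gets the 301 from NGINX and is never forwarded to port 3000. The redirect does not undo the plaintext request itself: any cookie or token in that first request has already crossed the network unencrypted.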