Nginx

Scriptkiddis, webshell and the like. How to protect yourself with reverse proxy (nginx, etc)?

It so happened that I had to understand a little about this topic.
I understand that various kinds of cms, such as joomla, wp and even 1c bitrix, are quite full of holes, especially when nginx, php, apache are configured incorrectly.
Even more worrying are 0day vulnerabilities, that is, vulnerabilities for which there is no "patch". More worrying is that this vulnerability could have been exploited for a long time before.
Simply, not so long ago I found an obfuscated php script, after a long and tedious deobfuscation, it turned out that this is a fairly advanced web shell classified by drweb as PHP.Shell.101
By the way, whoever decides to repeat my path, execution is possible not only through eval, but also through preg_replace /e, i.e., print|echo preg_replace /e will cause the code to be executed.
I understand that xss and mysql injections could be used.
In general, a question. Bydolkod is bad, but is it possible to at least partially protect against this using nginx, haproxy, naxi?