https://serverfault.com/questions/1033131/filter-to-only-pas...
Set proxy_pass_request_headers off, and then explicitly proxy_set_header each individual header you want to forward to the variable representing it in nginx config.
Or just use Cloudflare Tunnel, which gives you a bunch of other DDoS and abuse protection and keeps your app server off the public Internet.
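
A sketch of the header allowlist described in the comment above, as an added example that is not part of the original comment. The server name, the upstream address and the particular set of forwarded headers are assumptions chosen for illustration.

```nginx
# Added example: request-header allowlist for a reverse proxy.
# example.test and 127.0.0.1:8080 are placeholder values.
server {
    listen 80;
    server_name example.test;

    location / {
        proxy_pass http://127.0.0.1:8080;

        # Drop every client-supplied request header by default.
        proxy_pass_request_headers off;

        # Forward only the headers the application needs. A header the
        # client did not send expands to an empty string, and nginx does
        # not pass a proxy_set_header field whose value is empty.
        proxy_set_header Host            $host;
        proxy_set_header User-Agent      $http_user_agent;
        proxy_set_header Accept          $http_accept;
        proxy_set_header Accept-Language $http_accept_language;
        proxy_set_header Cookie          $http_cookie;
        proxy_set_header Authorization   $http_authorization;
        proxy_set_header Content-Type    $content_type;

        # Build the forwarding headers from nginx's own view of the
        # connection instead of copying client-sent values.
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because proxy_set_header directives are inherited from the enclosing level only when the current level defines none, keep the whole allowlist in one block so a later addition in a nested location does not silently discard it.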