nodejs app accessible on port 3000 behind nginx reverse proxy

If you can reach the port 3000 from the outside of the computer this means that you program your Node.js application in a way that the HTTP server is listening on all interfaces. This is not bad per se and by default you should program your applications in this way, because you can't anticipate future changes of the final deployment topology. Leave the responsibility of hiding the port from outside world to the firewall (iptables comes to mind here) as suggested by Oxi.

This way you don't need to change your code on the future to adapt it to a different deployment topology.

I for example has a similar case. I use Haproxy as load balancer and for SSL termination. But in my case Haproxy instance run on a different host for performance considerations. If in the development stage i have restricted my application to listen just for local connections then i will have to update my code once on development just to adapt to the new topology.

I hope this helps you.