Set Globals are temporary .. next time db server restarted/rebooted ... those are lost.
Ok to test with on a temp basis I guess.
How are these boxen networked? Reason asked ... Rackspace assigns 2 ip addresses to leased dedicated servers. A public - which is mapped in DNS to access apache. And a 10. IP ... not in DNS and used by support folks from RS. No rules that say you can't use the 10 dots. I had 5 RS servers Webmins linked via 10 dots.
Could do and have done same with DB server ... one client had courses offered to clients in China ... that box always had pokes and probes. For a test, set the DB server to a 10. on another RS server ... DB server there listened on 10. IP. No proxy ... no any special added in front of and possibly messing with security for DB.
What's purpose of Nginx Proxy ... basically to hide DB server.
You could do that in other ways!
As far as secure ... hmmmm .... newer versions of MySQL/MariaDB on could run under TLS ... all traffic encrypted.
No other host need access the DB server ... so in host table of the DB server allow only the public IP of the code server. Also on DB server restrict ssh access to a single IP (other than localhost) .... to that of the code server.
One way to find out of Nginx proxy is the problem .... turn it off!