You are right. I didn't know what canonical url:s where, but now I know. Yes there is in fact two servers. One server is running Apache with a website that has maybe 10 different DNS-domains pointing to it and then there is another server running IIS with lots of websites but usually only one DNS-domain pointing to each of them. The IIS server has a control panel software that enables customers to add both websites and DNS-records, so I don't want to change the configuration in my nginx proxy every time someone adds or changes something on that server, so there needs to be a bit of compromising.
I have very limited knowledge about how to configure and protect webservers and the reason all this is happening now, is that the IIS server has been hacked due to an old wordpress vulnerability in a plugin called revslider, so I have had to do things in a bit of a hurry. When I installed nginx i didn't know that it was revslider, so nginx didn't fix the problem, so the server got hacked once again. I have now installed modsecurity, which seems to have stopped the problem.
I am seriously considering using nginx plus, but it's not entirely my decision and my colleagues are already upset over all cost surrounding the web-servers at the moment.