
Protect rails backend servers from direct connections


This is the classic scheme for serving a Rails application: the frontend is Apache (nginx, etc.) on port 80, and the backend is a cluster of mongrel (thin, unicorn, etc.) servers on some other ports (for example 3000, 3001, 3002...).

How can I make the back-end servers allow only local (from the frontend) connections?


Solution

  • If you connect through a socket, you are sure to be local only.

    After that, you can tell some servers to accept only 127.0.0.0 requests. For example, with thin:

    thin start -a 127.0.0.1
    

    The -a option is:

    -a, --address HOST               bind to HOST address (default: 0.0.0.0)
    

    It is also good practice to add a firewall to block all connections from anywhere to your proxy port.
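
A way to verify the bind address after starting the backends, as an added example that is not part of the original answer: the function reads `ss -ltn` output and prints every backend port that is listening on something other than loopback. The function names, the port list and the sample `ss` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag backend listeners that are reachable from outside loopback.
# Reads `ss -ltn` output on stdin; backend ports are passed as arguments.
exposed_backends() {
    ports=" $* "
    awk -v ports="$ports" '
        $1 != "LISTEN" { next }                 # skip the header and other rows
        {
            la = $4                             # "Local Address:Port" column
            n = split(la, parts, ":")
            port = parts[n]                     # text after the last colon
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (index(ports, " " port " ") == 0) next   # not a backend port
            # Loopback: 127.0.0.0/8, IPv6 ::1, or IPv4-mapped 127.x
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
            print addr ":" port                 # bound to a non-loopback address
        }'
}

# Constructed sample of `ss -ltn` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       1024    127.0.0.1:3000      0.0.0.0:*
LISTEN  0       1024    0.0.0.0:3001        0.0.0.0:*
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*
LISTEN  0       1024    [::1]:3002          [::]:*
LISTEN  0       1024    *:3003              *:*
EOF
}

# Demo on the constructed sample; on a live host use:
#   ss -ltn | exposed_backends 3000 3001 3002
sample_ss_output | exposed_backends 3000 3001 3002 3003
```

Port 80 is ignored because it is the frontend; an empty result means every listed backend port is bound to loopback only.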