The simplest way to do this is by setting the config option of Mattermost to:
"ListenAddress": "localhost:8065",
This way you don't need to add any extra rules for Mattermost anywhere, since it can only be accessed locally, other than through the nginx proxy passing data to it.
No, it will not break anything; that is the exact purpose of proxying it with nginx.
In addition to the above, you will have to ensure that your nginx conf file is using localhost or 127.0.0.1 in its settings, like:
upstream backend {
    server 127.0.0.1:8065;
}
if you followed the Mattermost nginx guide.
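
One way to confirm the binding change took effect, added here as an example that is not part of the original answer: the function filters `ss -ltnH` output for listeners on port 8065 that are not bound to loopback. The function name `exposed_listeners` and both sample listings are constructed for illustration, and the column layout assumed is that of iproute2 `ss`.

```shell
#!/bin/sh
# Added example (not from the original answer).
# exposed_listeners PORT: reads `ss -ltnH` style lines on stdin and prints
# every local address listening on PORT that is NOT a loopback address.
# Live usage on the server:  ss -ltnH | exposed_listeners 8065
exposed_listeners() {
    awk -v port="$1" '
        {
            local_addr = $4                      # "Local Address:Port" column
            n = split(local_addr, parts, ":")
            if (parts[n] != port) next           # different port, ignore
            # Strip ":PORT" to get the bind host (handles [::] and [::1]).
            host = substr(local_addr, 1, length(local_addr) - length(port) - 1)
            if (host ~ /^127\./) next            # IPv4 loopback
            if (host == "[::1]") next            # IPv6 loopback
            if (host ~ /^\[::ffff:127\./) next   # IPv4-mapped loopback
            print local_addr                     # reachable from other hosts
        }'
}

# Constructed sample: Mattermost listening on all interfaces (":8065").
SAMPLE_BEFORE='LISTEN 0 511  0.0.0.0:443    0.0.0.0:*
LISTEN 0 4096 *:8065         *:*
LISTEN 0 128  0.0.0.0:18065  0.0.0.0:*'

# Constructed sample: after setting "ListenAddress": "localhost:8065".
SAMPLE_AFTER='LISTEN 0 511  0.0.0.0:443    0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8065 0.0.0.0:*
LISTEN 0 128  [::1]:8065     [::]:*'

echo "before: $(printf '%s\n' "$SAMPLE_BEFORE" | exposed_listeners 8065)"
echo "after:  $(printf '%s\n' "$SAMPLE_AFTER"  | exposed_listeners 8065)"
```

An empty result for port 8065 means only nginx, via the `127.0.0.1:8065` upstream, can reach Mattermost.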