How can I keep network routing internal?

I have a web server behind Nginx reverse proxy. When I access the server with a client from the same internal network via its secure URL, how can I ensure the traffic routing stays within the internal network. It makes no sense in my view for traffic to go outside, travel through public internet and and come back into the internal network.

There is a lot of information missing from your post.

I assume you mean that your webserver is accessed from the internet via a NATted address and the DNS records point to that public address. And you want to use the same DNS name when accessing the service from inside your LAN. Further, any discussion of this becomes a lot more complicated if your LAN has more than one IP subnet - so I'll assume that is not the case.

The additional complexity of the nginx reverse proxy is irrelevant to how you access the service from a browser. You simply want to connect to the service using the DNS name which points (albeit indrectly) at the proxy rather than the origin server.

Connections from inside your LAN will not go out onto the internet (unless there is something very wrong with your router). What should happen is that the request will go to the router and be sent back into the LAN. However it is conceivable that the router may have explicit ACLs configured and be lacking one to allow connection from your subnet to the pubnet addresses - in which case you simply won't be able to connect until you fix the omission. But that is a very unusual edge case.

Going via the router does mean that there is an extra network hop, adding maybe a millisecond of latency to network traffic. You're really not going to notice this. It does however mean that access to the service is dependent on the router functioning correctly, and the stats collection on the router may be impacted.

As others have said, it is common to use split DNS in such a scenario. You simply ensure that all clients on your LAN point to a DNS server which claims to be authoritative for the domain of your service.

A simpler, but less scalable solution is to just add an entry in hosts file of the clients to override the default DNS data.

Some more complex routers provide the facility to intercept and rewrite DNS packets entering the network to replace NATted addresses (Cisco call this technology DNS doctoring). But if this applies to your environmet, then you already have a team of network engineers on-site who will know how to provision this.

In the absence of any reason to do anything different, I suggest going with the first option and just bouncing the traffic off the router.

When I access the server with a client from the same internal network via its secure URL, how can I ensure the traffic routing stays within the internal network.

Simply use the server's private IP address for access and don't route that address through anything you don't want.

If you use the reverse proxy's public name to access the server you need to implement split-horizon/split-brain DNS on your DNS server for the private LAN. For queries from your private network, resolve the name to the web server's private IP address. For queries from the open Internet resolve as before.