Configuring nginx

Purpose

Guide engineers through configuring nginx for common web infrastructure needs: static file serving, reverse proxying backend applications, load balancing across multiple servers, SSL/TLS termination, caching, and performance optimization. Provides production-ready configurations with security best practices.

When to Use This Skill

Use when working with:

• Setting up web server for static sites or single-page applications
• Configuring reverse proxy for Node.js, Python, Ruby, or Go applications
• Implementing load balancing across multiple backend servers
• Terminating SSL/TLS for HTTPS traffic
• Adding caching layer for performance improvement
• Building API gateway functionality
• Protecting against DDoS with rate limiting
• Proxying WebSocket connections

Trigger phrases: "configure nginx", "nginx reverse proxy", "nginx load balancer", "enable SSL in nginx", "nginx performance tuning", "nginx caching", "nginx rate limiting"

Installation

Ubuntu/Debian:

sudo apt update && sudo apt install nginx -y
sudo systemctl enable nginx
sudo systemctl start nginx

RHEL/CentOS/Rocky:

sudo dnf install nginx -y
sudo systemctl enable nginx
sudo systemctl start nginx

Docker:

docker run -d -p 80:80 -v /path/to/config:/etc/nginx/conf.d nginx:alpine

Quick Start Examples

Static Website

Serve HTML/CSS/JS files from a directory:

server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/example.com/html;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~* \.(jpg|jpeg|png|gif|ico|css|js|woff2)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
    }
}

Enable site:

sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx

See

references/static-sites.md

for SPA configurations and advanced patterns.

Reverse Proxy

Proxy requests to a backend application server:

upstream app_backend {
    server 127.0.0.1:3000;
    keepalive 32;
}

server {
    listen 80;
    server_name app.example.com;

    location / {
        proxy_pass http://app_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
}

See

references/reverse-proxy.md

for WebSocket proxying and API gateway patterns.

SSL/TLS Configuration

Enable HTTPS with modern TLS configuration:

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    location / {
        try_files $uri $uri/ =404;
    }
}

server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}

See

references/ssl-tls-config.md

for complete TLS configuration and certificate setup.

Core Concepts

Configuration Structure

nginx uses hierarchical configuration contexts:

nginx.conf (global settings)
├── events { } (connection processing)
└── http { } (HTTP-level settings)
    └── server { } (virtual host)
        └── location { } (URL routing)

File locations:

• /etc/nginx/nginx.conf

  - Main configuration

• /etc/nginx/sites-available/

  - Available site configs

• /etc/nginx/sites-enabled/

  - Enabled sites (symlinks)

• /etc/nginx/conf.d/*.conf

  - Additional configs

• /etc/nginx/snippets/

  - Reusable config snippets

See

references/configuration-structure.md

for detailed anatomy.

Location Matching Priority

nginx evaluates location blocks in this order:

1. location = /exact

   - Exact match (highest priority)

2. location ^~ /prefix

   - Prefix match, stop searching

3. location ~ \.php$

   - Regex, case-sensitive

4. location ~* \.(jpg|png)$

   - Regex, case-insensitive

5. location /

   - Prefix match (lowest priority)

Example:

location = /api/status {
    return 200 "OK\n";
}

location ^~ /static/ {
    root /var/www;
}

location ~ \.php$ {
    fastcgi_pass unix:/var/run/php/php-fpm.sock;
}

location / {
    proxy_pass http://backend;
}

Essential Proxy Headers

When proxying to backends, preserve client information:

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

Create reusable snippet at

/etc/nginx/snippets/proxy-params.conf

and include with:

include snippets/proxy-params.conf;

Common Patterns

Load Balancing

Distribute traffic across multiple backend servers:

Round Robin (default):

upstream backend {
    server backend1.example.com:8080;
    server backend2.example.com:8080;
    server backend3.example.com:8080;
    keepalive 32;
}

server {
    listen 80;
    location / {
        proxy_pass http://backend;
        include snippets/proxy-params.conf;
    }
}

Least Connections:

upstream backend {
    least_conn;
    server backend1.example.com:8080;
    server backend2.example.com:8080;
}

IP Hash (sticky sessions):

upstream backend {
    ip_hash;
    server backend1.example.com:8080;
    server backend2.example.com:8080;
}

Health Checks:

upstream backend {
    server backend1.example.com:8080 max_fails=3 fail_timeout=30s;
    server backend2.example.com:8080 max_fails=3 fail_timeout=30s;
    server backup.example.com:8080 backup;
}

See

references/load-balancing.md

for weighted load balancing and advanced patterns.

WebSocket Proxying

Enable WebSocket connections by upgrading HTTP protocol:

upstream websocket_backend {
    server 127.0.0.1:3000;
}

server {
    listen 80;
    server_name ws.example.com;

    location / {
        proxy_pass http://websocket_backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;

        # Long timeouts for persistent connections
        proxy_connect_timeout 7d;
        proxy_send_timeout 7d;
        proxy_read_timeout 7d;
    }
}

Rate Limiting

Protect against abuse and DDoS attacks:

# In http context
http {
    limit_req_zone $binary_remote_addr zone=api_limit:10m rate=5r/s;
    limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
}

# In server context
server {
    listen 80;

    limit_req zone=api_limit burst=10 nodelay;
    limit_conn conn_limit 10;

    location /api/ {
        proxy_pass http://backend;
    }
}

See

references/security-hardening.md

for complete security configuration.

Performance Optimization

Worker Configuration:

# In main context
user www-data;
worker_processes auto;  # 1 per CPU core
worker_rlimit_nofile 65535;

events {
    worker_connections 4096;
    use epoll;
    multi_accept on;
}

Gzip Compression:

# In http context
gzip on;
gzip_vary on;
gzip_min_length 1024;
gzip_comp_level 6;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml;

Proxy Caching:

# Define cache zone
proxy_cache_path /var/cache/nginx/proxy
                 levels=1:2
                 keys_zone=app_cache:100m
                 max_size=1g
                 inactive=60m;

# Use in location
location / {
    proxy_cache app_cache;
    proxy_cache_valid 200 60m;
    proxy_cache_use_stale error timeout updating;
    add_header X-Cache-Status $upstream_cache_status;
    proxy_pass http://backend;
}

See

references/performance-tuning.md

for detailed optimization strategies.

Security Headers

Add essential security headers to protect against common vulnerabilities:

# Create /etc/nginx/snippets/security-headers.conf
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';" always;

Include in server blocks:

server {
    include snippets/security-headers.conf;
    # ... rest of config
}

Access Control

Restrict access by IP address:

server {
    listen 80;
    server_name admin.example.com;

    # Allow specific IPs
    allow 10.0.0.0/8;
    allow 203.0.113.0/24;

    # Deny all others
    deny all;

    location / {
        proxy_pass http://admin_backend;
    }
}

Decision Framework

Choose nginx for: Performance-critical workloads (10K+ connections), reverse proxy, load balancing, static file serving, modern application stacks.

Choose alternatives for: Apache (

.htaccess

, mod_php, legacy apps), Caddy (auto-HTTPS, simpler config), Traefik (dynamic containers), Envoy (service mesh).

Safety Checklist

Before deploying nginx configurations:

• Test configuration syntax:

  sudo nginx -t

• Use reload, not restart:

  sudo systemctl reload nginx

  (zero downtime)
• Check error logs:

  sudo tail -f /var/log/nginx/error.log

• Verify SSL/TLS:

  openssl s_client -connect domain:443 -servername domain

• Test externally:

  curl -I https://domain.com

• Monitor worker processes:

  ps aux | grep nginx

• Check open connections:

  netstat -an | grep :80 | wc -l

• Verify backend health:

  curl -I http://localhost:8080

Troubleshooting

Quick fixes: Test config (

sudo nginx -t

), check logs (

/var/log/nginx/error.log

), verify backend (

curl http://127.0.0.1:3000

).

Common errors: 502 (backend down), 504 (timeout - increase

proxy_read_timeout

), 413 (upload size - set

client_max_body_size

).

See

references/troubleshooting.md

for complete debugging guide.

Integration Points

Related Skills:

• implementing-tls - Certificate generation and automation (Let's Encrypt, cert-manager)
• load-balancing-patterns - Advanced load balancing architecture and decision frameworks
• deploying-applications - Application deployment strategies with nginx integration
• security-hardening - Complete server security beyond nginx-specific configuration
• configuring-firewalls - Firewall rules for HTTP/HTTPS access
• dns-management - DNS configuration for nginx virtual hosts
• kubernetes-operations - nginx Ingress Controller for Kubernetes

Additional Resources

Progressive Disclosure:

• references/installation-guide.md

  - Detailed installation for all platforms

• references/configuration-structure.md

  - Complete nginx.conf anatomy

• references/static-sites.md

  - Static hosting patterns (basic, SPA, PHP)

• references/reverse-proxy.md

  - Advanced proxy scenarios and API gateway patterns

• references/load-balancing.md

  - All algorithms, health checks, sticky sessions

• references/ssl-tls-config.md

  - Complete TLS configuration and certificate setup

• references/performance-tuning.md

  - Workers, caching, compression, buffers

• references/security-hardening.md

  - Rate limiting, headers, access control

• references/troubleshooting.md

  - Common errors and debugging techniques

Working Examples:

• examples/static-site/

  - Static website and SPA configurations

• examples/reverse-proxy/

  - Node.js, WebSocket, API gateway examples

• examples/load-balancing/

  - All load balancing algorithms

• examples/ssl-tls/

  - Modern TLS and mTLS configurations

• examples/performance/

  - High-traffic optimization and caching

• examples/security/

  - Rate limiting and security hardening

Reusable Snippets:

• snippets/ssl-modern.conf

  - Modern TLS configuration

• snippets/proxy-params.conf

  - Standard proxy headers

• snippets/security-headers.conf

  - OWASP security headers

• snippets/cache-static.conf

  - Static asset caching