Nginx
Production-ready Nginx configuration blocks for reverse proxy, SSL, rate limiting, security hardening, and performance tuning.
Run nginx -t to test your configuration before applying changes with systemctl reload nginx.
Basic Reverse Proxy
Forward incoming HTTP requests to a backend application (e.g., Node.js, Gunicorn, or any process listening on a local port). The proxy_set_header lines pass the original Host, client address and scheme to the backend; the Upgrade/Connection pair enables WebSocket proxying. Note that $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For the client already sent, so a backend that uses the header for logging or access decisions must read the last entry (the one nginx added), never the first, which is attacker-controlled.
server {
listen 80;
server_name example.com;
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
}
}
Force HTTPS Redirect
Redirect all HTTP traffic to HTTPS. Place this as a separate server block alongside your SSL block.
server {
listen 80;
server_name example.com www.example.com;
return 301 https://$host$request_uri;
}
SSL/TLS with Let's Encrypt
HTTPS server block using Certbot-issued certificates. Allows only TLSv1.2/1.3 and a short list of forward-secret AEAD cipher suites. Two caveats: ssl_ciphers governs TLS 1.2 only (TLS 1.3 suites come from OpenSSL's defaults unless set with ssl_conf_command Ciphersuites), and since nginx 1.25.1 the http2 parameter of listen is deprecated in favour of a separate http2 on; directive. Consider adding ssl_session_tickets off; as well, since nginx does not rotate ticket keys on its own.
server {
listen 443 ssl http2;
server_name example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
location / {
proxy_pass http://127.0.0.1:3000;
}
}
Rate Limiting
Limit requests to 10 per second per client IP. burst=20 nodelay lets up to 20 requests above the steady rate through immediately; anything beyond that is rejected with 429 (the default is 503, which limit_req_status overrides). Define the zone in the http{} block, then reference it inside server{} or location{}. $binary_remote_addr is the address of the TCP peer, so behind a load balancer or CDN every request shares one key (the balancer's address) unless the realip module is configured to recover the client address.
# In http {} block (nginx.conf or conf.d/):
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
# In server {} or location {} block:
location /api/ {
limit_req zone=api_limit burst=20 nodelay;
limit_req_status 429;
proxy_pass http://127.0.0.1:3000;
}
Security Headers
Add security-related HTTP response headers to protect against clickjacking, MIME sniffing, and information leakage. The legacy X-XSS-Protection filter has been removed from current browsers and "1; mode=block" introduced side channels in older ones, so it is set to 0 (disabled) here; real XSS mitigation comes from a Content-Security-Policy header. Send Strict-Transport-Security only from the HTTPS server block. Be aware that add_header directives are inherited from the enclosing level only when the current level defines none of its own, so a location that sets even one header must repeat the whole set.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "0" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
server_tokens off;
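The headers above kept in a snippet file and re-included wherever a location adds its own header, as an added example that is not part of the original page. It also adds a Content-Security-Policy, which the page's list does not carry. The snippet path, the CSP policy, the /static/ location and the document root are assumptions for illustration.

```nginx
# Added example, not from the original page. Paths and the CSP policy are
# assumptions for illustration.

# --- /etc/nginx/snippets/security-headers.conf ---
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
# CSP is the actual XSS control; frame-ancestors supersedes X-Frame-Options
# where supported. Deploy as Content-Security-Policy-Report-Only first if the
# application still depends on inline scripts.
add_header Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'" always;

# --- /etc/nginx/sites-available/example.com ---
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    server_tokens off;

    include snippets/security-headers.conf;    # path relative to the nginx prefix
    # HSTS is set here and not in the listen 80 block: browsers ignore it over
    # plain HTTP, and a redirect-only block has nothing to protect.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        # No add_header at this level, so every server-level header is inherited.
        proxy_pass http://127.0.0.1:3000;
    }

    location /static/ {
        root /var/www/example.com;             # assumption: static files served directly
        # A single add_header here discards all inherited ones, so the snippet
        # and HSTS have to be included again next to it.
        add_header Cache-Control "public, max-age=31536000, immutable";
        include snippets/security-headers.conf;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    }
}
```

After reloading, compare the headers on a proxied path and on a static path with curl -sI against each URL; both should carry X-Frame-Options, Content-Security-Policy and Strict-Transport-Security. If the static path is missing them, an add_header in that location has silently dropped the inherited set.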
Gzip Compression
Enable gzip compression to reduce response sizes. Place in the http{} block to apply globally. Typically reduces HTML/CSS/JS by 60-80%. text/html is always compressed once gzip is on and need not be listed in gzip_types. Compressing a response that mixes a secret (a CSRF token, a session identifier) with attacker-controlled input over TLS enables the BREACH attack; use gzip off; in the location that serves such responses.
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_min_length 1000;
gzip_types
text/plain
text/css
text/xml
text/javascript
application/json
application/javascript
application/xml+rss
image/svg+xml;
Block IP / Deny Access
Block specific IP addresses or CIDR ranges from accessing your server. allow and deny rules are checked in the order they appear and the first match wins, so list specific rules before the catch-all. For an allowlist, name the permitted ranges and end with deny all. Blocked clients receive 403. The rules match $remote_addr, so behind a load balancer they see the balancer's address unless the realip module is configured.
# In server {} or location {} block:
deny 192.168.1.100;
deny 10.0.0.0/8;
allow all;
# Or to whitelist-only (block everyone else):
allow 203.0.113.0/24;
deny all;
Nginx Quick CLI Reference
Common Nginx CLI commands for testing configs, reloading without downtime, and checking which config file is being used.
# Test configuration syntax
nginx -t
# Reload without downtime (graceful)
systemctl reload nginx
# Full restart
systemctl restart nginx
# Show the nginx version and build
nginx -V 2>&1 | head -1
# Show which config file is loaded
nginx -t 2>&1 | grep "configuration file"
# Tail error log live
tail -f /var/log/nginx/error.log
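The fragments from the reverse proxy, redirect, SSL/TLS, rate limiting, gzip and allow/deny sections assembled into one hardened site, as an added example that is not part of the original page. Relative to those fragments it changes four things: the backend only receives Connection: upgrade when the client actually requested a WebSocket, client addresses are recovered from a trusted load balancer before they feed limit_req and allow/deny, X-Forwarded-For is overwritten rather than appended so the backend cannot be handed a forged leading entry, and gzip is switched off on the login path. The upstream name app_backend, the load balancer range 10.0.0.0/8, the office range 203.0.113.0/24 and the /login and /admin/ paths are assumptions; the realip module is assumed to be compiled in, as it is in distribution packages. The response headers from the Security Headers section are not repeated here.

```nginx
# --- http {} level: nginx.conf or a file under conf.d/ ---
# Send "Connection: upgrade" to the backend only when the client asked for a
# WebSocket; plain requests get "Connection: close", as in the nginx docs.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Recover the client address from a trusted load balancer so that $remote_addr
# (and thus $binary_remote_addr in limit_req, and allow/deny) is the client.
set_real_ip_from 10.0.0.0/8;           # assumption: the load balancer's range
real_ip_header   X-Forwarded-For;
real_ip_recursive on;

# A general zone plus a much tighter one for credential endpoints.
limit_req_zone  $binary_remote_addr zone=api_limit:10m   rate=10r/s;
limit_req_zone  $binary_remote_addr zone=login_limit:10m rate=1r/s;
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;

upstream app_backend {                 # assumption: the app from the proxy section
    server 127.0.0.1:3000;
}

# --- server {} level: sites-available/example.com ---
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    http2 on;                          # nginx >= 1.25.1; older: listen 443 ssl http2;
    server_name example.com;
    server_tokens off;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 suites only; TLS 1.3 suites come from the OpenSSL defaults.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;           # nginx never rotates ticket keys on its own

    # HSTS only on the HTTPS server; "always" also covers error responses.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    limit_conn conn_limit 20;          # concurrent connections per client address

    location / {
        limit_req zone=api_limit burst=20 nodelay;
        limit_req_status 429;
        proxy_pass http://app_backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;
        # Overwrite instead of appending: the backend sees exactly one address,
        # the one nginx established, and cannot be fed a forged leading entry.
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_hide_header X-Powered-By;    # do not leak the backend framework
    }

    location = /login {                # assumption: the credential endpoint
        limit_req zone=login_limit burst=5;   # no nodelay: up to 5 are delayed, then 429
        limit_req_status 429;
        gzip off;                      # BREACH: secret plus reflected input over TLS
        proxy_pass http://app_backend;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /admin/ {                 # assumption: an allowlist-only path
        allow 203.0.113.0/24;          # first matching rule wins
        deny  all;                     # everyone else gets 403
        proxy_pass http://app_backend;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Each location repeats its proxy_set_header lines deliberately: like add_header, proxy_set_header is inherited only when the current level has none of its own. Validate with nginx -t before systemctl reload nginx, then confirm the rate limit is keyed on the real client by sending a burst from one address through the load balancer and checking that the 429s in the access log all carry that client's address rather than the balancer's.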