Nginx Configuration

Overview

Master Nginx configuration for production-grade web servers, reverse proxies, load balancing, SSL termination, caching, and API gateway patterns with advanced performance tuning.

When to Use

• Reverse proxy setup

• Load balancing between backend services

• SSL/TLS termination

• HTTP/2 and gRPC support

• Caching and compression

• Rate limiting and DDoS protection

• URL rewriting and routing

• API gateway functionality

Implementation Examples

1. Production Nginx Configuration

/etc/nginx/nginx.conf

user nginx; worker_processes auto; worker_rlimit_nofile 65535; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid;

events { worker_connections 4096; use epoll; multi_accept on; }

http { include /etc/nginx/mime.types; default_type application/octet-stream;

# Logging
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for"';

log_format upstream_time '$remote_addr - $remote_user [$time_local] '
                        '"$request" $status $body_bytes_sent '
                        '"$http_referer" "$http_user_agent" '
                        'rt=$request_time uct="$upstream_connect_time" '
                        'uht="$upstream_header_time" urt="$upstream_response_time"';

access_log /var/log/nginx/access.log upstream_time buffer=32k flush=5s;

# Performance optimizations
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
client_max_body_size 20M;

# Gzip compression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml text/javascript
           application/json application/javascript application/xml+rss
           application/rss+xml application/atom+xml image/svg+xml;
gzip_disable "msie6";

# Rate limiting
limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=api:10m rate=100r/m;
limit_conn_zone $binary_remote_addr zone=connections:10m;

# Upstream servers
upstream backend {
    least_conn;
    server backend1.internal:8080 weight=5 max_fails=3 fail_timeout=30s;
    server backend2.internal:8080 weight=5 max_fails=3 fail_timeout=30s;
    server backend3.internal:8080 weight=3 max_fails=3 fail_timeout=30s;
    keepalive 32;
}

upstream api_backend {
    least_conn;
    server api1.internal:3000;
    server api2.internal:3000;
    server api3.internal:3000;
    keepalive 64;
}

# Caching
proxy_cache_path /var/cache/nginx/general levels=1:2 keys_zone=general_cache:10m max_size=1g inactive=60m use_temp_path=off;
proxy_cache_path /var/cache/nginx/api levels=1:2 keys_zone=api_cache:10m max_size=500m inactive=30m use_temp_path=off;

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;

}

2. HTTPS Server with Load Balancing

/etc/nginx/sites-available/myapp

server { listen 80; server_name myapp.com www.myapp.com; return 301 https://$server_name$request_uri; }

server { listen 443 ssl http2; server_name myapp.com www.myapp.com;

# SSL Configuration
ssl_certificate /etc/ssl/certs/myapp.com.crt;
ssl_certificate_key /etc/ssl/private/myapp.com.key;
ssl_trusted_certificate /etc/ssl/certs/ca-bundle.crt;

# SSL Security
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_stapling on;
ssl_stapling_verify on;

# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# Root and logging
root /var/www/myapp;
access_log /var/log/nginx/myapp.access.log upstream_time;
error_log /var/log/nginx/myapp.error.log warn;

# Rate limiting
limit_req zone=general burst=20 nodelay;
limit_conn connections 10;

# Proxy settings
location / {
    limit_req zone=general burst=20 nodelay;

    proxy_pass http://backend;
    proxy_http_version 1.1;

    # Headers
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Connection "";

    # Timeouts
    proxy_connect_timeout 60s;
    proxy_send_timeout 60s;
    proxy_read_timeout 60s;

    # Caching
    proxy_cache general_cache;
    proxy_cache_valid 200 60m;
    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
    add_header X-Cache-Status $upstream_cache_status;
}

# API endpoint with different caching
location /api/ {
    limit_req zone=api burst=10 nodelay;

    proxy_pass http://api_backend;
    proxy_http_version 1.1;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Cache only GET requests
    proxy_cache api_cache;
    proxy_cache_methods GET HEAD;
    proxy_cache_valid 200 30m;
    proxy_cache_key "$scheme$request_method$host$request_uri";

    # Don't cache if authenticated
    proxy_no_cache $http_authorization;
}

# Static files with long caching
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
    expires 365d;
    add_header Cache-Control "public, immutable";
    access_log off;
}

# Health check endpoint
location /health {
    access_log off;
    return 200 "healthy\n";
    add_header Content-Type text/plain;
}

# Metrics endpoint
location /metrics {
    deny all;
}

}

3. Nginx Configuration Script

#!/bin/bash

nginx-deploy.sh - Deploy and validate Nginx configuration

set -euo pipefail

echo "Deploying Nginx configuration..."

Test configuration

echo "Testing Nginx configuration..." nginx -t

Check if running

if pgrep -x nginx > /dev/null; then echo "Reloading Nginx..." systemctl reload nginx else echo "Starting Nginx..." systemctl start nginx fi

Verify

echo "Verifying deployment..." sleep 2

Check service status

if systemctl is-active --quiet nginx; then echo "Nginx is running" else echo "ERROR: Nginx failed to start" systemctl status nginx exit 1 fi

Test connectivity

echo "Testing endpoints..." curl -k https://localhost/health || echo "Warning: Health check failed"

Log status

echo "Nginx configuration deployed successfully" journalctl -u nginx -n 20 --no-pager

4. Nginx Monitoring Configuration

/etc/nginx/conf.d/monitoring.conf

server { listen 127.0.0.1:8080; server_name localhost;

# Stub status for monitoring
location /nginx_status {
    stub_status on;
    access_log off;
    allow 127.0.0.1;
    allow ::1;
    deny all;
}

# Prometheus metrics
location /metrics {
    access_log off;
    proxy_pass http://127.0.0.1:8081/metrics;
    allow 127.0.0.1;
    allow ::1;
    deny all;
}

}

Best Practices

✅ DO

• Use HTTP/2 for performance

• Enable SSL/TLS with strong ciphers

• Implement proper caching strategies

• Use upstream connection pooling

• Monitor with stub_status or prometheus

• Rate limit to prevent abuse

• Add security headers

• Use least_conn load balancing

• Keep error logs separate from access logs

❌ DON'T

• Disable gzip compression

• Use weak SSL ciphers

• Cache authenticated responses

• Allow direct access to backends

• Ignore upstream health checks

• Mix HTTP and HTTPS without redirect

• Use default error pages in production

• Cache sensitive user data

Common Commands

nginx -t # Test configuration systemctl reload nginx # Reload without drop systemctl restart nginx # Full restart tail -f /var/log/nginx/access.log # Monitor access curl localhost:8080/nginx_status # Check status

Resources

• Nginx Official Documentation

• Nginx HTTP Performance Tuning

• Nginx SSL Configuration

• Mozilla SSL Configuration Generator