---
title: "nginx"
lastmod: "2025-08-28"
res:
- Home: https://nginx.org/en/index.html
- Wikipedia: https://en.wikipedia.org/wiki/Nginx
---
nginx is a powerful and flexible web server that can also be used as a reverse proxy. This page covers common configuration steps and tips for serving a working website.
<!--more-->
## Configuration
All configuration happens in the `/etc/nginx` directory. Global configuration is in `nginx.conf`, but other files may be included with the `include` directive. A common use case for this is having every site in a separate file to be included.
### Global server setup
Below is an example of a functional global configuration to be put in `nginx.conf`.
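```nginx
user nginx nginx;
worker_processes auto;
worker_rlimit_nofile 4096;

events {
    worker_connections 1024;
    use epoll;
}

http {
    include mime.types;
    default_type application/octet-stream;
    charset utf-8;

    # Do not advertise the nginx version in headers and error pages
    server_tokens off;

    # Named format referenced by the per-site access_log directives
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent"';

    sendfile on;
    sendfile_max_chunk 1M;
    tcp_nopush on;

    gzip off;

    # One file per site
    include http.d/*.conf;
}
```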
Options such as gzip support may be enabled, but are not required for a functional server. The `include` statement makes it easier to add new sites to the server, simply by creating a new file in the `http.d` directory.
### Simple static site
Below is a server that simply serves static files from a root directory.
```nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name host.tld;

    ssl_certificate /etc/ssl/nginx/host.tld.pem;
    ssl_certificate_key /etc/ssl/nginx/host.tld.key;

    root /var/www/host.tld/htdocs;

    access_log /var/log/nginx/host.tld.access.log main;
    error_log /var/log/nginx/host.tld.error.log info;
}
```
### Reverse proxying
When running a (public) web service, it is wise to put nginx in front of it and proxy the traffic to the internal server: primarily for load balancing, but it can also be an extra layer of security.
nginx can proxy servers listening on both TCP and UNIX sockets. The example below shows a working site configuration for proxying a [Miniflux](https://miniflux.app/) server listening on a UNIX socket.
```nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name host.tld;

    ssl_certificate /etc/ssl/nginx/host.tld.pem;
    ssl_certificate_key /etc/ssl/nginx/host.tld.key;

    location / {
        proxy_pass http://unix:/run/miniflux/miniflux.sock;
        include conf.d/proxy.conf;
    }

    access_log /var/log/nginx/host.tld.access.log main;
    error_log /var/log/nginx/host.tld.error.log info;
}
```
Ensure you have the following in `conf.d/proxy.conf` to be able to share common proxy options between all of your sites:
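```nginx
# The Upgrade/Connection headers below only work over HTTP/1.1 to the upstream
proxy_http_version 1.1;

# Pass the original Host header and allow protocol upgrades (e.g. WebSocket)
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";

# Tell the backend who the client is and which scheme it used
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

# Stream request bodies to the backend and leave its redirects untouched
proxy_request_buffering off;
proxy_redirect off;
```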
Some applications may require these options to be tweaked, but this set covers most cases.
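How a backend behind this `proxy.conf` should read `X-Forwarded-For`, as an added example that is not part of the original page: `$proxy_add_x_forwarded_for` appends `$remote_addr` to whatever value the client sent, so only the right-most entries can be trusted. The function names, the trusted-proxy list and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress


def proxy_add_x_forwarded_for(client_header, remote_addr):
    """Model of nginx's $proxy_add_x_forwarded_for: the client-supplied
    X-Forwarded-For value with $remote_addr appended, or $remote_addr alone."""
    return f"{client_header}, {remote_addr}" if client_header else remote_addr


def naive_client_ip(xff):
    """Left-most entry: fully controlled by the client, shown for contrast."""
    return xff.split(",")[0].strip()


def client_ip(xff, trusted_proxies=()):
    """Return the right-most entry that is not one of our own proxies.

    Entries are read right to left because only the entries appended by our
    own proxies are trustworthy; everything further left came from the client.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    for raw in reversed(xff.split(",")):
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            return None  # malformed entry where a real address is expected
        if not any(addr in net for net in nets):
            return str(addr)
    return None  # every hop was a trusted proxy, no client address present


if __name__ == "__main__":
    # Constructed sample: the client connects from 203.0.113.7 and sends its
    # own "X-Forwarded-For: 127.0.0.1" header to pose as localhost.
    header = proxy_add_x_forwarded_for("127.0.0.1", "203.0.113.7")
    print("header sent to backend:", header)
    print("left-most entry       :", naive_client_ip(header))
    print("right-most untrusted  :", client_ip(header))

    # Constructed sample: a load balancer in 10.0.0.0/8 sits in front of nginx.
    chained = "198.51.100.9, 203.0.113.7, 10.0.0.5"
    print("behind a load balancer:", client_ip(chained, ["10.0.0.0/8"]))
```

With this configuration `X-Real-IP` always carries `$remote_addr`, so a backend with nginx as its only proxy can use that header directly.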
### Tip: Redirecting HTTP to HTTPS automatically
In the modern age, browsing the web with TLS is the standard, and certificates are both free and ubiquitous. For that reason, you are encouraged to serve your web content only over HTTPS. You can automatically redirect a site listening on HTTP to HTTPS with the following `server` block:
```nginx
server {
    listen 80;
    listen [::]:80;
    server_name host.tld;

    return 301 https://$host$request_uri;
}
```
### Tip: Compressing with gzip
You can improve the performance of your web server by compressing the responses it sends with gzip. Below is a configuration that covers a wide variety of uses; it goes in your global `http` block inside `nginx.conf`:
```nginx
http {
    # ...
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_types
        application/atom+xml
        application/geo+json
        application/javascript
        application/x-javascript
        application/json
        application/ld+json
        application/manifest+json
        application/rdf+xml
        application/rss+xml
        application/xhtml+xml
        application/xml
        font/eot
        font/otf
        font/ttf
        image/svg+xml
        text/css
        text/javascript
        text/plain
        text/xml;
    # ...
}
```
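Note that `text/html` is always compressed, so there is no need to add it to `gzip_types`. Compressing HTTPS responses that mix secrets with request-controlled input is what the BREACH attack depends on, so consider leaving gzip off for such dynamic responses.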
## External resources
* [https://wiki.gentoo.org/wiki/Nginx](https://wiki.gentoo.org/wiki/Nginx)