Get the FREE Ultimate OpenClaw Setup Guide →

configuring-nginx

Scanned
npx machina-cli add skill ancoleman/ai-design-components/configuring-nginx --openclaw
Files (1)
SKILL.md
12.6 KB

Configuring nginx

Purpose

Guide engineers through configuring nginx for common web infrastructure needs: static file serving, reverse proxying backend applications, load balancing across multiple servers, SSL/TLS termination, caching, and performance optimization. Provides production-ready configurations with security best practices.

When to Use This Skill

Use when working with:

  • Setting up web server for static sites or single-page applications
  • Configuring reverse proxy for Node.js, Python, Ruby, or Go applications
  • Implementing load balancing across multiple backend servers
  • Terminating SSL/TLS for HTTPS traffic
  • Adding caching layer for performance improvement
  • Building API gateway functionality
  • Protecting against DDoS with rate limiting
  • Proxying WebSocket connections

Trigger phrases: "configure nginx", "nginx reverse proxy", "nginx load balancer", "enable SSL in nginx", "nginx performance tuning", "nginx caching", "nginx rate limiting"

Installation

Ubuntu/Debian:

sudo apt update && sudo apt install nginx -y
sudo systemctl enable nginx
sudo systemctl start nginx

RHEL/CentOS/Rocky:

sudo dnf install nginx -y
sudo systemctl enable nginx
sudo systemctl start nginx

Docker:

docker run -d -p 80:80 -v /path/to/config:/etc/nginx/conf.d nginx:alpine

Quick Start Examples

Static Website

Serve HTML/CSS/JS files from a directory:

server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/example.com/html;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~* \.(jpg|jpeg|png|gif|ico|css|js|woff2)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
    }
}

Enable site:

sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx

See references/static-sites.md for SPA configurations and advanced patterns.

Reverse Proxy

Proxy requests to a backend application server:

upstream app_backend {
    server 127.0.0.1:3000;
    keepalive 32;
}

server {
    listen 80;
    server_name app.example.com;

    location / {
        proxy_pass http://app_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
}

See references/reverse-proxy.md for WebSocket proxying and API gateway patterns.

SSL/TLS Configuration

Enable HTTPS with modern TLS configuration:

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    location / {
        try_files $uri $uri/ =404;
    }
}

server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}

See references/ssl-tls-config.md for complete TLS configuration and certificate setup.

Core Concepts

Configuration Structure

nginx uses hierarchical configuration contexts:

nginx.conf (global settings)
├── events { } (connection processing)
└── http { } (HTTP-level settings)
    └── server { } (virtual host)
        └── location { } (URL routing)

File locations:

  • /etc/nginx/nginx.conf - Main configuration
  • /etc/nginx/sites-available/ - Available site configs
  • /etc/nginx/sites-enabled/ - Enabled sites (symlinks)
  • /etc/nginx/conf.d/*.conf - Additional configs
  • /etc/nginx/snippets/ - Reusable config snippets

See references/configuration-structure.md for detailed anatomy.

Location Matching Priority

nginx evaluates location blocks in this order:

  1. location = /exact - Exact match (highest priority)
  2. location ^~ /prefix - Prefix match, stop searching
  3. location ~ \.php$ - Regex, case-sensitive
  4. location ~* \.(jpg|png)$ - Regex, case-insensitive
  5. location / - Prefix match (lowest priority)

Example:

location = /api/status {
    return 200 "OK\n";
}

location ^~ /static/ {
    root /var/www;
}

location ~ \.php$ {
    fastcgi_pass unix:/var/run/php/php-fpm.sock;
}

location / {
    proxy_pass http://backend;
}

Essential Proxy Headers

When proxying to backends, preserve client information:

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

Create reusable snippet at /etc/nginx/snippets/proxy-params.conf and include with:

include snippets/proxy-params.conf;

Common Patterns

Load Balancing

Distribute traffic across multiple backend servers:

Round Robin (default):

upstream backend {
    server backend1.example.com:8080;
    server backend2.example.com:8080;
    server backend3.example.com:8080;
    keepalive 32;
}

server {
    listen 80;
    location / {
        proxy_pass http://backend;
        include snippets/proxy-params.conf;
    }
}

Least Connections:

upstream backend {
    least_conn;
    server backend1.example.com:8080;
    server backend2.example.com:8080;
}

IP Hash (sticky sessions):

upstream backend {
    ip_hash;
    server backend1.example.com:8080;
    server backend2.example.com:8080;
}

Health Checks:

upstream backend {
    server backend1.example.com:8080 max_fails=3 fail_timeout=30s;
    server backend2.example.com:8080 max_fails=3 fail_timeout=30s;
    server backup.example.com:8080 backup;
}

See references/load-balancing.md for weighted load balancing and advanced patterns.

WebSocket Proxying

Enable WebSocket connections by upgrading HTTP protocol:

upstream websocket_backend {
    server 127.0.0.1:3000;
}

server {
    listen 80;
    server_name ws.example.com;

    location / {
        proxy_pass http://websocket_backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;

        # Long timeouts for persistent connections
        proxy_connect_timeout 7d;
        proxy_send_timeout 7d;
        proxy_read_timeout 7d;
    }
}

Rate Limiting

Protect against abuse and DDoS attacks:

# In http context
http {
    limit_req_zone $binary_remote_addr zone=api_limit:10m rate=5r/s;
    limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
}

# In server context
server {
    listen 80;

    limit_req zone=api_limit burst=10 nodelay;
    limit_conn conn_limit 10;

    location /api/ {
        proxy_pass http://backend;
    }
}

See references/security-hardening.md for complete security configuration.

Performance Optimization

Worker Configuration:

# In main context
user www-data;
worker_processes auto;  # 1 per CPU core
worker_rlimit_nofile 65535;

events {
    worker_connections 4096;
    use epoll;
    multi_accept on;
}

Gzip Compression:

# In http context
gzip on;
gzip_vary on;
gzip_min_length 1024;
gzip_comp_level 6;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml;

Proxy Caching:

# Define cache zone
proxy_cache_path /var/cache/nginx/proxy
                 levels=1:2
                 keys_zone=app_cache:100m
                 max_size=1g
                 inactive=60m;

# Use in location
location / {
    proxy_cache app_cache;
    proxy_cache_valid 200 60m;
    proxy_cache_use_stale error timeout updating;
    add_header X-Cache-Status $upstream_cache_status;
    proxy_pass http://backend;
}

See references/performance-tuning.md for detailed optimization strategies.

Security Headers

Add essential security headers to protect against common vulnerabilities:

# Create /etc/nginx/snippets/security-headers.conf
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';" always;

Include in server blocks:

server {
    include snippets/security-headers.conf;
    # ... rest of config
}

Access Control

Restrict access by IP address:

server {
    listen 80;
    server_name admin.example.com;

    # Allow specific IPs
    allow 10.0.0.0/8;
    allow 203.0.113.0/24;

    # Deny all others
    deny all;

    location / {
        proxy_pass http://admin_backend;
    }
}

Decision Framework

Choose nginx for: Performance-critical workloads (10K+ connections), reverse proxy, load balancing, static file serving, modern application stacks.

Choose alternatives for: Apache (.htaccess, mod_php, legacy apps), Caddy (auto-HTTPS, simpler config), Traefik (dynamic containers), Envoy (service mesh).

Safety Checklist

Before deploying nginx configurations:

  • Test configuration syntax: sudo nginx -t
  • Use reload, not restart: sudo systemctl reload nginx (zero downtime)
  • Check error logs: sudo tail -f /var/log/nginx/error.log
  • Verify SSL/TLS: openssl s_client -connect domain:443 -servername domain
  • Test externally: curl -I https://domain.com
  • Monitor worker processes: ps aux | grep nginx
  • Check open connections: netstat -an | grep :80 | wc -l
  • Verify backend health: curl -I http://localhost:8080

Troubleshooting

Quick fixes: Test config (sudo nginx -t), check logs (/var/log/nginx/error.log), verify backend (curl http://127.0.0.1:3000).

Common errors: 502 (backend down), 504 (timeout - increase proxy_read_timeout), 413 (upload size - set client_max_body_size).

See references/troubleshooting.md for complete debugging guide.

Integration Points

Related Skills:

  • implementing-tls - Certificate generation and automation (Let's Encrypt, cert-manager)
  • load-balancing-patterns - Advanced load balancing architecture and decision frameworks
  • deploying-applications - Application deployment strategies with nginx integration
  • security-hardening - Complete server security beyond nginx-specific configuration
  • configuring-firewalls - Firewall rules for HTTP/HTTPS access
  • dns-management - DNS configuration for nginx virtual hosts
  • kubernetes-operations - nginx Ingress Controller for Kubernetes

Additional Resources

Progressive Disclosure:

  • references/installation-guide.md - Detailed installation for all platforms
  • references/configuration-structure.md - Complete nginx.conf anatomy
  • references/static-sites.md - Static hosting patterns (basic, SPA, PHP)
  • references/reverse-proxy.md - Advanced proxy scenarios and API gateway patterns
  • references/load-balancing.md - All algorithms, health checks, sticky sessions
  • references/ssl-tls-config.md - Complete TLS configuration and certificate setup
  • references/performance-tuning.md - Workers, caching, compression, buffers
  • references/security-hardening.md - Rate limiting, headers, access control
  • references/troubleshooting.md - Common errors and debugging techniques

Working Examples:

  • examples/static-site/ - Static website and SPA configurations
  • examples/reverse-proxy/ - Node.js, WebSocket, API gateway examples
  • examples/load-balancing/ - All load balancing algorithms
  • examples/ssl-tls/ - Modern TLS and mTLS configurations
  • examples/performance/ - High-traffic optimization and caching
  • examples/security/ - Rate limiting and security hardening

Reusable Snippets:

  • snippets/ssl-modern.conf - Modern TLS configuration
  • snippets/proxy-params.conf - Standard proxy headers
  • snippets/security-headers.conf - OWASP security headers
  • snippets/cache-static.conf - Static asset caching

Source

git clone https://github.com/ancoleman/ai-design-components/blob/main/skills/configuring-nginx/SKILL.mdView on GitHub

Overview

This skill guides engineers through configuring nginx for static file serving, reverse proxying backend apps, load balancing, and SSL/TLS termination. It delivers production-ready patterns with modern security practices like TLS 1.3, rate limiting, and security headers to harden web infrastructure.

How This Skill Works

Nginx uses hierarchical configuration contexts (global, http, server) and upstream blocks to define load-balanced backends. It demonstrates static site serving, reverse proxying to backend services, and TLS termination with secure headers and caching rules to optimize performance.

When to Use It

  • Setting up a web server for static sites or single-page applications
  • Configuring a reverse proxy for backend apps (Node.js, Python, Ruby, Go)
  • Implementing load balancing across multiple backend servers
  • Terminating SSL/TLS for HTTPS traffic with TLS 1.3
  • Adding caching, rate limiting, and WebSocket proxying for APIs

Quick Start

  1. Step 1: Install nginx, enable and start the service on your OS
  2. Step 2: Add upstream and server blocks for your app or static site, then test with nginx -t
  3. Step 3: Configure TLS, security headers, and optional rate limiting, then reload nginx

Best Practices

  • Use upstream blocks for load balancing and keepalive to backend servers
  • Enable TLS 1.3, secure defaults, HSTS, and HTTP/2 where possible
  • Serve static assets with long cache durations and immutable headers
  • Implement rate limiting and basic request filtering to mitigate abuse
  • Test configurations with nginx -t and reload safely, monitoring logs

Example Use Cases

  • Static site hosting with a cache-friendly asset strategy
  • Reverse proxy setup for a Node.js backend preserving client IP
  • HTTPS termination with Let's Encrypt and automated renewals
  • Load-balanced backend pool with health checks and failover
  • API gateway-style routing with WebSocket support and rate limiting

Frequently Asked Questions

Add this skill to your agents
Sponsor this space

Reach thousands of developers