nginx
npx machina-cli add skill chaterm/terminal-skills/nginx --openclaw
Nginx Configuration and Optimization
Overview
Nginx web server configuration, reverse proxy, load balancing, performance optimization and other skills.
Basic Management
Service Control
```bash
# Start/Stop services
systemctl start nginx
systemctl stop nginx
systemctl restart nginx
systemctl reload nginx    # Graceful reload config

# Configuration test
nginx -t
nginx -T    # Test and print config
```
Configuration Files
```text
# Main configuration file
/etc/nginx/nginx.conf

# Site configuration
/etc/nginx/conf.d/*.conf
/etc/nginx/sites-available/
/etc/nginx/sites-enabled/

# Log files
/var/log/nginx/access.log
/var/log/nginx/error.log
```
Basic Configuration
Static Website
```nginx
server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/html;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }

    # Static resource caching
    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
        expires 30d;
        add_header Cache-Control "public, immutable";
    }
}
```
HTTPS Configuration
```nginx
server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;

    # SSL optimization
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # HSTS
    add_header Strict-Transport-Security "max-age=31536000" always;
}

# HTTP redirect to HTTPS
server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}
```
Reverse Proxy
Basic Proxy
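```nginx
server {
    listen 80;
    server_name api.example.com;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        # Peer address as seen by nginx
        proxy_set_header X-Real-IP $remote_addr;
        # Appends $remote_addr to any X-Forwarded-For value the client sent;
        # the backend should trust only the entry added here
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```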
WebSocket Proxy
```nginx
location /ws {
    proxy_pass http://127.0.0.1:3000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_read_timeout 86400;
}
```
Load Balancing
Basic Configuration
```nginx
upstream backend {
    server 192.168.1.10:8080 weight=3;
    server 192.168.1.11:8080 weight=2;
    server 192.168.1.12:8080 backup;
}

server {
    listen 80;

    location / {
        proxy_pass http://backend;
        proxy_next_upstream error timeout http_500;
    }
}
```
Load Balancing Strategies
```nginx
# Round Robin (default)
upstream backend {
    server 192.168.1.10:8080;
    server 192.168.1.11:8080;
}

# IP Hash (session persistence)
upstream backend {
    ip_hash;
    server 192.168.1.10:8080;
    server 192.168.1.11:8080;
}

# Least Connections
upstream backend {
    least_conn;
    server 192.168.1.10:8080;
    server 192.168.1.11:8080;
}

# Health Check (passive: a server is skipped for fail_timeout after max_fails failed attempts)
upstream backend {
    server 192.168.1.10:8080 max_fails=3 fail_timeout=30s;
    server 192.168.1.11:8080 max_fails=3 fail_timeout=30s;
}
```
Performance Optimization
Basic Optimization
```nginx
# nginx.conf
worker_processes auto;
worker_rlimit_nofile 65535;

events {
    worker_connections 65535;
    use epoll;
    multi_accept on;
}

http {
    # File transfer optimization
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    # Timeout settings
    keepalive_timeout 65;
    client_body_timeout 12;
    client_header_timeout 12;
    send_timeout 10;

    # Buffer settings
    client_body_buffer_size 10K;
    client_header_buffer_size 1k;
    client_max_body_size 8m;
    large_client_header_buffers 4 32k;
}
```
Gzip Compression
```nginx
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_min_length 1000;
gzip_types text/plain text/css text/xml application/json application/javascript application/xml;
```
Common Scenarios
Scenario 1: PHP-FPM Configuration
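```nginx
server {
    listen 80;
    server_name example.com;
    root /var/www/html;
    index index.php index.html;

    location ~ \.php$ {
        # Return 404 for .php URIs that do not map to a real file
        # instead of passing them to PHP-FPM
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```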
Scenario 2: Rate Limiting
```nginx
# Define rate limit zone
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;

server {
    location /api/ {
        limit_req zone=api burst=20 nodelay;
        proxy_pass http://backend;
    }
}
```
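With the `api` zone above, requests beyond the burst are rejected and nginx records each rejection in the error log. The following is an added example (not part of the original skill) that tallies those rejections per client; the function name `top_limited` and the sample log lines are constructed for illustration.

```bash
# top_limited ZONE [MIN]: read nginx error-log lines on stdin and print "count client"
# for each client rejected at least MIN times by limit_req zone ZONE, busiest first.
top_limited() {
    awk -v zone="$1" -v min="${2:-1}" '
        # Rejections are logged as: limiting requests, excess: N by zone "NAME", client: IP, ...
        # Requests that are only delayed log "delaying request" and are not counted.
        index($0, "limiting requests") && index($0, "by zone \"" zone "\"") {
            if (match($0, /client: [^,]+/))
                hits[substr($0, RSTART + 8, RLENGTH - 8)]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines in the error_log format (documentation IP ranges).
sample_log() {
cat <<'EOF'
2024/05/01 10:00:01 [error] 812#812: *101 limiting requests, excess: 20.400 by zone "api", client: 203.0.113.7, server: api.example.com, request: "GET /api/items HTTP/1.1", host: "api.example.com"
2024/05/01 10:00:01 [error] 812#812: *102 limiting requests, excess: 20.900 by zone "api", client: 203.0.113.7, server: api.example.com, request: "GET /api/items HTTP/1.1", host: "api.example.com"
2024/05/01 10:00:02 [error] 812#812: *103 limiting requests, excess: 20.120 by zone "api", client: 198.51.100.23, server: api.example.com, request: "POST /api/login HTTP/1.1", host: "api.example.com"
2024/05/01 10:00:02 [error] 812#812: *104 limiting requests, excess: 20.650 by zone "api", client: 203.0.113.7, server: api.example.com, request: "GET /api/items HTTP/1.1", host: "api.example.com"
2024/05/01 10:00:03 [error] 812#812: *105 connect() failed (111: Connection refused) while connecting to upstream, client: 198.51.100.23, server: api.example.com, request: "GET /api/items HTTP/1.1", upstream: "http://192.168.1.10:8080/api/items", host: "api.example.com"
EOF
}

# Clients rejected at least twice by zone "api"
sample_log | top_limited api 2
```

On a live host, feed it the real log instead: `top_limited api 50 < /var/log/nginx/error.log`.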
Scenario 3: Access Control
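```nginx
location /admin {
    # With the default "satisfy all", a client must match the allow list
    # and also pass basic auth
    allow 192.168.1.0/24;
    deny all;
    auth_basic "Admin Area";
    auth_basic_user_file /etc/nginx/.htpasswd;
}
```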
Troubleshooting
| Problem | Solution |
|---|---|
| Configuration error | nginx -t to test config |
| 502 Bad Gateway | Check backend service, upstream config |
| 504 Gateway Timeout | Increase proxy_read_timeout |
| Permission issues | Check file permissions, SELinux |
| Performance issues | Check worker_connections, log analysis |
Source
git clone https://github.com/chaterm/terminal-skills/blob/main/server/nginx/SKILL.md
Overview
This skill covers configuring Nginx for static sites, HTTPS, reverse proxying, WebSocket support, and load balancing, plus performance tuning and security hardening. You’ll learn to manage Nginx using its core configuration files, test changes safely, and deploy production-grade setups with reliable logging and metrics.
How This Skill Works
You operate Nginx by editing configuration files (primarily nginx.conf and per-site blocks under /etc/nginx/sites-available or /etc/nginx/conf.d). You enable a site by symlinking it into sites-enabled, then reload the service gracefully to apply the change. For proxying or load balancing, you define upstream groups and proxy_pass directives, and you tune worker processes, event settings, and HTTP directives to optimize throughput and latency. TLS is configured in server blocks, with performance and security options such as HTTP/2, ciphers, and HSTS. You can test a configuration with nginx -t and print it with nginx -T, then reload without dropping connections.
When to Use It
- When you need to serve a static website with efficient caching and minimal overhead.
- When you want to terminate TLS at the web server and redirect HTTP to HTTPS.
- When you act as a reverse proxy or API gateway to backend services (including WebSocket support).
- When you implement load balancing across multiple backend servers with health checks and session persistence.
- When you require performance tuning (worker processes, timeouts, buffering, gzip) to handle high traffic.
Quick Start
- Install Nginx on your host.
- Create a basic site config under /etc/nginx/sites-available/example.conf with a simple server block for your domain.
- Enable the site by linking it into /etc/nginx/sites-enabled and test with nginx -t.
- Start or reload Nginx (systemctl reload nginx) and verify via the access/error logs.
Best Practices
- Keep configuration in modular blocks: separate sites in sites-available/sites-enabled and use include directives to compose the full config.
- Run nginx -t before reloads to catch syntax or mismatch errors.
- Disable server_tokens to reduce information leakage in banners.
- Use strong TLS settings (TLS 1.2/1.3, secure ciphers, HSTS) and enable HTTP/2 where supported.
- Enable appropriate caching and compression (sendfile, tcp_nopush, gzip) and tune timeout values to balance performance and reliability.
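One way to check a config dump against the practices listed above, as an added example rather than code from the skill: it reads `nginx -T` output and reports a missing `server_tokens off`, legacy `ssl_protocols`, and TLS servers whose HSTS header is absent or is dropped inside a `location` that sets its own `add_header`. The function name `audit_nginx` and the sample config (this page's HTTPS and static-caching snippets merged) are assumptions, and the check assumes one directive per line with headers set at server level.

```bash
# audit_nginx: read a config dump (`nginx -T` output) on stdin, print one finding per line.
# Assumes one directive per line, un-nested locations, headers set at server level.
audit_nginx() {
    awk '
    { sub(/#.*/, "") }                                    # ignore comments
    /server_tokens[ \t]+off[ \t]*;/ { tokens_off = 1 }
    /ssl_protocols[^;]*(SSLv3|TLSv1(\.1)?)([ \t]|;)/ { legacy = 1 }
    /^[ \t]*server[ \t]*[{]/ { srv = depth + 1; srv_hsts = 0; tls = 0; n = 0 }
    srv && /^[ \t]*listen[ \t][^;]*ssl/ { tls = 1 }
    srv && /^[ \t]*location[ \t]/ {
        loc = depth + 1; loc_add = 0; loc_hsts = 0
        name = $0; gsub(/^[ \t]*location[ \t]+|[ \t]*[{].*$/, "", name)
    }
    /^[ \t]*add_header[ \t]/ {
        hsts = ($0 ~ /Strict-Transport-Security/)
        if (loc) { loc_add = 1; if (hsts) loc_hsts = 1 }
        else if (srv && hsts) srv_hsts = 1
    }
    {
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")      # track block nesting
        if (loc && depth < loc) { if (loc_add && !loc_hsts) shadow[++n] = name; loc = 0 }
        if (srv && depth < srv) {                         # server block closed: report
            if (tls && !srv_hsts) print "TLS server without Strict-Transport-Security"
            if (tls && srv_hsts) for (i = 1; i <= n; i++)
                print "HSTS dropped in location " shadow[i] " (its own add_header replaces inherited ones)"
            srv = 0
        }
    }
    END {
        if (!tokens_off) print "server_tokens is not off"
        if (legacy) print "legacy protocol enabled in ssl_protocols"
    }'
}

# Constructed sample: the HTTPS and static-caching snippets from this page, merged.
sample_conf() {
cat <<'EOF'
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
        add_header Cache-Control "public, immutable";
    }
}
EOF
}

sample_conf | audit_nginx
```

Run it against a live host with `nginx -T 2>/dev/null | audit_nginx`. The sample produces two findings: the asset location loses HSTS because `add_header` directives are inherited only when the current level defines none, and `server_tokens off` is missing.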
Example Use Cases
- Static site hosting with HTTPS and aggressive caching for assets (images, CSS, JS) to reduce load on origin servers.
- Reverse proxy for a Node.js API server with WebSocket support and proper headers to preserve client IPs and protocol.
- PHP-FPM backend configuration for a Laravel site, using fastcgi_pass and appropriate SCRIPT_FILENAME handling.
- Load-balanced API gateway with multiple upstream servers and health checks, using least_conn, or ip_hash when session affinity is needed.
- Security-focused routing that restricts admin paths to a trusted IP range and enforces TLS with HSTS.