Nginx Config Cheat Sheet
Nginx configuration reference with server blocks, reverse proxy, SSL, rate limiting, and performance tuning. Copy-ready config snippets.
Server
| Description | Example |
|---|---|
| Define a virtual server block | `server { listen 80; server_name example.com; }` |
| Set listening port | `listen 443 ssl; listen [::]:443 ssl;` |
| Set server domain name(s) | `server_name example.com www.example.com;` |
| Set document root directory | `root /var/www/html;` |
| Set default index files | `index index.html index.htm index.php;` |
| Custom error pages | `error_page 404 /404.html; error_page 500 502 /50x.html;` |
| Return response or redirect | `return 301 https://$host$request_uri;` |
Location
| Description | Example |
|---|---|
| Match URI path | `location /api/ { proxy_pass http://backend; }` |
| Exact URI match | `location = /health { return 200 'OK'; }` |
| Case-sensitive regex match | `location ~ \.php$ { fastcgi_pass ...; }` |
| Case-insensitive regex match | `location ~* \.(jpg\|png\|gif)$ { expires 30d; }` |
| Prefix match (stops regex search) | `location ^~ /static/ { root /data; }` |
| Try files in order, fallback | `try_files $uri $uri/ /index.html;` |
Proxy
| Description | Example |
|---|---|
| Forward requests to backend | `proxy_pass http://localhost:3000;` |
| Set headers to backend | `proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr;` |
| Rewrite redirect headers | `proxy_redirect off;` |
| Enable/disable proxy buffering | `proxy_buffering off; # for SSE/WebSocket` |
| Timeout for connecting to backend | `proxy_connect_timeout 60s;` |
| Timeout for reading from backend | `proxy_read_timeout 300s;` |
Upstream
| Description | Example |
|---|---|
| Define backend server group | `upstream backend { server 127.0.0.1:3000; server 127.0.0.1:3001; }` |
| Backend server with weight | `server 10.0.0.1:8080 weight=3;` |
| Least connections load balancing | `upstream backend { least_conn; server ...; }` |
| Sticky sessions by IP | `upstream backend { ip_hash; server ...; }` |
| Keep connections to upstream open | `keepalive 32;` |
SSL
| Description | Example |
|---|---|
| SSL certificate file | `ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;` |
| SSL private key file | `ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;` |
| Allowed SSL/TLS protocols | `ssl_protocols TLSv1.2 TLSv1.3;` |
| Allowed cipher suites | `ssl_ciphers HIGH:!aNULL:!MD5;` |
| SSL session cache config | `ssl_session_cache shared:SSL:10m;` |
| Enable OCSP stapling | `ssl_stapling on; ssl_stapling_verify on;` |
Headers
| Description | Example |
|---|---|
| Add response header | `add_header X-Frame-Options DENY;` |
| Enable HSTS | `add_header Strict-Transport-Security "max-age=31536000" always;` |
| Set CSP header | `add_header Content-Security-Policy "default-src 'self'";` |
| Prevent MIME sniffing | `add_header X-Content-Type-Options nosniff;` |
Performance
| Description | Example |
|---|---|
| Set cache expiry | `expires 30d; # cache for 30 days` |
| Enable gzip compression | `gzip on; gzip_types text/plain text/css application/json;` |
| Minimum size to compress | `gzip_min_length 256;` |
| Max upload size | `client_max_body_size 10m;` |
| Efficient file serving | `sendfile on; tcp_nopush on;` |
| Max connections per worker | `events { worker_connections 1024; }` |
Logging
| Description | Example |
|---|---|
| Set access log file | `access_log /var/log/nginx/access.log;` |
| Set error log file and level | `error_log /var/log/nginx/error.log warn;` |
| Custom log format | `log_format main '$remote_addr - $request';` |
| Disable access logging | `location /health { access_log off; }` |
Rewrite
| Description | Example |
|---|---|
| URL rewrite rule | `rewrite ^/old-page$ /new-page permanent;` |
| Rewrite flags | `rewrite ^/api/(.*) /$1 break;` |
| Conditional (use sparingly) | `if ($request_method = POST) { return 405; }` |
| Set a variable | `set $backend http://app1;` |
| Variable mapping | `map $uri $new_uri { /old /new; default $uri; }` |
Rate Limiting
| Description | Example |
|---|---|
| Define rate limit zone | `limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;` |
| Apply rate limit | `limit_req zone=api burst=20 nodelay;` |
| Define connection limit zone | `limit_conn_zone $binary_remote_addr zone=addr:10m;` |
| Limit concurrent connections | `limit_conn addr 10;` |
Commands
| Description | Example |
|---|---|
| Test config syntax | `sudo nginx -t` → test before reload |
| Reload configuration | `sudo nginx -s reload` |
| Stop Nginx immediately | `sudo nginx -s stop` |
| Graceful shutdown | `sudo nginx -s quit` |
| Show version and compile options | `nginx -V` → see modules and flags |
Frequently asked questions
What's the difference between Nginx and Apache?
Nginx uses an event-driven, non-blocking architecture that handles thousands of concurrent connections efficiently. Apache uses a process/thread-per-connection model. Nginx excels as a reverse proxy and for serving static files. Apache is more flexible with .htaccess and mod_rewrite. Many setups use Nginx as a reverse proxy in front of Apache.
How do I set up HTTPS with Let's Encrypt?
Install certbot, run 'certbot --nginx -d example.com', and it auto-configures SSL. For manual setup: use ssl_certificate and ssl_certificate_key directives, set ssl_protocols to TLSv1.2 TLSv1.3, and redirect HTTP to HTTPS with 'return 301 https://$host$request_uri'.
How do I configure Nginx as a reverse proxy?
In your server block, use 'location / { proxy_pass http://localhost:3000; }' with proxy_set_header directives for Host, X-Real-IP, and X-Forwarded-For. For WebSocket support, add proxy_http_version 1.1 and proxy_set_header Upgrade/Connection headers.
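The manual HTTPS setup and the reverse proxy with WebSocket support from the two answers above, combined into one configuration. This is an added example, not part of the original cheat sheet; the `$connection_upgrade` map, the `X-Forwarded-Proto` header and the backend address are assumptions.

```nginx
# Added example: goes inside the http { } context.
# Connection value for the backend: "upgrade" when the client asks for a
# protocol upgrade (WebSocket), otherwise "close".
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Plain HTTP: redirect only, nothing is served here.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://localhost:3000;   # assumed backend address

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        # Appends the client address to whatever X-Forwarded-For the client
        # sent, so the backend should trust only the right-most entry.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # A WebSocket connection is closed if the backend sends nothing
        # for this long.
        proxy_read_timeout 300s;
    }
}
```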
What does 'location' matching priority look like?
Priority order: 1) Exact match (= /path), 2) Preferential prefix (^~ /path), 3) Regex (~ or ~*) in config order, 4) Longest prefix match. Understanding this prevents unexpected routing behavior. Use 'nginx -T' to dump the full config for debugging.
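A test server for checking this matching order, as an added example that is not part of the original cheat sheet: each location returns its own label, so requesting a URI shows which block was selected. The listen address, the labels and the `/static/private/` block are assumptions; that block is there because, per the nginx documentation, `^~` skips the regex search only when its prefix is the longest matching prefix.

```nginx
# Added example: goes inside the http { } context.
server {
    listen 127.0.0.1:8080;      # assumed local test address
    default_type text/plain;

    # Exact match: takes /health only. /health/ and /healthz fall through
    # to the prefix and regex locations.
    location = /health { return 200 "exact"; }

    # ^~ prefix: takes /static/logo.png even though the image regex below
    # would match, because the regex search is skipped.
    location ^~ /static/ { return 200 "static-no-regex"; }

    # Longer plain prefix nested under /static/. For /static/private/a.png
    # this is the longest matching prefix and it has no ^~, so regexes are
    # checked and the image regex takes the request.
    location /static/private/ { return 200 "static-private"; }

    # Plain prefix: takes /api/users, but /api/export.php goes to the
    # .php regex, since a matching regex beats a plain prefix.
    location /api/ { return 200 "api"; }

    # Catch-all prefix: used when no regex matches and no longer prefix fits.
    location / { return 200 "root"; }

    # Regex locations are tried in the order written; first match wins.
    # ~ is case-sensitive, so /index.PHP is not taken here.
    location ~ \.php$ { return 200 "regex-php"; }

    # ~* is case-insensitive, so /images/A.PNG is taken here.
    location ~* \.(jpg|png|gif)$ { return 200 "regex-image"; }
}
```

After `sudo nginx -t` and a reload, request each URI from the comments with `curl http://127.0.0.1:8080/...` and compare the returned label with the block you expected, in particular for any location that carries access restrictions.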
How do I handle large file uploads?
Set 'client_max_body_size 100m' (or your desired limit) in the server or location block. The default is 1MB. Also consider adjusting proxy_read_timeout and proxy_send_timeout for slow uploads to backend servers.
How do I enable HTTP/2?
Add 'http2' to your listen directive: 'listen 443 ssl http2'. HTTP/2 requires HTTPS. It enables multiplexing, header compression, and server push, significantly improving performance for modern web applications.