# Nginx Server

Server blocks, reverse proxy, SSL, load balancing, caching, and rate limiting
## 1. Service Management

| Command | Description |
|---|---|
| `sudo systemctl start nginx` | Start Nginx service |
| `sudo systemctl stop nginx` | Stop Nginx service |
| `sudo systemctl restart nginx` | Restart Nginx (drops connections) |
| `sudo systemctl reload nginx` | Graceful reload without downtime |
| `sudo systemctl enable nginx` | Enable Nginx on boot |
| `sudo systemctl status nginx` | Check Nginx service status |
| `nginx -t` | Test configuration syntax |
| `nginx -T` | Test and dump full configuration |
| `nginx -v` | Show Nginx version |
| `nginx -V` | Show version and compile options |
| `nginx -s reload` | Send reload signal to master process |
| `nginx -s quit` | Graceful shutdown |
## 2. Server Blocks (Virtual Hosts)

| Directive / Command | Description |
|---|---|
| `server { listen 80; }` | Define a server block on port 80 |
| `server_name example.com www.example.com;` | Set domain names for server block |
| `root /var/www/html;` | Set document root directory |
| `index index.html index.php;` | Set default index files |
| `error_log /var/log/nginx/error.log;` | Set error log path |
| `access_log /var/log/nginx/access.log;` | Set access log path |
| `sudo ln -s /etc/nginx/sites-available/site /etc/nginx/sites-enabled/` | Enable a site config |
| `sudo rm /etc/nginx/sites-enabled/site` | Disable a site config |
## 3. Location Blocks & Routing

| Directive | Description |
|---|---|
| `location / { try_files $uri $uri/ =404; }` | Serve files or return 404 |
| `location /api/ { proxy_pass http://backend; }` | Proxy requests to backend |
| `location ~ \.php$ { ... }` | Regex match for PHP files |
| `location ^~ /images/ { ... }` | Prefix match (priority over regex) |
| `location = /health { return 200; }` | Exact match for health check |
| `try_files $uri $uri/ /index.php?$query_string;` | SPA/Laravel-style routing fallback |
| `rewrite ^/old-path$ /new-path permanent;` | Permanent redirect (301) |
| `return 301 https://$host$request_uri;` | Redirect HTTP to HTTPS |
## 4. Reverse Proxy

| Directive | Description |
|---|---|
| `proxy_pass http://localhost:3000;` | Forward to backend server |
| `proxy_set_header Host $host;` | Pass original Host header |
| `proxy_set_header X-Real-IP $remote_addr;` | Pass client real IP |
| `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` | Pass forwarded-for chain |
| `proxy_set_header X-Forwarded-Proto $scheme;` | Pass original protocol |
| `proxy_http_version 1.1;` | Use HTTP/1.1 for keep-alive |
| `proxy_set_header Upgrade $http_upgrade;` | Enable WebSocket upgrade |
| `proxy_set_header Connection "upgrade";` | WebSocket connection header |
## 5. SSL / HTTPS

| Directive / Command | Description |
|---|---|
| `listen 443 ssl;` | Listen on HTTPS port |
| `ssl_certificate /path/fullchain.pem;` | Set SSL certificate path |
| `ssl_certificate_key /path/privkey.pem;` | Set SSL private key path |
| `ssl_protocols TLSv1.2 TLSv1.3;` | Allow only modern TLS versions |
| `ssl_prefer_server_ciphers on;` | Prefer server cipher order |
| `ssl_session_cache shared:SSL:10m;` | Enable SSL session cache (10MB) |
| `sudo certbot --nginx -d example.com` | Install Let's Encrypt certificate |
| `add_header Strict-Transport-Security "max-age=31536000" always;` | Enable HSTS header |
## 6. Load Balancing

| Directive | Description |
|---|---|
| `upstream backend { server 127.0.0.1:3001; server 127.0.0.1:3002; }` | Define upstream server group |
| `upstream backend { least_conn; ... }` | Use least connections algorithm |
| `upstream backend { ip_hash; ... }` | Sticky sessions by client IP |
| `server 127.0.0.1:3001 weight=3;` | Set server weight for balancing |
| `server 127.0.0.1:3001 backup;` | Mark server as backup only |
| `server 127.0.0.1:3001 max_fails=3 fail_timeout=30s;` | Passive health-check thresholds (mark the server down after 3 failures for 30s) |
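The directives from sections 2 through 6 are normally combined into one site file. The following is an added example (not from the original cheat sheet) of a complete virtual host that redirects port 80 to HTTPS, terminates TLS, and proxies `/api/` to a load-balanced upstream with WebSocket support. The certificate paths under `/etc/letsencrypt/live/`, the third backend on port 3003, and the log file names are assumptions chosen for illustration.

```nginx
# Added example: /etc/nginx/sites-available/example.com (enable with the
# ln -s command from section 2, then run `nginx -t` and `systemctl reload nginx`).
# Hostnames, ports, certificate paths and log names are assumptions.

upstream backend {
    least_conn;                                            # node with fewest active connections
    server 127.0.0.1:3001 weight=3 max_fails=3 fail_timeout=30s;
    server 127.0.0.1:3002 max_fails=3 fail_timeout=30s;
    server 127.0.0.1:3003 backup;                          # assumed: used only when both above are down
}

# WebSocket handshakes need "Connection: upgrade"; ordinary requests must not.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Port 80 serves nothing in clear text: every request is sent to HTTPS.
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;  # assumed certbot layout
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # "always" also attaches HSTS to 4xx/5xx responses.
    add_header Strict-Transport-Security "max-age=31536000" always;

    access_log /var/log/nginx/example.access.log;
    error_log  /var/log/nginx/example.error.log;

    root  /var/www/html;
    index index.html;

    # Exact match: answered by nginx itself, never forwarded to the backend.
    location = /health {
        default_type text/plain;
        return 200 "ok\n";
    }

    # ^~ stops regex-location matching, so images are served straight from disk.
    location ^~ /images/ {
        expires 30d;
    }

    # API traffic: keep the client's identity and original scheme for the backend.
    location /api/ {
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Two details matter in practice. `add_header` is only inherited by a location that defines no `add_header` of its own, which is why the example sets HSTS once at server level and lets `expires` (which writes its own `Cache-Control`) handle the images location; a location that adds its own header would silently drop HSTS. The `map` replaces the fixed `Connection "upgrade"` from section 4 so that plain HTTP requests are not mislabelled as upgrades.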
## 7. Caching & Performance

| Directive | Description |
|---|---|
| `gzip on;` | Enable gzip compression |
| `gzip_types text/css application/javascript;` | Set MIME types to compress |
| `gzip_min_length 256;` | Minimum size to trigger compression |
| `expires 30d;` | Set cache expiry to 30 days |
| `add_header Cache-Control "public, no-transform";` | Set cache control header |
| `proxy_cache_path /tmp/cache levels=1:2 keys_zone=my_cache:10m;` | Define proxy cache zone |
| `proxy_cache my_cache;` | Enable proxy caching |
| `client_max_body_size 50m;` | Set max upload size to 50MB |
| `sendfile on;` | Enable efficient file serving |
| `worker_connections 1024;` | Max connections per worker |
## 8. Security & Headers

| Directive | Description |
|---|---|
| `deny all;` | Block access to location |
| `allow 192.168.1.0/24;` | Allow access from IP range |
| `limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;` | Define rate limiting zone |
| `limit_req zone=api burst=20 nodelay;` | Apply rate limit with burst |
| `add_header X-Frame-Options "SAMEORIGIN";` | Prevent clickjacking |
| `add_header X-Content-Type-Options "nosniff";` | Prevent MIME type sniffing |
| `server_tokens off;` | Hide Nginx version in headers |
| `location ~ /\.ht { deny all; }` | Block .htaccess files |
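Sections 7 and 8 are usually applied together on a proxied API: the cache and rate-limit zones are declared at `http` level, then referenced inside the locations that need them. The following is an added example (not from the original cheat sheet) that wires them up; the cache directory `/var/cache/nginx`, the backend on port 3000, the `/admin/` path and the 429 status are assumptions chosen for illustration.

```nginx
# Added example. The http-level lines belong in nginx.conf or a file under
# conf.d/; the server block belongs in a site file. Paths, ports and the
# /admin/ location are assumptions.

limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;  # 10 req/s per client IP, 10 MB of state
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=1g inactive=60m;

gzip on;
gzip_min_length 256;
gzip_types text/css application/javascript application/json;

server_tokens off;            # no version string in the Server header or error pages

server {
    listen 80;
    server_name example.com;
    root /var/www/html;
    client_max_body_size 50m;

    # Set once at server level so every location below inherits them.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Rate-limited, cached API proxy.
    location /api/ {
        limit_req zone=api burst=20 nodelay;  # absorb a spike of 20, reject the rest immediately
        limit_req_status 429;                 # default is 503; 429 tells well-behaved clients to back off

        proxy_cache my_cache;
        proxy_cache_valid 200 10m;            # keep successful responses for 10 minutes
        proxy_cache_valid 404 1m;
        # Never serve one user's authenticated response to another: skip the
        # cache entirely when the request carries an Authorization header.
        proxy_no_cache     $http_authorization;
        proxy_cache_bypass $http_authorization;

        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Admin interface reachable only from the internal range; deny is evaluated last.
    location /admin/ {
        allow 192.168.1.0/24;
        deny  all;
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
    }

    # Apache-style dotfiles copied into the docroot must never be served.
    location ~ /\.ht {
        deny all;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Two checks before relying on this: `limit_req_zone` keys on `$binary_remote_addr`, so if nginx itself sits behind another proxy or load balancer every client shares that proxy's address and the limit applies to all of them at once (use `set_real_ip_from` / `real_ip_header` from the realip module, or key on the forwarded address, in that deployment). And the `add_header` inheritance rule applies here too: if a location later gains its own `add_header`, the two security headers must be repeated in it, which `nginx -T` plus a quick `curl -I` against that path will confirm.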