Nginx Configuration Cheatsheet

Quick reference for Nginx directives covering basic config, location blocks, reverse proxy, SSL/TLS, caching, security, performance, and logging

64 commands

server { }

Define a server block

server { listen 80; server_name example.com; }

listen

Specify listening port

listen 80;

listen (IPv6)

Listen on IPv6

listen [::]:80;

server_name

Set server name (domain)

server_name example.com www.example.com;

root

Set document root

root /var/www/html;

index

Set default index files

index index.html index.htm;

worker_processes

Set number of worker processes

worker_processes auto;

worker_connections

Max connections per worker

worker_connections 1024;

include

Include external config files

include /etc/nginx/conf.d/*.conf;

nginx -t

Test configuration syntax

nginx -t

nginx -s reload

Reload configuration

nginx -s reload

nginx -s stop

Stop Nginx

nginx -s stop

location /

Prefix match location

location / { try_files $uri $uri/ =404; }

location = /path

Exact match location

location = /favicon.ico { log_not_found off; }

location ~ regex

Regex match (case-sensitive)

location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; }

location ~* regex

Regex match (case-insensitive)

location ~* \.(jpg|jpeg|png|gif)$ { expires 30d; }

location ^~ /path

Priority prefix match

location ^~ /images/ { root /data; }

try_files

Try files in order

try_files $uri $uri/ /index.html;

alias

Replace location path with alias

location /static/ { alias /var/www/assets/; }

return

Return specified status code

return 301 https://$host$request_uri;

rewrite

Rewrite URL

rewrite ^/old/(.*)$ /new/$1 permanent;

proxy_pass

Forward requests to backend

proxy_pass http://127.0.0.1:3000;

proxy_set_header Host

Set Host header

proxy_set_header Host $host;

proxy_set_header X-Real-IP

Forward client IP to backend

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For

Forward proxy chain IPs

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto

Forward original protocol

proxy_set_header X-Forwarded-Proto $scheme;

upstream

Define upstream server group

upstream backend { server 127.0.0.1:3000; server 127.0.0.1:3001; }

proxy_read_timeout

Backend read timeout

proxy_read_timeout 90s;

proxy_connect_timeout

Backend connect timeout

proxy_connect_timeout 30s;

proxy_buffering

Enable/disable proxy buffering

proxy_buffering off;

listen 443 ssl

Listen on 443 with SSL

listen 443 ssl;

ssl_certificate

SSL certificate file path

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;

ssl_certificate_key

SSL private key file path

ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

ssl_protocols

Allowed SSL/TLS protocols

ssl_protocols TLSv1.2 TLSv1.3;

ssl_ciphers

Specify cipher suites

ssl_ciphers HIGH:!aNULL:!MD5;

ssl_prefer_server_ciphers

Prefer server cipher suites

ssl_prefer_server_ciphers on;

ssl_session_cache

Set SSL session cache

ssl_session_cache shared:SSL:10m;

ssl_session_timeout

SSL session timeout

ssl_session_timeout 1d;

expires

Set response expiration

expires 30d;

add_header Cache-Control

Add Cache-Control header

add_header Cache-Control 'public, max-age=31536000';

proxy_cache_path

Set proxy cache path

proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m;

proxy_cache

Specify proxy cache zone

proxy_cache my_cache;

proxy_cache_valid

Set cache validity period

proxy_cache_valid 200 60m;

proxy_cache_bypass

Conditions to bypass cache

proxy_cache_bypass $http_pragma;

deny

Deny access from specified IP

deny 192.168.1.100;

allow

Allow access from specified IP

allow 10.0.0.0/8;

auth_basic

Enable Basic authentication

auth_basic 'Restricted Area';

auth_basic_user_file

Specify Basic auth user file

auth_basic_user_file /etc/nginx/.htpasswd;

add_header X-Frame-Options

Clickjacking protection header

add_header X-Frame-Options SAMEORIGIN;

add_header X-Content-Type-Options

MIME sniffing prevention header

add_header X-Content-Type-Options nosniff;

limit_req_zone

Define rate limit zone

limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;

limit_req

Apply rate limiting

limit_req zone=one burst=20 nodelay;

gzip

Enable gzip compression

gzip on;

gzip_types

Specify MIME types for gzip

gzip_types text/plain text/css application/json application/javascript;

gzip_min_length

Minimum size for gzip

gzip_min_length 256;

sendfile

Enable sendfile (fast file transfer)

sendfile on;

tcp_nopush

Enable TCP_NOPUSH

tcp_nopush on;

tcp_nodelay

Enable TCP_NODELAY

tcp_nodelay on;

keepalive_timeout

Set Keep-Alive timeout

keepalive_timeout 65;

access_log

Set access log path

access_log /var/log/nginx/access.log;

error_log

Set error log path and level

error_log /var/log/nginx/error.log warn;

log_format

Define custom log format

log_format main '$remote_addr - $remote_user [$time_local] "$request" $status';

access_log off

Disable access log

access_log off;

open_log_file_cache

Set log file cache

open_log_file_cache max=1000 inactive=20s valid=1m min_uses=2;