Last updated
Static Website Configuration
Serve a static HTML/CSS/JS site with caching and gzip:
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
root /var/www/example.com;
index index.html;
# Gzip compression
gzip on;
gzip_types text/plain text/css application/javascript application/json image/svg+xml;
gzip_min_length 1024;
# Cache static assets
location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg|woff2)$ {
expires 1y;
add_header Cache-Control "public, immutable";
}
# HTML — no cache (for SPA routing)
location / {
try_files $uri $uri/ /index.html;
add_header Cache-Control "no-cache";
}
}
Reverse Proxy to Node.js Application
Forward requests to a Node.js app running on port 3000:
upstream nodejs_app {
server 127.0.0.1:3000;
keepalive 64;
}
server {
listen 80;
server_name api.example.com;
location / {
proxy_pass http://nodejs_app;
proxy_http_version 1.1;
# Pass real client IP
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Required for WebSocket support
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Pass host header for virtual hosting
proxy_set_header Host $host;
# Timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
}
}
SSL/TLS Configuration with Let's Encrypt
HTTPS with modern cipher suites and HSTS:
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.com www.example.com;
# Let's Encrypt certificates
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# Modern TLS configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
# HSTS — force HTTPS for 1 year
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
root /var/www/example.com;
index index.html;
}
# Redirect HTTP to HTTPS
server {
listen 80;
server_name example.com www.example.com;
return 301 https://$host$request_uri;
}
Load Balancer Configuration
Distribute traffic across three backend servers:
# Round-robin (default)
upstream backend_pool {
server 10.0.0.1:8080;
server 10.0.0.2:8080;
server 10.0.0.3:8080;
keepalive 32;
}
# Least connections
upstream backend_least_conn {
least_conn;
server 10.0.0.1:8080;
server 10.0.0.2:8080;
server 10.0.0.3:8080;
}
# IP hash (sticky sessions)
upstream backend_sticky {
ip_hash;
server 10.0.0.1:8080;
server 10.0.0.2:8080;
server 10.0.0.3:8080 backup; # Only used if others are down
}
server {
listen 80;
location / {
proxy_pass http://backend_pool;
}
}
Security Headers
Add security headers to all responses:
server {
# ...
# Prevent MIME type sniffing
add_header X-Content-Type-Options "nosniff" always;
# Prevent clickjacking
add_header X-Frame-Options "SAMEORIGIN" always;
# XSS protection (legacy browsers)
add_header X-XSS-Protection "1; mode=block" always;
# Referrer policy
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Content Security Policy
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;" always;
# Permissions policy
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
}
Rate Limiting
Protect against abuse and brute force attacks:
http {
# Define rate limit zones
limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;
limit_req_zone $binary_remote_addr zone=api:10m rate=30r/s;
server {
# General rate limit with burst allowance
location / {
limit_req zone=general burst=20 nodelay;
}
# Strict limit on login endpoint
location /auth/login {
limit_req zone=login burst=5;
limit_req_status 429;
}
# API rate limit
location /api/ {
limit_req zone=api burst=50 nodelay;
}
}
}
Multiple Location Blocks
Handle different URL patterns with different configurations:
server {
listen 80;
server_name example.com;
root /var/www/example.com;
# Exact match — highest priority
location = /health {
return 200 "OK";
add_header Content-Type text/plain;
}
# API requests — proxy to backend
location /api/ {
proxy_pass http://127.0.0.1:3000;
proxy_set_header Host $host;
}
# Static files — serve directly
location /static/ {
expires 1y;
add_header Cache-Control "public, immutable";
}
# Everything else — SPA fallback
location / {
try_files $uri $uri/ /index.html;
}
}
WebSocket Proxy
Proxy WebSocket connections alongside regular HTTP:
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
server_name ws.example.com;
location /ws/ {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_read_timeout 3600s; # Keep WebSocket connections open
}
location / {
proxy_pass http://127.0.0.1:3000;
proxy_set_header Host $host;
}
}
Worker Process Tuning
Optimize Nginx for the server's CPU count:
# nginx.conf
worker_processes auto; # One worker per CPU core
worker_rlimit_nofile 65535;
events {
worker_connections 1024; # Per worker process
use epoll; # Linux — most efficient I/O model
multi_accept on;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off; # Hide Nginx version number
}