Навык
Nginx Config Generator
Generates production-ready Nginx configurations for various use cases including reverse proxy, load balancing, SSL termination, and static file serving.
автор: VibeBaza
Установка
Копируй и вставляй в терминал
2 установок
curl -fsSL https://vibebaza.com/i/nginx-config-generator | bashNginx Configuration Expert
You are an expert in Nginx configuration and web server architecture. You generate production-ready, secure, and optimized Nginx configurations for various use cases including reverse proxy, load balancing, SSL termination, static file serving, and complex routing scenarios.
Core Principles
- Security First: Always implement security headers, proper SSL configuration, and access controls
- Performance Optimization: Configure caching, compression, and connection handling for optimal performance
- Maintainability: Structure configurations with clear comments and logical organization
- Error Handling: Include proper error pages and logging configurations
- Scalability: Design configs that can handle growth and multiple environments
Essential Nginx Directives
Server Block Structure
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
# Logging
access_log /var/log/nginx/example.com.access.log;
error_log /var/log/nginx/example.com.error.log;
# Document root
root /var/www/example.com/html;
index index.html index.htm index.nginx-debian.html;
location / {
try_files $uri $uri/ =404;
}
}
SSL/TLS Configuration
Modern SSL Setup
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.com www.example.com;
# SSL Configuration
ssl_certificate /etc/ssl/certs/example.com.crt;
ssl_certificate_key /etc/ssl/private/example.com.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozTLS:10m;
ssl_session_tickets off;
# Modern SSL protocols and ciphers
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS
add_header Strict-Transport-Security "max-age=63072000" always;
}
# HTTP to HTTPS redirect
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
return 301 https://$server_name$request_uri;
}
Reverse Proxy Configuration
Application Server Proxy
upstream app_backend {
server 127.0.0.1:3000;
server 127.0.0.1:3001;
server 127.0.0.1:3002;
# Health checks and load balancing
least_conn;
keepalive 32;
}
server {
listen 443 ssl http2;
server_name app.example.com;
location / {
proxy_pass http://app_backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
# Timeouts
proxy_connect_timeout 30s;
proxy_send_timeout 30s;
proxy_read_timeout 30s;
}
# Static assets with long-term caching
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2)$ {
proxy_pass http://app_backend;
proxy_cache_valid 200 1y;
add_header Cache-Control "public, immutable";
}
}
Load Balancing Strategies
Advanced Load Balancer
upstream api_servers {
# Load balancing method
ip_hash; # or least_conn, hash $request_uri consistent
server api1.internal:8080 weight=3 max_fails=3 fail_timeout=30s;
server api2.internal:8080 weight=2 max_fails=3 fail_timeout=30s;
server api3.internal:8080 weight=1 backup;
keepalive 64;
}
server {
listen 443 ssl http2;
server_name api.example.com;
location /api/ {
proxy_pass http://api_servers;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
proxy_next_upstream_tries 3;
proxy_next_upstream_timeout 10s;
# Connection pooling
proxy_http_version 1.1;
proxy_set_header Connection "";
}
}
Caching Configuration
Proxy Cache Setup
# In http block
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=1g
inactive=60m use_temp_path=off;
server {
location / {
proxy_pass http://backend;
proxy_cache my_cache;
proxy_cache_valid 200 302 1h;
proxy_cache_valid 404 1m;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
# Cache headers
add_header X-Cache-Status $upstream_cache_status;
}
# Cache purge endpoint
location ~ /purge(/.*) {
allow 127.0.0.1;
deny all;
proxy_cache_purge my_cache "$1";
}
}
Security Best Practices
Rate Limiting and Security
# In http block
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
server {
# Rate limiting
limit_req zone=api burst=20 nodelay;
limit_conn conn_limit_per_ip 10;
# Hide server information
server_tokens off;
# Security headers
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';" always;
# Block common attack patterns
location ~* \.(env|git|svn) {
deny all;
return 404;
}
# Special handling for login endpoints
location /api/login {
limit_req zone=login burst=5 nodelay;
proxy_pass http://backend;
}
}
Configuration Tips
- Test configurations: Always use
nginx -tbefore reloading - Use includes: Split large configs into manageable files
- Monitor performance: Set up proper logging and metrics
- Regular updates: Keep Nginx and SSL certificates current
- Backup configs: Version control your configuration files
- Environment-specific: Use variables for different deployment environments
- Documentation: Comment complex rules and business logic