Nginx Config Generator
Generate Nginx configuration files for reverse proxy, static sites, SPAs, load balancing, and more. Interactive wizard with SSL, gzip, and security headers.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    root /var/www/html;
    index index.html;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    client_max_body_size 10m;
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" always;
    location / {
        try_files $uri $uri/ =404;
    }
}
How to Use This Tool
- Choose a use case from the cards at the top. Each preset configures the form with sensible defaults for that scenario: static file serving, reverse proxy to a backend application, PHP-FPM, single page application routing, load balancing across multiple servers, HTTP redirects, or WebSocket proxying.
- Adjust the server name to your domain and configure the listen port. Enable SSL if you have certificates from Let's Encrypt or another certificate authority.
- Toggle optional features. Gzip compression reduces bandwidth for text-based responses. Security headers protect against clickjacking, MIME sniffing, and cross-site scripting. Static asset caching tells browsers to cache images, fonts, and scripts for 30 days. Rate limiting prevents abuse by throttling requests per IP address.
- The configuration preview updates in real time as you change settings. Yellow warnings highlight common mistakes like missing absolute paths or default certificate locations that need updating.
- Copy the generated configuration or download it as a .conf file. Place it in /etc/nginx/sites-available/, symlink it to sites-enabled, test with nginx -t, and reload with systemctl reload nginx.
What Is Nginx?
Nginx (pronounced "engine-x") is the world's most popular web server, powering over 34% of all websites according to W3Techs. Created by Igor Sysoev in 2004 to solve the C10K problem (handling 10,000 concurrent connections), Nginx uses an event-driven, non-blocking architecture that makes it exceptionally efficient at serving static content and proxying requests to application servers.
Unlike Apache's process-per-connection model, Nginx uses a small number of worker processes that each handle thousands of connections simultaneously through an event loop. This architecture means Nginx consumes very little memory even under heavy load, making it ideal for high-traffic websites, API gateways, and microservice architectures.
Nginx serves multiple roles in modern infrastructure: web server for static files, reverse proxy for application backends, load balancer distributing traffic across server pools, SSL/TLS termination point, HTTP cache, and mail proxy. Most production deployments use Nginx in at least one of these capacities.
Reverse Proxy Explained
A reverse proxy accepts incoming client requests and forwards them to one or more backend servers. The client communicates only with Nginx and never directly with the backend. This provides several advantages: SSL termination at the proxy layer means backend applications do not need to handle HTTPS. The proxy can add security headers, compress responses, cache content, and rate-limit requests before they reach the application.
The key directive is proxy_pass, which specifies where to forward requests. Proxy headers like X-Real-IP and X-Forwarded-For pass the original client IP to the backend, since the backend otherwise sees only the proxy's IP. The X-Forwarded-Proto header tells the backend whether the original request used HTTP or HTTPS, which is critical for generating correct redirect URLs and setting secure cookies.
For WebSocket applications, the proxy must also pass the Upgrade and Connection headers to allow the HTTP connection to upgrade to the WebSocket protocol. Without these headers, WebSocket handshakes fail silently.
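The directives described above assembled into one server block, as an added example rather than output of this tool: the backend is assumed to listen on 127.0.0.1:3000 and example.com is a placeholder. The map block translates the client's Upgrade header into the Connection value the backend needs, so the same location serves both plain HTTP and WebSocket traffic.

```nginx
# Added example, not generated by the tool. Assumptions: backend on 127.0.0.1:3000,
# server name example.com. The map must sit in the http context (outside "server"),
# which is the case for files included from sites-enabled.
map $http_upgrade $connection_upgrade {
    default upgrade;   # client asked to upgrade: pass "Connection: upgrade" through
    ''      close;     # ordinary request: do not keep a stale Connection header
}

server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;          # required for WebSocket and keepalive upstreams

        # Give the backend the original client IP and scheme; without these it only
        # sees the proxy's address and cannot build correct redirects or secure cookies.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket handshake headers; omitting them makes the upgrade fail silently.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Idle WebSocket connections are closed after proxy_read_timeout (60s by default);
        # raise it for long-lived sockets or send application-level pings.
        proxy_read_timeout 3600s;
    }
}
```

Note that X-Forwarded-For is appended to, not replaced, by $proxy_add_x_forwarded_for; a backend that trusts the first address in that list should only do so when Nginx is the sole entry point, otherwise a client can prepend any value it likes.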
SSL/TLS Configuration
SSL/TLS encryption is essential for any production website. Let's Encrypt provides free, automatically renewable certificates that are trusted by all major browsers. The ssl_certificate directive points to the full certificate chain (your certificate plus intermediate certificates), while ssl_certificate_key points to the private key.
Modern SSL configuration should disable older protocols. TLS 1.0 and 1.1 are deprecated and vulnerable to known attacks. The generated configuration enforces TLS 1.2 and 1.3 only, with strong cipher suites that prioritize forward secrecy. Forward secrecy ensures that even if the server's private key is compromised in the future, previously recorded traffic cannot be decrypted.
A common pattern is to run two server blocks: one on port 80 that redirects all HTTP traffic to HTTPS with a return 301, and one on port 443 that handles the actual application. The redirect use case in this tool generates exactly this configuration.
Performance Optimization
Gzip compression reduces the size of text-based responses (HTML, CSS, JavaScript, JSON, XML, SVG) by 60-80%. The gzip_comp_level setting balances CPU usage against compression ratio; level 6 is the recommended sweet spot. Higher levels yield diminishing returns while significantly increasing CPU time. The gzip_vary directive adds a Vary: Accept-Encoding header so caches store both compressed and uncompressed versions.
Static asset caching with expires and Cache-Control headers tells browsers to cache files locally. For assets with hashed filenames (common in modern build tools like Vite and Webpack), setting expires 30d or longer is safe because the filename changes whenever the content changes. This eliminates redundant downloads and dramatically improves page load times for returning visitors.
For CPU-intensive operations like SSL handshakes, Nginx supports session caching and OCSP stapling to reduce overhead. The worker_processes auto directive (set in the main nginx.conf, not in server blocks) automatically creates one worker per CPU core.
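The two-server-block redirect pattern from the SSL/TLS section, the static asset caching described above, and the session cache and OCSP stapling mentioned here, combined in one added example that is not the tool's generated output. The certificate paths follow the Let's Encrypt layout for an assumed domain example.com; the resolver address is a placeholder to replace with your own.

```nginx
# Added example, not generated by the tool. Assumptions: domain example.com,
# certificates issued by Let's Encrypt, site root /var/www/html.

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Keep ACME HTTP-01 challenges reachable over plain HTTP so renewals still work.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    # Everything else: permanent redirect to HTTPS, preserving the path and query.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;
    root /var/www/html;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;  # leaf + intermediates
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # TLS 1.0/1.1 are deprecated; keep only 1.2 and 1.3 with forward-secret ECDHE suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # Session resumption avoids a full handshake for returning clients.
    # Tickets are disabled because a long-lived ticket key undermines forward secrecy.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling: Nginx fetches the revocation status so the browser does not have to.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    resolver 192.0.2.53 valid=300s;   # PLACEHOLDER: use your own DNS resolver

    add_header Strict-Transport-Security "max-age=63072000" always;

    # Hashed build assets: safe to cache for 30 days because the name changes with the content.
    location ~* \.(?:css|js|woff2?|png|jpe?g|gif|svg|ico)$ {
        expires 30d;
        add_header Cache-Control "public, immutable";
        # add_header in a location replaces the server-level headers for these responses,
        # so HSTS is repeated here rather than inherited.
        add_header Strict-Transport-Security "max-age=63072000" always;
        access_log off;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

The add_header inheritance rule is the caveat most often missed: any location that sets its own add_header stops inheriting the server-level security headers, which is why the asset location repeats HSTS. Run nginx -t after editing, and check stapling with openssl s_client -connect example.com:443 -status (the response should show an OCSP Response Status of successful once Nginx has fetched it).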
Security Best Practices
Security headers provide defense-in-depth against common web attacks. X-Frame-Options: SAMEORIGIN prevents your site from being embedded in iframes on other domains, blocking clickjacking attacks. X-Content-Type-Options: nosniff prevents browsers from MIME-sniffing responses away from the declared Content-Type, which can prevent XSS attacks via malicious file uploads.
The Content-Security-Policy header is the most powerful security header. It controls which sources the browser is allowed to load scripts, styles, images, and other resources from. A strict CSP like default-src 'self' blocks all external resources and inline scripts, effectively preventing most XSS attacks. However, CSP requires careful tuning to avoid breaking legitimate functionality. Use the CSP Generator tool to build a policy that matches your application's needs.
Rate limiting with limit_req_zone and limit_req protects against brute-force attacks and denial-of-service attempts. The zone stores client IP addresses in shared memory, and the rate defines how many requests per second each IP is allowed. The burst parameter allows short traffic spikes without immediately rejecting requests. Requests that exceed the burst are rejected with a 503 status code.
For PHP applications, the location ~ /\.(?!well-known).* block denies access to hidden files like .env, .git, and .htaccess, which frequently contain sensitive configuration data. The exception for .well-known allows Let's Encrypt's ACME challenge verification to work.
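The rate limiting and hidden-file protection described in this section as one added example, not output of this tool. It assumes a PHP-FPM socket at /run/php/php-fpm.sock, a login endpoint at /login.php, and that Nginx is the first hop that sees the client address.

```nginx
# Added example, not generated by the tool.
# limit_req_zone belongs in the http context (e.g. /etc/nginx/conf.d/ratelimit.conf).
# Key: the binary client address (4 bytes for IPv4) keeps the 10 MB zone compact;
# 10m holds roughly 160,000 addresses. Steady-state allowance: 5 requests/second per IP.
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/s;
# Nginx rejects with 503 by default; 429 tells clients and monitoring what really happened.
limit_req_status 429;

# If a CDN or load balancer sits in front of Nginx, $binary_remote_addr is that proxy's
# address and every client shares one bucket. Restore the real address first, and only
# trust the header from the proxy's own ranges (addresses below are placeholders):
# set_real_ip_from 192.0.2.0/24;
# real_ip_header X-Forwarded-For;

server {
    listen 80;
    server_name example.com;
    root /var/www/html;
    index index.php index.html;

    # Regex locations are tested in order of appearance, so the deny rule must come before
    # the PHP handler; otherwise /.git/hooks/x.php would reach PHP-FPM.
    # .env, .git, .htaccess and other dotfiles are blocked; .well-known stays open for ACME.
    location ~ /\.(?!well-known).* {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Throttle only the endpoint worth brute-forcing. burst=10 queues a short spike;
    # nodelay serves the queued requests immediately instead of pacing them, and the
    # 11th request inside the same second is rejected with limit_req_status.
    location = /login.php {
        limit_req zone=login burst=10 nodelay;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    location ~ \.php$ {
        try_files $uri =404;   # refuse paths like /uploads/x.jpg/y.php that do not exist
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Rejected requests are logged at the level set by limit_req_log_level (error by default), which gives a detection hook: a burst of "limiting requests" lines for one address against /login.php is the signature of a credential-stuffing attempt and can be fed straight into fail2ban or a SIEM rule.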
Load Balancing Strategies
Nginx supports several load balancing algorithms. The default round-robin distributes requests evenly across upstream servers. The weight parameter adjusts the ratio — a server with weight 3 receives three times as many requests as one with weight 1. Other methods include least_conn (sends to the server with fewest active connections), ip_hash (ensures the same client always reaches the same server, useful for session persistence), and random with two-choice selection.
Health checks happen passively by default: if a backend fails to respond, Nginx marks it as unavailable for a configurable period. Nginx Plus (the commercial version) adds active health checks that periodically probe backends without waiting for real traffic. For the open-source version, third-party modules like nginx_upstream_check_module provide similar functionality.
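The algorithms and passive health checks described above in one added upstream definition, not generated by this tool. The backend addresses and the api.example.com name are placeholders.

```nginx
# Added example, not generated by the tool. Assumptions: three backends on a private
# network, API served under api.example.com. Goes in the http context.
upstream app_pool {
    # Default is weighted round-robin. Uncomment exactly one alternative if needed:
    # least_conn;   # send to the backend with the fewest active connections
    # ip_hash;      # pin each client IP to one backend (session persistence);
    #               # note: "backup" servers are not permitted with ip_hash

    # weight=3 vs weight=1: the first backend receives three requests out of four.
    # Passive health check: after 3 failed attempts within 30s the server is skipped
    # for 30s, then tried again with live traffic.
    server 10.0.0.11:8080 weight=3 max_fails=3 fail_timeout=30s;
    server 10.0.0.12:8080 weight=1 max_fails=3 fail_timeout=30s;

    # Only receives traffic when every primary server is marked unavailable.
    server 10.0.0.13:8080 backup;

    # Reuse idle connections to the backends instead of reconnecting per request.
    keepalive 32;
}

server {
    listen 80;
    server_name api.example.com;

    location / {
        proxy_pass http://app_pool;
        proxy_http_version 1.1;
        proxy_set_header Connection "";            # required for upstream keepalive
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # What counts as a "failure" for max_fails, and whether to retry elsewhere.
        # Retrying on 5xx is only safe for idempotent requests; non-idempotent methods
        # (POST) are not retried unless "non_idempotent" is added here.
        proxy_next_upstream error timeout http_502 http_503 http_504;
        proxy_next_upstream_tries 2;
        proxy_connect_timeout 2s;
    }
}
```

Without an explicit proxy_connect_timeout a dead backend holds each request for the 60-second default before Nginx moves on, so the short timeout is what makes the passive check useful in practice.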
Related Tools
Build Content Security Policies with the CSP Generator. Convert curl commands to code with the Curl Converter. Look up HTTP response codes with the HTTP Status Codes reference. Calculate file permissions with the Chmod Calculator. Plan network configurations with the Subnet Calculator.
Frequently Asked Questions
- What is an Nginx reverse proxy and when should I use one?
- A reverse proxy sits between client requests and your backend application servers. Nginx forwards incoming HTTP requests to your Node.js, Python, or other backend process running on a local port. Use a reverse proxy when you need SSL termination, load balancing, caching, or to serve multiple applications from a single server on port 80/443.
- How do I set up SSL with Let's Encrypt in Nginx?
- Install Certbot (the Let's Encrypt client), run "certbot certonly --webroot -w /var/www/html -d yourdomain.com", then point ssl_certificate to the fullchain.pem and ssl_certificate_key to the privkey.pem files in /etc/letsencrypt/live/yourdomain.com/. Certbot handles automatic renewal via a cron job or systemd timer.
- What is the difference between Nginx location block types?
- Nginx supports several location match types: exact match (location = /path), prefix match (location /path), case-sensitive regex (location ~ \.php$), case-insensitive regex (location ~* \.(jpg|png)$), and preferential prefix (location ^~ /images/). Exact matches are checked first, then preferential prefixes, then regex in order of appearance, then longest prefix match.
- How does try_files work for single page applications?
- The directive "try_files $uri $uri/ /index.html" tells Nginx to first look for the exact file requested, then check if it is a directory, and finally fall back to serving index.html. This allows client-side routers in React, Vue, or Angular to handle URLs like /about or /dashboard without Nginx returning a 404.
- Is my configuration data sent to a server?
- No. All configuration generation happens entirely in your browser using JavaScript. Your server names, IP addresses, file paths, and other settings never leave your machine.
- How do I test my Nginx configuration before reloading?
- Run "nginx -t" to test the configuration syntax without applying it. If the test passes, reload Nginx with "nginx -s reload" or "systemctl reload nginx" to apply the changes without dropping active connections.
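The location match types and the try_files fallback from the questions above, combined in one added example for a single page application; it is not output of this tool. The dist directory, /api/ backend on 127.0.0.1:3000, and app.example.com are assumed.

```nginx
# Added example, not generated by the tool. Assumptions: built SPA in /var/www/app/dist,
# an API backend on 127.0.0.1:3000, served as app.example.com.
server {
    listen 80;
    server_name app.example.com;
    root /var/www/app/dist;
    index index.html;

    # Exact match (=): evaluated before every other location type.
    location = /healthz {
        access_log off;
        default_type text/plain;
        return 200 "ok\n";
    }

    # Preferential prefix (^~): once this wins, regex locations are not consulted,
    # so the image regex below cannot steal /assets/logo.png from this block.
    # Hashed build assets are safe to cache for a long time.
    location ^~ /assets/ {
        expires 30d;
        add_header Cache-Control "public, immutable";
        try_files $uri =404;
    }

    # Plain prefix: proxied to the API; the trailing slash on proxy_pass strips /api/.
    location /api/ {
        proxy_pass http://127.0.0.1:3000/;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Case-insensitive regex (~*): static files outside /assets/, e.g. /favicon.ico.
    # Regex locations are tried in order of appearance after prefix matching.
    location ~* \.(?:png|jpe?g|gif|svg|ico|woff2?)$ {
        expires 7d;
        try_files $uri =404;
    }

    # Longest remaining prefix: the SPA fallback. /about or /dashboard do not exist
    # on disk, so try_files ends at /index.html and the client-side router takes over.
    # index.html itself must not be cached long, or users keep an old build whose
    # hashed asset names no longer exist.
    location / {
        try_files $uri $uri/ /index.html;
        add_header Cache-Control "no-cache";
    }
}
```

Because the final fallback is /index.html rather than =404, a request for a missing file such as /robots.txt returns index.html with status 200; if that matters, add an exact-match location for such files or restrict the fallback to paths the router actually handles.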