Nginx

Web server and reverse proxy configuration. Manage sites, SSL certificates, load balancing, and traffic routing.

65 commands

Browse by Topic

Getting Started

Quick setup and installation

3commands

Control

Start/stop/reload

12commands

Config

Configuration

8commands

Logs

Log management

8commands

Reverse Proxy

Proxy & load balancing

10commands

SSL/TLS

HTTPS & certificates

8commands

Performance

Caching & optimization

8commands

Security

Headers & access control

8commands

Install Nginx (macOS)

$ brew install nginx

Install Nginx using Homebrew on macOS

Install Nginx (Linux)

$ sudo apt install nginx -y

Install Nginx using APT on Debian/Ubuntu Linux

Check Nginx version

$ nginx -v

Verify Nginx is installed and display version

Enable on boot

$ sudo systemctl enable nginx

Enable Nginx to start on system boot

Graceful stop

$ sudo nginx -s quit

Gracefully stop Nginx (finish current requests)

Reload config

$ sudo nginx -s reload

Reload configuration without stopping

Reopen log files

$ sudo nginx -s reopen

Reopen log files (for log rotation)

Restart (systemd)

$ sudo systemctl restart nginx

Restart Nginx service

Start Nginx

$ sudo nginx

Start Nginx server

Check status (systemd)

$ sudo systemctl status nginx

Check Nginx service status

Stop Nginx

$ sudo nginx -s stop

Stop Nginx server immediately

Test configuration

$ sudo nginx -t

Test configuration syntax

Test config (verbose)

$ sudo nginx -T

Test config and dump full configuration

Show version

$ nginx -v

Show Nginx version

Show version and modules

$ nginx -V

Show version, compiler, and configure arguments

Check specific config

$ sudo nginx -c /path/to/nginx.conf -t

Test a specific configuration file

Show config path

$ nginx -t 2>&1 | grep 'configuration file'

Show path to main configuration file

Disable site

$ sudo rm /etc/nginx/sites-enabled/<site>

Disable a site configuration

Edit main config

$ sudo nano /etc/nginx/nginx.conf

Edit main Nginx configuration

Edit site config

$ sudo nano /etc/nginx/sites-available/<site>

Edit site-specific configuration

Enable site

$ sudo ln -s /etc/nginx/sites-available/<site> /etc/nginx/sites-enabled/

Enable a site configuration

List enabled sites

$ ls -la /etc/nginx/sites-enabled/

List all enabled site configurations

List available sites

$ ls -la /etc/nginx/sites-available/

List all available site configurations

Find 404 errors

$ sudo grep " 404 " /var/log/nginx/access.log | tail -20

Show recent 404 errors

View access log

$ sudo tail -f /var/log/nginx/access.log

Follow access log in real-time

Truncate logs

$ sudo truncate -s 0 /var/log/nginx/access.log /var/log/nginx/error.log

Clear log files without deleting them

View error log

$ sudo tail -f /var/log/nginx/error.log

Follow error log in real-time

Show last 100 errors

$ sudo tail -n 100 /var/log/nginx/error.log

Show last 100 lines of error log

Search in access log

$ sudo grep "pattern" /var/log/nginx/access.log

Search for pattern in access log

Top requesting IPs

$ sudo awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20

Show top 20 IPs by request count

Top requested URLs

$ sudo awk '{print $7}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20

Show top 20 requested URLs

IP hash session persistence

$ upstream backend { ip_hash; server 127.0.0.1:3001; server 127.0.0.1:3002; }

Same client IP always reaches same backend

Least connections balancing

$ upstream backend { least_conn; server 127.0.0.1:3001; server 127.0.0.1:3002; }

Route to server with fewest active connections

Load balance round-robin

$ upstream backend { server 127.0.0.1:3001; server 127.0.0.1:3002; }

Distribute traffic across multiple backends

Weighted load balancing

$ upstream backend { server 127.0.0.1:3001 weight=3; server 127.0.0.1:3002 weight=1; }

Distribute traffic with custom weights

Health check with failover

$ server 127.0.0.1:3001 max_fails=3 fail_timeout=30s; server 127.0.0.1:3002 backup;

Mark server down after 3 failures with backup

Disable proxy buffering

$ proxy_buffering off; proxy_cache off;

Disable buffering for SSE or streaming

Reverse proxy to port 3000

$ proxy_pass http://localhost:3000;

Forward requests to backend app

Pass real IP to backend

$ proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Forward client IP to backend service

Proxy timeouts

$ proxy_connect_timeout 60s; proxy_send_timeout 60s; proxy_read_timeout 60s;

Set connection and read timeouts for backend

WebSocket proxy

$ proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade";

Enable WebSocket connections through proxy

SSL certificate paths

$ ssl_certificate /etc/ssl/certs/example.com.crt; ssl_certificate_key /etc/ssl/private/example.com.key;

Configure certificate and key file locations

Install Let's Encrypt certificate

$ sudo certbot --nginx -d example.com -d www.example.com

Obtain free SSL with Certbot

Enable HSTS

$ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Force browsers to always use HTTPS

Modern TLS protocols only

$ ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on;

Disable outdated SSL versions

HTTP to HTTPS redirect

$ server { listen 80; server_name example.com; return 301 https://$server_name$request_uri; }

Redirect all HTTP to HTTPS

Renew certificates

$ sudo certbot renew

Renew all Let's Encrypt certificates

Test certificate renewal

$ sudo certbot renew --dry-run

Test renewal process without renewing

SSL session cache

$ ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m;

Cache SSL sessions for performance

Browser cache static assets

$ location ~* \.(jpg|css|js|svg|woff2)$ { expires 1y; add_header Cache-Control "public, immutable"; }

Cache static files for one year

Limit concurrent connections

$ limit_conn_zone $binary_remote_addr zone=addr:10m; limit_conn addr 10;

Restrict concurrent connections per IP

Enable gzip compression

$ gzip on; gzip_types text/plain text/css application/json application/javascript;

Compress text responses to reduce bandwidth

Keepalive upstream connections

$ upstream backend { server 127.0.0.1:3000; keepalive 32; }

Reuse connections to backend servers

Disable logging for static files

$ location ~* \.(jpg|css|js|ico)$ { access_log off; log_not_found off; }

Reduce I/O by skipping static file logs

Apply rate limit to location

$ limit_req zone=mylimit burst=20 nodelay;

Apply rate limit with burst allowance

Rate limit per IP

$ limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;

Limit each IP to 10 requests per second

Worker process tuning

$ worker_processes auto; worker_rlimit_nofile 100000;

Auto-configure workers per CPU core

Enable basic authentication

$ auth_basic "Restricted"; auth_basic_user_file /etc/nginx/.htpasswd;

Require password for protected areas

Block IP address

$ deny 192.168.1.100; allow all;

Block specific IP from accessing site

CORS headers for API

$ add_header Access-Control-Allow-Origin "https://example.com" always; add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;

Enable cross-origin requests from specific domain

Security headers

$ add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always;

Protect against clickjacking and MIME sniffing

Hide server version

$ server_tokens off;

Remove Nginx version from headers and error pages

Create htpasswd file

$ sudo htpasswd -c /etc/nginx/.htpasswd username

Create password file for basic auth

Limit upload size

$ client_max_body_size 10m;

Restrict maximum request body size

Whitelist IPs only

$ allow 192.168.1.0/24; deny all;

Restrict access to specific IP range

Discussion

Loading comments...

Nginx

Web server and reverse proxy configuration. Manage sites, SSL certificates, load balancing, and traffic routing.

65 commands

Browse by Topic

Getting Started

Quick setup and installation

3commands

Control

Start/stop/reload

12commands

Config

Configuration

8commands

Logs

Log management

8commands

Reverse Proxy

Proxy & load balancing

10commands

SSL/TLS

HTTPS & certificates

8commands

Performance

Caching & optimization

8commands

Security

Headers & access control

8commands

Install Nginx (macOS)

$ brew install nginx

Install Nginx using Homebrew on macOS

Install Nginx (Linux)

$ sudo apt install nginx -y

Install Nginx using APT on Debian/Ubuntu Linux

Check Nginx version

$ nginx -v

Verify Nginx is installed and display version

Enable on boot

$ sudo systemctl enable nginx

Enable Nginx to start on system boot

Graceful stop

$ sudo nginx -s quit

Gracefully stop Nginx (finish current requests)

Reload config

$ sudo nginx -s reload

Reload configuration without stopping

Reopen log files

$ sudo nginx -s reopen

Reopen log files (for log rotation)

Restart (systemd)

$ sudo systemctl restart nginx

Restart Nginx service

Start Nginx

$ sudo nginx

Start Nginx server

Check status (systemd)

$ sudo systemctl status nginx

Check Nginx service status

Stop Nginx

$ sudo nginx -s stop

Stop Nginx server immediately

Test configuration

$ sudo nginx -t

Test configuration syntax

Test config (verbose)

$ sudo nginx -T

Test config and dump full configuration

Show version

$ nginx -v

Show Nginx version

Show version and modules

$ nginx -V

Show version, compiler, and configure arguments

Check specific config

$ sudo nginx -c /path/to/nginx.conf -t

Test a specific configuration file

Show config path

$ nginx -t 2>&1 | grep 'configuration file'

Show path to main configuration file

Disable site

$ sudo rm /etc/nginx/sites-enabled/<site>

Disable a site configuration

Edit main config

$ sudo nano /etc/nginx/nginx.conf

Edit main Nginx configuration

Edit site config

$ sudo nano /etc/nginx/sites-available/<site>

Edit site-specific configuration

Enable site

$ sudo ln -s /etc/nginx/sites-available/<site> /etc/nginx/sites-enabled/

Enable a site configuration

List enabled sites

$ ls -la /etc/nginx/sites-enabled/

List all enabled site configurations

List available sites

$ ls -la /etc/nginx/sites-available/

List all available site configurations

Find 404 errors

$ sudo grep " 404 " /var/log/nginx/access.log | tail -20

Show recent 404 errors

View access log

$ sudo tail -f /var/log/nginx/access.log

Follow access log in real-time

Truncate logs

$ sudo truncate -s 0 /var/log/nginx/access.log /var/log/nginx/error.log

Clear log files without deleting them

View error log

$ sudo tail -f /var/log/nginx/error.log

Follow error log in real-time

Show last 100 errors

$ sudo tail -n 100 /var/log/nginx/error.log

Show last 100 lines of error log

Search in access log

$ sudo grep "pattern" /var/log/nginx/access.log

Search for pattern in access log

Top requesting IPs

$ sudo awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20

Show top 20 IPs by request count

Top requested URLs

$ sudo awk '{print $7}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20

Show top 20 requested URLs

IP hash session persistence

$ upstream backend { ip_hash; server 127.0.0.1:3001; server 127.0.0.1:3002; }

Same client IP always reaches same backend

Least connections balancing

$ upstream backend { least_conn; server 127.0.0.1:3001; server 127.0.0.1:3002; }

Route to server with fewest active connections

Load balance round-robin

$ upstream backend { server 127.0.0.1:3001; server 127.0.0.1:3002; }

Distribute traffic across multiple backends

Weighted load balancing

$ upstream backend { server 127.0.0.1:3001 weight=3; server 127.0.0.1:3002 weight=1; }

Distribute traffic with custom weights

Health check with failover

$ server 127.0.0.1:3001 max_fails=3 fail_timeout=30s; server 127.0.0.1:3002 backup;

Mark server down after 3 failures with backup

Disable proxy buffering

$ proxy_buffering off; proxy_cache off;

Disable buffering for SSE or streaming

Reverse proxy to port 3000

$ proxy_pass http://localhost:3000;

Forward requests to backend app

Pass real IP to backend

$ proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Forward client IP to backend service

Proxy timeouts

$ proxy_connect_timeout 60s; proxy_send_timeout 60s; proxy_read_timeout 60s;

Set connection and read timeouts for backend

WebSocket proxy

$ proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade";

Enable WebSocket connections through proxy

SSL certificate paths

$ ssl_certificate /etc/ssl/certs/example.com.crt; ssl_certificate_key /etc/ssl/private/example.com.key;

Configure certificate and key file locations

Install Let's Encrypt certificate

$ sudo certbot --nginx -d example.com -d www.example.com

Obtain free SSL with Certbot

Enable HSTS

$ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Force browsers to always use HTTPS

Modern TLS protocols only

$ ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on;

Disable outdated SSL versions

HTTP to HTTPS redirect

$ server { listen 80; server_name example.com; return 301 https://$server_name$request_uri; }

Redirect all HTTP to HTTPS

Renew certificates

$ sudo certbot renew

Renew all Let's Encrypt certificates

Test certificate renewal

$ sudo certbot renew --dry-run

Test renewal process without renewing

SSL session cache

$ ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m;

Cache SSL sessions for performance

Browser cache static assets

$ location ~* \.(jpg|css|js|svg|woff2)$ { expires 1y; add_header Cache-Control "public, immutable"; }

Cache static files for one year

Limit concurrent connections

$ limit_conn_zone $binary_remote_addr zone=addr:10m; limit_conn addr 10;

Restrict concurrent connections per IP

Enable gzip compression

$ gzip on; gzip_types text/plain text/css application/json application/javascript;

Compress text responses to reduce bandwidth

Keepalive upstream connections

$ upstream backend { server 127.0.0.1:3000; keepalive 32; }

Reuse connections to backend servers

Disable logging for static files

$ location ~* \.(jpg|css|js|ico)$ { access_log off; log_not_found off; }

Reduce I/O by skipping static file logs

Apply rate limit to location

$ limit_req zone=mylimit burst=20 nodelay;

Apply rate limit with burst allowance

Rate limit per IP

$ limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;

Limit each IP to 10 requests per second

Worker process tuning

$ worker_processes auto; worker_rlimit_nofile 100000;

Auto-configure workers per CPU core

Enable basic authentication

$ auth_basic "Restricted"; auth_basic_user_file /etc/nginx/.htpasswd;

Require password for protected areas

Block IP address

$ deny 192.168.1.100; allow all;

Block specific IP from accessing site

CORS headers for API

$ add_header Access-Control-Allow-Origin "https://example.com" always; add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;

Enable cross-origin requests from specific domain

Security headers

$ add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always;

Protect against clickjacking and MIME sniffing

Hide server version

$ server_tokens off;

Remove Nginx version from headers and error pages

Create htpasswd file

$ sudo htpasswd -c /etc/nginx/.htpasswd username

Create password file for basic auth

Limit upload size

$ client_max_body_size 10m;

Restrict maximum request body size

Whitelist IPs only

$ allow 192.168.1.0/24; deny all;

Restrict access to specific IP range

Discussion

Loading comments...