Nginx Cheat Sheet

# /etc/nginx/nginx.conf
worker_processes auto;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/conf.d/*.conf;
}

server {
    listen 80;
    server_name example.com;
    root /var/www/html;
    index index.html;
}

nginx -t              # Test config
nginx -s reload       # Reload
nginx -s stop         # Stop
systemctl restart nginx

location /images/ {
    root /var/www;
}

location = /favicon.ico {
    log_not_found off;
}

location ~ \.php$ {
    fastcgi_pass unix:/var/run/php/php-fpm.sock;
}

location ~* \.(jpg|png|gif)$ {
    expires 30d;
}

# 1. = exact match
# 2. ^~ prefix (stops search)
# 3. ~ or ~* regex
# 4. prefix match (longest)

location / {
    proxy_pass http://localhost:3000;
}

location /api/ {
    proxy_pass http://backend:8080/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

location /ws/ {
    proxy_pass http://backend:8080;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}

upstream backend {
    server 10.0.0.1:8080 weight=3;
    server 10.0.0.2:8080;
    server 10.0.0.3:8080 backup;
}

server {
    location / {
        proxy_pass http://backend;
    }
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/ssl/certs/example.crt;
    ssl_certificate_key /etc/ssl/private/example.key;
}

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;

server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}

# Certbot location
location /.well-known/acme-challenge/ {
    root /var/www/certbot;
}

location ~* \.(css|js|jpg|png|gif|ico)$ {
    expires 30d;
    add_header Cache-Control "public, no-transform";
}

proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m;

server {
    location / {
        proxy_cache my_cache;
        proxy_cache_valid 200 1h;
        proxy_cache_valid 404 1m;
        proxy_pass http://backend;
    }
}

location /api/ {
    add_header Cache-Control "no-store, no-cache";
    expires -1;
}

server_tokens off;

add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "strict-origin-when-cross-origin";

limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;

server {
    location /api/ {
        limit_req zone=mylimit burst=20 nodelay;
    }
}

location /admin {
    allow 192.168.1.0/24;
    deny all;
}

location /admin {
    auth_basic "Admin Area";
    auth_basic_user_file /etc/nginx/.htpasswd;
}

# Temporary redirect
return 302 https://example.com$request_uri;

# Permanent redirect
return 301 https://example.com$request_uri;

# Internal rewrite
rewrite ^/old-page$ /new-page permanent;
rewrite ^/blog/(\d+)$ /posts/$1 last;

location / {
    try_files $uri $uri/ /index.html;
}

rewrite ^/(.*)/$ /$1 permanent;

access_log /var/log/nginx/access.log;
access_log off;  # Disable

error_log /var/log/nginx/error.log warn;
# Levels: debug, info, notice, warn, error, crit

log_format main '$remote_addr - $remote_user [$time_local] '
                '"$request" $status $body_bytes_sent '
                '"$http_referer" "$http_user_agent"';

access_log /var/log/nginx/access.log main;

map $status $loggable {
    ~^[23] 0;
    default 1;
}

access_log /var/log/nginx/access.log combined if=$loggable;