Nginx Config Guide
Reverse Proxy with SSL
server {
listen 80;
server_name example.com www.example.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name example.com www.example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 60s;
proxy_buffering on;
}
}
Gzip & Static Files
http {
gzip on;
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;
gzip_types
text/plain text/css text/xml
application/json application/javascript
application/xml+rss image/svg+xml;
server {
# Static files with long cache
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff2)$ {
root /var/www/html;
expires 1y;
add_header Cache-Control "public, immutable";
access_log off;
}
# Brotli pre-compressed files
location ~* \.(js|css)$ {
gzip_static on; # serve .gz if exists
}
}
}
Rate Limiting
http {
# Define rate limit zone
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;
server {
location /api/ {
limit_req zone=api burst=20 nodelay;
limit_req_status 429;
proxy_pass http://backend;
}
location /login {
limit_req zone=login burst=5;
limit_req_status 429;
proxy_pass http://backend;
}
}
}