Nginx: Hacks and Configuration cheat sheet

This cheat sheet covers Nginx configuration on Linux-based systems such as Ubuntu (the Debian-style layout with sites-available and sites-enabled).

Nginx config file path:

/etc/nginx/nginx.conf

Below is the tree structure of /etc/nginx/ (these are the main files and folders we need to learn):

├── nginx.conf
├── sites-available
│ └── default
├── sites-enabled
│ └── default -> /etc/nginx/sites-available/default

Open nginx.conf and you will see these two lines near the bottom of the http block:

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;

These two lines pull in every config file from the corresponding folders. Note the difference: conf.d only picks up files ending in .conf, while sites-enabled picks up everything, so an editor backup such as default~ or default.bak left in sites-enabled is loaded too.

sites-available holds every site's configuration whether it is active or not; sites-enabled holds symlinks to the ones nginx should actually load. You enable a site by linking it from sites-available into sites-enabled, and disable it by removing the link.

So let's write a sample nginx config. The file belongs in sites-available (sites-enabled only holds links to it):

sites-available
│ └── thatcoder_space.conf

cd /etc/nginx/sites-available
sudo touch thatcoder_space.conf
sudo vim thatcoder_space.conf

server {
    listen 80;
    server_name thatcoder.space;

    location / {
        # localhost may resolve to ::1 first; use 127.0.0.1 if the backend only listens on IPv4
        proxy_pass         http://localhost:4060;
        proxy_redirect     off;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        # tells the backend whether the client used https (needed once TLS is added below)
        proxy_set_header   X-Forwarded-Proto $scheme;
        # $host is what the client asked for; $server_name is only the configured name
        proxy_set_header   X-Forwarded-Host  $host;
    }
}

The above config proxies every request for thatcoder.space to the service on localhost:4060.
So run your backend service on that port, bound to 127.0.0.1 only so it cannot be reached except through nginx, and nginx forwards requests from your domain to it. One caveat for the backend: $proxy_add_x_forwarded_for appends nginx's view of the client after whatever X-Forwarded-For the client itself sent, so only the last address in that header can be trusted.
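As an added example (my own config, not part of the original cheat sheet), here is the same reverse proxy with the client-address headers handled so the backend cannot be fed a spoofed X-Forwarded-For. The domain, the backend on 127.0.0.1:4060 and the upstream load balancer at 10.0.0.5 are assumptions.

```nginx
# Added example, not from the original page. Assumed: thatcoder.space,
# backend on 127.0.0.1:4060, a load balancer at 10.0.0.5 in front of nginx.
server {
    listen 80;
    server_name thatcoder.space;

    # Only when nginx sits behind another proxy: take the real client address
    # from the header that proxy sets, trusting only that proxy's IP.
    # If nginx is the internet-facing edge, omit these three lines.
    set_real_ip_from  10.0.0.5;
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;

    location / {
        proxy_pass         http://127.0.0.1:4060;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        # $remote_addr is the TCP peer (or the realip-derived address above),
        # never a value the client typed into a header.
        proxy_set_header   X-Real-IP         $remote_addr;
        # Overwrite instead of appending: proxy_add_x_forwarded_for keeps any
        # value the client sent, so a backend that reads the first address
        # in the list would trust an attacker-chosen one.
        proxy_set_header   X-Forwarded-For   $remote_addr;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_set_header   X-Forwarded-Host  $host;
        # Do not forward the client's Connection header hop-by-hop.
        proxy_set_header   Connection        "";
    }
}
```

The backend then sees exactly one address in X-Forwarded-For and can use it for rate limiting or audit logs without parsing the list.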

To enable this configuration, link it into the sites-enabled folder:

cd /etc/nginx/sites-enabled
sudo ln -s ../sites-available/thatcoder_space.conf .
ls -l

Now if you check the tree,

├── sites-enabled
│ └── thatcoder_space.conf -> ../sites-available/thatcoder_space.conf

Now check the configuration for syntax errors with `sudo nginx -t`, then reload nginx (a reload re-reads the config without dropping existing connections; a full restart is not needed):

sudo service nginx reload

Ta da! Your site is live

To serve static pages or assets (use this for hosting single-page web apps as well, like React, Angular or Vue.js):

location / {
    root /home/user/project-directory-path;
    # try_files needs a fallback as its last argument; for an SPA, unknown
    # paths go to index.html so client-side routing works
    try_files $uri $uri/ /index.html;
}
location ~* \.(js|jpg|txt|ico|json|png|css|xml|html)$ {
    root /home/user/project-directory-path;
    # assets never fall back to index.html
    try_files $uri =404;
}
# /_/name serves name.html, or name, from the project directory
location ~* ^/_/(.*)$ {
    root /home/user/project-directory-path;
    # try_files arguments are URIs relative to root, so the leading slash is
    # required; alias combined with try_files misbehaves in a regex location
    try_files /$1.html /$1 =404;
}

Point root at the build output directory only, not at your whole home directory: everything under root is readable by anyone who can guess a path.

To block direct IP serving (requests whose Host header matches no server_name):

server {
    # default_server is required: without it nginx sends unknown Hosts to
    # the first server block defined for the port, not to this one
    listen 80 default_server;
    server_name _;
    return 404;
}
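Once the site is on HTTPS the catch-all needs a 443 listener too, or a request for https://<your-ip>/ is still answered by the real server block. This is an added example (mine, not the page's); it needs nginx 1.19.4 or newer for ssl_reject_handshake.

```nginx
# Added example, not from the original page. Requires nginx >= 1.19.4.
server {
    # default_server is what makes this block catch unknown Hosts and bare IPs.
    listen 80  default_server;
    listen 443 ssl default_server;
    server_name _;

    # Abort the TLS handshake for unknown or missing SNI names instead of
    # presenting the real certificate; no ssl_certificate is needed here.
    ssl_reject_handshake on;

    # 444 is nginx-specific: close the connection without sending a response,
    # so scanners hitting the IP get nothing to fingerprint.
    return 444;
}
```

Scanners that connect by IP never see your certificate's hostname and get no HTTP response at all, which also keeps them out of the per-site access logs.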

CORS and header related

# to all domains. Never combine '*' with Allow-Credentials: browsers reject
# that pair, and reflecting arbitrary origins with credentials would let any
# site make authenticated requests to your API
add_header 'Access-Control-Allow-Origin' '*';
# for a specific domain: the value must be one exact origin (scheme and host);
# wildcards such as '*.thatcoder.space' are not valid and browsers ignore them
#add_header 'Access-Control-Allow-Origin' 'https://app.thatcoder.space';
add_header 'Access-Control-Allow-Credentials' 'true';

# to expose the Location header (nginx syntax is name then value, no colon)
add_header 'Access-Control-Expose-Headers' 'Location';
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Location,Accept,Authorization,Cache-Control,Content-Type';

Remember that add_header is not inherited: a location block that has any add_header of its own drops all the ones set in server or http, so repeat them where needed.
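The safe way to do the "specific domain" case, including subdomains and credentials, is to reflect the Origin header only when it is on an allowlist, using a map. This is an added example written for this page, not the original author's config; api.thatcoder.space, the /api/ path and the backend port are assumptions.

```nginx
# Added example, not from the original page. Assumed: api.thatcoder.space,
# backend on 127.0.0.1:4060. The map must sit in the http {} context.
map $http_origin $cors_origin {
    default "";                                   # unknown origin: no CORS headers at all
    "~^https://([a-z0-9-]+\.)?thatcoder\.space$"  $http_origin;   # apex and one-level subdomains, https only
}

server {
    listen 80;
    server_name api.thatcoder.space;

    location /api/ {
        # "always" so the headers also go on 4xx/5xx responses.
        # When $cors_origin is empty nginx omits the header entirely.
        add_header Access-Control-Allow-Origin      $cors_origin always;
        add_header Access-Control-Allow-Credentials "true"       always;
        add_header Access-Control-Expose-Headers    "Location"   always;
        # Caches must key on Origin, or a reply allowed for one origin
        # could be served to another.
        add_header Vary                             "Origin"     always;

        # Answer preflights here; they never reach the backend.
        # Headers inside if {} are not inherited from outside, so repeat them.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin      $cors_origin always;
            add_header Access-Control-Allow-Credentials "true"       always;
            add_header Access-Control-Allow-Methods     "GET, POST, PUT, DELETE, OPTIONS" always;
            add_header Access-Control-Allow-Headers     "Accept, Authorization, Cache-Control, Content-Type" always;
            add_header Access-Control-Max-Age           "600"        always;
            return 204;
        }

        proxy_pass http://127.0.0.1:4060;
    }
}
```

A request from https://evil.example gets no Access-Control-Allow-Origin header at all, so the browser refuses to hand the response to the page, while https://app.thatcoder.space gets its own origin echoed back and may send cookies.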

For SSL configuration

listen 443 ssl; # replaces listen 80

ssl_certificate /etc/nginx/certs/thatcoder.crt;
ssl_certificate_key /etc/nginx/certs/thatcoder.key;

Use Let's Encrypt (certbot) to obtain the certificate. Keep the private key readable by root only: the nginx master process reads it as root before dropping privileges, so the worker user never needs access.

Gzip configuration (compressing a dynamic response that contains a secret such as a CSRF token next to attacker-influenced input enables the BREACH attack, so apply this to static content and to responses that carry no secrets)

gzip on;
gzip_disable "msie6";

gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

Logging and log format (the standard combined format plus request_time and upstream_response_time, so slow backends show up in the access log)

log_format timed_combined '$remote_addr - $remote_user [$time_local] '
                          '"$request" $status $body_bytes_sent '
                          '"$http_referer" "$http_user_agent" '
                          '$request_time $upstream_response_time $pipe';

access_log /var/log/nginx/access.log timed_combined;
error_log /var/log/nginx/error.log;
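If the logs feed a SIEM or any detection pipeline, a structured format is easier to parse reliably than the space-separated one above. This is an added example (mine, not from the original page); the field names are my choice and it needs nginx 1.11.8 or newer for escape=json.

```nginx
# Added example, not from the original page. Requires nginx >= 1.11.8.
# escape=json guarantees one valid JSON object per line: a User-Agent or URI
# containing quotes, newlines or control bytes cannot break the line or
# forge a fake entry.
log_format json_combined escape=json
    '{'
        '"time":"$time_iso8601",'
        '"request_id":"$request_id",'       # per-request id; also send it upstream as a header to correlate backend logs
        '"remote_addr":"$remote_addr",'
        '"x_forwarded_for":"$http_x_forwarded_for",'   # client-supplied, keep it separate from remote_addr
        '"host":"$host",'
        '"method":"$request_method",'
        '"uri":"$request_uri",'             # raw, before normalisation, so ../ and encoded probes are visible
        '"status":$status,'
        '"bytes_sent":$body_bytes_sent,'
        '"referer":"$http_referer",'
        '"user_agent":"$http_user_agent",'
        '"request_time":$request_time,'
        '"upstream_time":"$upstream_response_time",'   # string: empty when no upstream was involved
        '"ssl_protocol":"$ssl_protocol",'   # empty on plain HTTP
        '"ssl_cipher":"$ssl_cipher"'
    '}';

access_log /var/log/nginx/access.json json_combined;
```

Logging $request_uri rather than $uri matters for detection: $uri is already normalised, so a path-traversal attempt like /static/../../etc/passwd would be logged as /etc/passwd and the probe itself would be invisible.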

To follow the access and error logs:

sudo tail -f /var/log/nginx/access.log
sudo tail -f /var/log/nginx/error.log

To redirect to another domain

server {
    listen 80;
    server_name request-from.com;
    # no slash before $request_uri: it already starts with "/", so adding one produces https://redirect-to.com//path
    return 301 https://redirect-to.com$request_uri;
}

301 is a permanent redirect (browsers cache it, so it is hard to undo); use 302 for a temporary one.

Redirecting /blog/url to https://blog.domain.com/url

location = /blog/url {
    # inside an exact-match location a rewrite regex is redundant; return is
    # explicit about the status (a rewrite to an absolute URL sends a 302)
    return 301 https://blog.domain.com/url;
}

other redirection hacks

location = /tag/blog/page/2/ {
    return 301 /blog/;
}

or

# anchor the regex: a bare /legal would also match /legal-notice and /foo/legal
rewrite ^/legal$ /privacy-policy permanent;

# to bypass the cache for requests carrying Cache-Control: no-cache, add this
# inside the location block (set alone does nothing; proxy_cache_bypass must read the variable)
set $nocache 0;
if ($http_cache_control ~* "no-cache") { set $nocache 1; }
proxy_cache_bypass $nocache;

Strict security rules - for an A+ grade in the SSL Labs benchmark (an A+ also needs an HSTS header, see below)

ssl_protocols TLSv1.2 TLSv1.3; # SSLv3 (POODLE) and TLS 1.0/1.1 (deprecated by RFC 8996) are off
ssl_prefer_server_ciphers on;
ssl_session_timeout 10m;
#ssl_ciphers ECDH-ECDSA-AES128-CBC-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-CBC-SHA384:ECDH-E$
#ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
# real OpenSSL names: the "-GCM-SHA512" suites do not exist, and OpenSSL silently drops unknown names from the list
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
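Putting the SSL configuration section and these strict rules together, here is a complete TLS server block as I would deploy it today (an added example, not the original author's config). The domain, the Let's Encrypt paths and the backend port are assumptions; the cipher names are real OpenSSL names and TLS 1.3 needs OpenSSL 1.1.1 or newer.

```nginx
# Added example, not from the original page. Assumed: thatcoder.space,
# certbot's default paths, backend on 127.0.0.1:4060, OpenSSL >= 1.1.1.
server {
    listen 80;
    server_name thatcoder.space;
    # Everything on plain HTTP goes to HTTPS ($request_uri already starts with "/").
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name thatcoder.space;

    ssl_certificate     /etc/letsencrypt/live/thatcoder.space/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/thatcoder.space/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); 1.2 and 1.3 only.
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2: only AEAD suites with forward secrecy, for both RSA and ECDSA certs.
    # TLS 1.3 suites are all AEAD and are not controlled by ssl_ciphers.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # With an all-AEAD list the client may choose (CHACHA20 is faster without AES-NI).
    ssl_prefer_server_ciphers off;
    ssl_ecdh_curve X25519:prime256v1:secp384r1;

    # Resumption via the server-side cache. Tickets are off because nginx keeps
    # one ticket key until restart, which weakens forward secrecy; the cost is
    # that TLS 1.3 clients cannot resume sessions.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS is what turns an A into an A+ at SSL Labs. Start with a short
    # max-age and no includeSubDomains until every subdomain serves HTTPS.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    location / {
        proxy_pass         http://127.0.0.1:4060;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

Check the result with `sudo nginx -t` before reloading, and then against the SSL Labs test; if the scan still reports a weak suite, it comes from the TLS 1.2 list above, since TLS 1.3 offers nothing weaker than AES-GCM or ChaCha20-Poly1305.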
