Introduction
Nginx (pronounced "engine-x") is a high-performance web server, reverse proxy, and load balancer. Originally created by Igor Sysoev in 2004, nginx has become one of the most popular web servers in the world due to its efficiency, stability, and low resource consumption.
Key Features
- High Performance: Can handle thousands of concurrent connections
- Low Memory Usage: Efficient resource utilization
- Reverse Proxy: Route requests to backend servers
- Load Balancing: Distribute traffic across multiple servers
- SSL/TLS Termination: Handle encrypted connections
- Static File Serving: Excellent for serving static content
- HTTP Caching: Built-in caching capabilities
Installation
Ubuntu/Debian
sudo apt update
sudo apt install nginx
CentOS/RHEL/Fedora
# CentOS/RHEL
sudo yum install nginx
# Fedora
sudo dnf install nginx
macOS (using Homebrew)
brew install nginx
Starting and Enabling Nginx
# Start nginx
sudo systemctl start nginx
# Enable nginx to start on boot
sudo systemctl enable nginx
# Check status
sudo systemctl status nginx
Basic Configuration
Configuration File Structure
Nginx configuration files are typically located at:
- Main config:
/etc/nginx/nginx.conf - Site configs:
/etc/nginx/sites-available/and/etc/nginx/sites-enabled/ - Additional configs:
/etc/nginx/conf.d/
Basic nginx.conf Structure
# Main context
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Events context
events {
worker_connections 1024;
use epoll;
}
# HTTP context
http {
# MIME types and basic settings
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Logging
access_log /var/log/nginx/access.log;
# Performance settings
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
# Include additional configurations
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
Common Use Cases
1. Static Web Server
Create a configuration file for serving static content:
server {
listen 80;
server_name example.com www.example.com;
root /var/www/html;
index index.html index.htm;
location / {
try_files $uri $uri/ =404;
}
# Optimize static file serving
location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg)$ {
expires 1y;
add_header Cache-Control "public, immutable";
}
}
2. Reverse Proxy
Route requests to a backend application server:
server {
listen 80;
server_name api.example.com;
location / {
proxy_pass http://localhost:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
3. Load Balancer
Distribute traffic across multiple backend servers:
upstream backend {
server 192.168.1.10:8080;
server 192.168.1.11:8080;
server 192.168.1.12:8080;
}
server {
listen 80;
server_name app.example.com;
location / {
proxy_pass http://backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
4. SSL/HTTPS Configuration
Configure SSL termination with Let's Encrypt certificates:
server {
listen 80;
server_name example.com www.example.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name example.com www.example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# Modern SSL configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
root /var/www/html;
index index.html;
location / {
try_files $uri $uri/ =404;
}
}
Advanced Configurations
Rate Limiting
Protect your server from abuse:
http {
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
server {
listen 80;
server_name api.example.com;
location /api/ {
limit_req zone=api burst=20 nodelay;
proxy_pass http://backend;
}
}
}
Caching
Implement HTTP caching:
http {
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=10g
inactive=60m use_temp_path=off;
server {
listen 80;
server_name example.com;
location / {
proxy_cache my_cache;
proxy_cache_valid 200 302 10m;
proxy_cache_valid 404 1m;
proxy_pass http://backend;
}
}
}
Compression
Enable gzip compression:
http {
gzip on;
gzip_vary on;
gzip_min_length 1024;
gzip_types
text/plain
text/css
text/xml
text/javascript
application/javascript
application/xml+rss
application/json;
}
Security Best Practices
Hide Nginx Version
http {
server_tokens off;
}
Security Headers
server {
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
}
IP Restriction
location /admin {
allow 192.168.1.0/24;
allow 10.0.0.0/8;
deny all;
}
Common Commands
Testing Configuration
# Test configuration syntax
sudo nginx -t
# Test configuration and show details
sudo nginx -T
Reloading Configuration
# Reload configuration without downtime
sudo systemctl reload nginx
# Or using nginx command
sudo nginx -s reload
Managing Service
# Start nginx
sudo systemctl start nginx
# Stop nginx
sudo systemctl stop nginx
# Restart nginx
sudo systemctl restart nginx
# Check status
sudo systemctl status nginx
Troubleshooting
Check Logs
# Error logs
sudo tail -f /var/log/nginx/error.log
# Access logs
sudo tail -f /var/log/nginx/access.log
Common Issues
Permission Denied (403 Forbidden)
- Check file permissions:
chmod 644 filesandchmod 755 directories - Verify nginx user has access to the document root
- Check SELinux settings if applicable
Connection Refused
- Verify nginx is running:
systemctl status nginx - Check if the port is being used:
netstat -tlnp | grep :80 - Review firewall settings
Configuration Errors
- Always test configuration before reloading:
nginx -t - Check for syntax errors in configuration files
- Verify file paths exist and are accessible
Performance Tuning
Worker Processes and Connections
# Set to number of CPU cores
worker_processes auto;
events {
# Increase for high-traffic sites
worker_connections 2048;
use epoll;
multi_accept on;
}
Buffer Sizes
http {
client_body_buffer_size 10K;
client_header_buffer_size 1k;
client_max_body_size 8m;
large_client_header_buffers 2 1k;
}
Timeouts
http {
client_body_timeout 12;
client_header_timeout 12;
keepalive_timeout 15;
send_timeout 10;
}
Monitoring
Basic Monitoring with Stub Status
server {
listen 80;
server_name localhost;
location /nginx_status {
stub_status on;
allow 127.0.0.1;
deny all;
}
}
Log Analysis
Use tools like GoAccess for log analysis:
goaccess /var/log/nginx/access.log --log-format=COMBINED
Conclusion
Nginx is a powerful and flexible web server that can handle various scenarios from simple static file serving to complex load balancing setups. The key to mastering nginx is understanding its configuration structure and gradually building up complexity as needed.
Start with basic configurations and progressively add features like SSL, caching, and security headers. Always test your configurations before applying them to production, and monitor your server's performance to ensure optimal operation.
For production deployments, consider implementing proper monitoring, logging, and backup strategies to maintain a robust web infrastructure.
Feel free to share your thoughts and criticize this article, if you find any inconvenience! Cheers
Top comments (0)