{"id":42871141,"url":"https://github.com/lasseh/nginx-conf","last_synced_at":"2026-01-30T13:00:48.505Z","repository":{"id":76161714,"uuid":"324801209","full_name":"lasseh/nginx-conf","owner":"lasseh","description":"Production-ready nginx configuration with HTTP/3, security hardening, and performance optimization. Enterprise-grade setup for modern web deployments.","archived":false,"fork":false,"pushed_at":"2025-11-03T18:10:37.000Z","size":195,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-11-03T20:19:32.523Z","etag":null,"topics":["api-gateway","configuration","devops","docker","http3","kubernetes","nginx","performance","production","reverse-proxy","security","server","ssl","sysadmin","tls","web-server"],"latest_commit_sha":null,"homepage":null,"language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lasseh.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/SECURITY-CHECKLIST.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-12-27T16:23:14.000Z","updated_at":"2025-11-03T18:10:41.000Z","dependencies_parsed_at":"2024-02-18T09:23:20.001Z","dependency_job_id":"21a53261-be67-422c-81b0-ce9fd8dcb9d0","html_url":"https://github.com/lasseh/nginx-conf","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/lasseh/nginx-conf","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lasseh%2Fnginx-conf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lasseh%2Fnginx-conf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lasseh%2Fnginx-conf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lasseh%2Fnginx-conf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lasseh","download_url":"https://codeload.github.com/lasseh/nginx-conf/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lasseh%2Fnginx-conf/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28913285,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-30T12:13:43.263Z","status":"ssl_error","status_checked_at":"2026-01-30T12:13:22.389Z","response_time":66,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api-gateway","configuration","devops","docker","http3","kubernetes","nginx","performance","production","reverse-proxy","security","server","ssl","sysadmin","tls","web-server"],"created_at":"2026-01-30T13:00:32.987Z","updated_at":"2026-01-30T13:00:48.485Z","avatar_url":"https://github.com/lasseh.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Modern Nginx Configuration\n\nProduction-ready, modular nginx configuration for secure and performant web hosting. Battle-tested architecture suitable for single sites, multi-domain hosting, microservices, and API gateways.\n\n## ✨ Features\n\n### Security First\n- **Modern TLS** - TLS 1.2/1.3 only, Mozilla Intermediate profile\n- **Security Headers** - HSTS, CSP, X-Frame-Options, X-Content-Type-Options\n- **Rate Limiting** - Per-endpoint DDoS protection\n- **Secure Defaults** - Server tokens off, deny dangerous files, HTTPS-only\n\n### Performance Optimized\n- **HTTP/2** - Multiplexed connections for faster load times\n- **Gzip Compression** - Optimized static asset delivery\n- **Connection Pooling** - Keepalive and upstream connection optimization\n- **Smart Caching** - Configurable cache strategies for static and dynamic content\n\n### Modular Architecture\n- **Reusable Snippets** - DRY configuration with include files\n- **Separation of Concerns** - Global configs, site configs, security headers\n- **Template Library** - 11 production-ready site templates\n- **Easy Customization** - Clear documentation and examples\n\n## 📁 Directory Structure\n\n```\n/etc/nginx/\n├── nginx.conf                  # Main configuration file\n│\n├── conf.d/                     # Global HTTP-level configurations\n│   ├── logformat.conf          # Custom log formats\n│   ├── maps.conf               # WebSocket upgrade mapping\n│   ├── mime.types              # MIME type definitions\n│   ├── performance.conf        # Performance tuning\n│   ├── proxy.conf              # Proxy timeout and buffering defaults\n│   ├── security.conf           # Global security settings\n│   └── tls-intermediate.conf   # SSL/TLS configuration\n│\n├── snippets/                   # Reusable configuration blocks\n│   ├── deny-files.conf         # Block access to sensitive files\n│   ├── error-pages.conf        # Custom error pages (502, 503, 504)\n│   ├── gzip.conf               # Compression settings\n│   ├── letsencrypt.conf        # ACME challenge support\n│   ├── proxy-headers.conf      # Standard proxy headers\n│   ├── rate-limiting.conf      # Rate limit configurations\n│   ├── security-headers.conf   # Common security headers\n│   ├── static-files.conf       # Static asset caching\n│   └── stub-status.conf        # Nginx status endpoint\n│\n├── sites-available/            # Site configuration templates\n│   ├── api-gateway.example.com.conf    # Microservices API gateway\n│   ├── development.conf                 # Local development\n│   ├── docker-compose.conf             # Container routing\n│   ├── example-site.com.conf           # Full-featured multi-subdomain\n│   ├── grafana.example.com.conf        # Grafana monitoring\n│   ├── librenms.example.com.conf       # LibreNMS network monitoring\n│   ├── load-balancer.conf              # Multi-server load balancing\n│   ├── netbox.example.com.conf         # NetBox IPAM\n│   ├── reverse-proxy.conf              # Simple reverse proxy\n│   ├── static-site.conf                # Static HTML/SPA\n│   └── wordpress.conf                  # WordPress with PHP-FPM\n│\n├── sites-enabled/              # Active site configurations (symlinks)\n│   ├── defaults-80.conf        # HTTP default server (HTTPS redirect)\n│   └── defaults-443.conf       # HTTPS default server (close invalid requests)\n│\n├── sites-security/             # Per-site security headers (CSP, etc)\n│   ├── example-site.com.conf\n│   └── whynoipv6.com.conf\n│\n├── html/errors/                # Custom error pages\n│   ├── 502.html                # Bad Gateway (backend down)\n│   ├── 503.html                # Service Unavailable (maintenance)\n│   └── 504.html                # Gateway Timeout (backend slow)\n│\n└── examples/                   # Reference configurations\n    ├── sse-example.conf        # Server-Sent Events\n    └── websocket-example.conf  # WebSocket support\n```\n\n## 🚀 Quick Start\n\n### 1. Installation\n\n**Ubuntu/Debian:**\n```bash\nsudo apt update\nsudo apt install nginx\n```\n\n**CentOS/RHEL:**\n```bash\nsudo yum install nginx\n```\n\n### 2. Deploy Configuration\n\n```bash\n# Clone repository\ngit clone https://github.com/lasseh/nginx-conf.git\ncd nginx-conf\n\n# Backup existing nginx config\nsudo mv /etc/nginx /etc/nginx.backup\n\n# Deploy this configuration\nsudo cp -r . /etc/nginx/\n\n# Test configuration\nsudo nginx -t\n\n# Start nginx\nsudo systemctl start nginx\nsudo systemctl enable nginx\n```\n\n### 3. Create Your First Site\n\n```bash\n# Copy template\nsudo cp /etc/nginx/sites-available/static-site.conf /etc/nginx/sites-available/mysite.com.conf\n\n# Edit configuration\nsudo nano /etc/nginx/sites-available/mysite.com.conf\n# Update: server_name, ssl_certificate paths, root directory\n\n# Obtain SSL certificate\nsudo certbot certonly --webroot \\\n  -d mysite.com -d www.mysite.com \\\n  -w /var/www/_letsencrypt \\\n  --email your@email.com -n --agree-tos\n\n# Enable site\nsudo ln -s /etc/nginx/sites-available/mysite.com.conf /etc/nginx/sites-enabled/\n\n# Test and reload\nsudo nginx -t \u0026\u0026 sudo nginx -s reload\n```\n\n## 📚 Documentation\n\n### Core Guides\n- **[Sites Available Guide](docs/SITES-AVAILABLE-GUIDE.md)** - Complete reference for all 11 site templates\n- **[Security Checklist](docs/SECURITY-CHECKLIST.md)** - Security hardening guide\n\n### Specific Use Cases\n- **[API Gateway Setup](docs/API-GATEWAY-SETUP.md)** - Microservices routing configuration\n- **[API Gateway Diagram](docs/API-GATEWAY-DIAGRAM.md)** - Architecture visualization\n- **[Best Practice Site Setup](docs/BEST-PRACTICE-SITE-SETUP.md)** - Multi-subdomain configuration\n- **[Monitoring Setup](docs/MONITORING-SETUP.md)** - Logging and health checks\n\n## 🎯 Common Use Cases\n\n### Static Website or SPA (React, Vue, Angular)\n```bash\nsudo cp sites-available/static-site.conf sites-available/yoursite.com.conf\n# Edit configuration, enable site, reload nginx\n```\n\n### Reverse Proxy (Node.js, Python, Go Backend)\n```bash\nsudo cp sites-available/reverse-proxy.conf sites-available/yoursite.com.conf\n# Update upstream backend, enable site, reload nginx\n```\n\n### API Gateway (Microservices)\n```bash\nsudo cp sites-available/api-gateway.example.com.conf sites-available/api.yoursite.com.conf\n# Configure service routing, enable site, reload nginx\n```\n\n### WordPress Site\n```bash\nsudo cp sites-available/wordpress.conf sites-available/yoursite.com.conf\n# Update database and PHP-FPM settings, enable site, reload nginx\n```\n\n### Docker Compose Services\n```bash\nsudo cp sites-available/docker-compose.conf sites-available/yoursite.com.conf\n# Configure container routing, enable site, reload nginx\n```\n\n## 🔒 Security Features\n\n### Built-in Protection\n- ✅ HTTPS-only (automatic HTTP→HTTPS redirect)\n- ✅ HSTS with 2-year max-age\n- ✅ Modern TLS configuration (Mozilla Intermediate)\n- ✅ Security headers (X-Frame-Options, CSP, etc)\n- ✅ Rate limiting zones (API, general)\n- ✅ Dangerous file blocking (.git, .env, .htaccess)\n- ✅ Default servers catch invalid requests\n\n### Optional Enhancements\n- IP whitelisting for admin areas\n- Basic authentication\n- Client certificate authentication\n- ModSecurity WAF integration\n- Fail2ban integration\n\n## ⚡ Performance Features\n\n### Optimizations Included\n- ✅ HTTP/2 enabled\n- ✅ Gzip compression\n- ✅ Static file caching with immutable headers\n- ✅ Connection keepalive and pooling\n- ✅ Upstream keepalive connections\n- ✅ Sendfile and tcp_nopush enabled\n- ✅ Worker process tuning\n\n### Additional Optimizations\n- Proxy caching for dynamic content\n- FastCGI caching for PHP\n- Microcaching strategies\n- CDN integration\n\n## 🧪 Testing\n\n### Configuration Syntax\n```bash\n# Test nginx configuration\nsudo nginx -t\n```\n\n### Site Functionality\n```bash\n# Test HTTP to HTTPS redirect\ncurl -I http://yoursite.com\n\n# Test HTTPS\ncurl -I https://yoursite.com\n\n# Test security headers\ncurl -I https://yoursite.com | grep -E \"(Strict-Transport|X-Frame|X-Content)\"\n\n# Test compression\ncurl -H \"Accept-Encoding: gzip\" -I https://yoursite.com\n```\n\n### Load Testing\n```bash\n# Apache Bench\nab -n 1000 -c 10 https://yoursite.com/\n\n# wrk\nwrk -t4 -c100 -d30s https://yoursite.com/\n```\n\n## 🛠 Customization\n\n### Adding a New Site\n1. Choose appropriate template from `sites-available/`\n2. Copy to new filename: `yoursite.com.conf`\n3. Edit: `server_name`, SSL paths, backend upstreams\n4. Create security headers: `sites-security/yoursite.com.conf` (if needed)\n5. Obtain SSL certificate with certbot\n6. Create symlink: `ln -s ../sites-available/yoursite.com.conf sites-enabled/`\n7. Test: `nginx -t`\n8. Reload: `nginx -s reload`\n\n### Modifying Global Settings\n- **Performance**: Edit `conf.d/performance.conf`\n- **Security**: Edit `conf.d/security.conf`\n- **TLS**: Edit `conf.d/tls-intermediate.conf`\n- **Logging**: Edit `conf.d/logformat.conf`\n\nChanges to `conf.d/` affect ALL sites.\n\n### Creating Reusable Snippets\nPlace in `snippets/` and include in location blocks:\n```nginx\nlocation /api/ {\n    include snippets/proxy-headers.conf;\n    include snippets/rate-limiting.conf;\n    proxy_pass http://backend;\n}\n```\n\n## 📊 Monitoring\n\n### Health Checks\n```bash\n# Nginx status (localhost only)\ncurl http://localhost/nginx-status\n\n# Backend health\ncurl https://yoursite.com/health\n```\n\n### Log Analysis\n```bash\n# Watch access logs\nsudo tail -f /var/log/nginx/access.log\n\n# Watch error logs\nsudo tail -f /var/log/nginx/error.log\n\n# Check for errors\nsudo grep -E \"error|warn\" /var/log/nginx/error.log\n```\n\n### Integration\n- Prometheus + nginx-prometheus-exporter\n- Grafana dashboards\n- ELK stack (Elasticsearch, Logstash, Kibana)\n- Custom monitoring scripts\n\n## 🐛 Troubleshooting\n\n### Configuration Errors\n```bash\n# Test syntax\nsudo nginx -t\n\n# Check error log\nsudo tail -50 /var/log/nginx/error.log\n```\n\n### SSL/TLS Issues\n```bash\n# Verify certificate\nsudo openssl x509 -in /etc/letsencrypt/live/yoursite.com/cert.pem -noout -dates\n\n# Test SSL connection\nopenssl s_client -connect yoursite.com:443 -servername yoursite.com\n```\n\n### Permission Issues\n```bash\n# Check nginx user\nps aux | grep nginx\n\n# Fix permissions\nsudo chown -R nginx:nginx /var/www/yoursite\nsudo chmod -R 755 /var/www/yoursite\n```\n\n### Backend Connection Issues\n```bash\n# Test backend directly\ncurl -I http://127.0.0.1:3000\n\n# Check firewall\nsudo ufw status\n\n# Check SELinux (CentOS/RHEL)\nsudo setsebool -P httpd_can_network_connect 1\n```\n\n## 🔄 Updates and Maintenance\n\n### Reloading Configuration\n```bash\n# Graceful reload (no downtime)\nsudo nginx -s reload\n\n# Restart (brief downtime)\nsudo systemctl restart nginx\n```\n\n### Renewing SSL Certificates\n```bash\n# Certbot automatic renewal (runs via cron/systemd timer)\nsudo certbot renew\n\n# Manual renewal\nsudo certbot renew --force-renewal\n\n# Test renewal process\nsudo certbot renew --dry-run\n```\n\n### Updating Nginx\n```bash\n# Ubuntu/Debian\nsudo apt update \u0026\u0026 sudo apt upgrade nginx\n\n# CentOS/RHEL\nsudo yum update nginx\n\n# After update, test and reload\nsudo nginx -t \u0026\u0026 sudo systemctl reload nginx\n```\n\n## 📖 Architecture Philosophy\n\nThis configuration follows these principles:\n\n1. **Security by Default** - HTTPS everywhere, secure headers, rate limiting\n2. **Separation of Concerns** - Global configs, site configs, security headers in separate files\n3. **DRY (Don't Repeat Yourself)** - Reusable snippets for common patterns\n4. **Explicit Over Implicit** - Clear configuration over magic defaults\n5. **Performance Minded** - Optimized but not over-optimized\n6. **Production Ready** - Tested patterns suitable for real-world use\n\n### Configuration Hierarchy\n```\nnginx.conf (main)\n  ↓\nconf.d/* (global HTTP-level settings)\n  ↓\nsites-enabled/* (site-specific servers)\n  ↓\nsnippets/* (reusable location blocks)\n```\n\n## 🤝 Contributing\n\nIssues and pull requests welcome! Please ensure:\n- Configuration tested with `nginx -t`\n- Documentation updated\n- Security best practices followed\n- Comments explain \"why\" not just \"what\"\n\n## 📄 License\n\nMIT License - Use freely in personal and commercial projects\n\n## 🙏 Credits\n\nBuilt on nginx best practices from:\n- [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/)\n- [OWASP Secure Headers Project](https://owasp.org/www-project-secure-headers/)\n- [Nginx documentation](https://nginx.org/en/docs/)\n\n---\n\n**Need help?** Check the [documentation](docs/) or open an issue on GitHub.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flasseh%2Fnginx-conf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flasseh%2Fnginx-conf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flasseh%2Fnginx-conf/lists"}