Nginx Config Generator

Generate nginx server block configurations with SSL, gzip compression, security headers, rate limiting, and reverse proxy support. 100% client side.

About Nginx Configuration

Nginx is a high-performance HTTP server and reverse proxy. Server blocks (similar to Apache virtual hosts) define how Nginx handles requests for specific domains.

Generated Config Includes

  • SSL/TLS: TLS 1.2/1.3, strong cipher suite, HSTS, OCSP stapling
  • Gzip: Compression for text, CSS, JS, JSON, XML, and more
  • Security Headers: X-Frame-Options, X-Content-Type-Options, XSS Protection, Referrer-Policy, CSP
  • Rate Limiting: Zone-based request limiting with burst handling
  • Static Assets: Cache-Control headers for images, CSS, JS, fonts

After Generating

  • Save to /etc/nginx/sites-available/
  • Symlink to /etc/nginx/sites-enabled/
  • Test with nginx -t before reloading
  • Reload with sudo systemctl reload nginx

Nginx Configs That Don't Need a Senior to Review

Nginx is in front of most production web traffic in 2026: load balancing, reverse-proxying, TLS termination, static asset serving, rate limiting, security headers. Its configuration language is terse and powerful, but small mistakes (a forgotten proxy_pass trailing slash, a missing ssl_protocols line) translate into outages or vulnerabilities. This generator builds the common patterns correctly so you can fork from a working baseline.

Patterns this tool emits

  • Reverse proxy with proper headers (X-Real-IP, X-Forwarded-For, X-Forwarded-Proto).
  • HTTPS redirect with HSTS preload-eligible headers.
  • TLS configuration with Mozilla "Modern" cipher list and HTTP/2.
  • Static file serving with cache-control, gzip/brotli, ETag.
  • Rate limiting with limit_req_zone.
  • WebSocket upgrade support (proxy_set_header Upgrade).
  • Security headers (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy).

The mistakes everyone makes once

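  • Trailing slash on proxy_pass. proxy_pass http://backend; and proxy_pass http://backend/; behave differently. With the trailing slash, the matched location prefix is stripped before the request is sent upstream; without it, the original request URI is passed unchanged.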
  • Forgetting proxy_set_header Host. Without it, the upstream sees Nginx's host, not the client's. Breaks virtual-hosted apps.
  • Not setting X-Forwarded-Proto. The upstream thinks every request is HTTP, even when the client used HTTPS. Causes mixed-content bugs and broken redirects.
  • Default client_max_body_size. 1 MB. Uploads above that get a 413 with no app log entry. Set explicitly.
  • Default proxy_buffer_size. Often too small for large auth headers or set-cookie flurries. proxy_buffers 8 16k; is a reasonable bump.
  • HTTP/2 without ALPN. Nginx ≥ 1.13.10 needs listen 443 ssl http2; and an ALPN-capable OpenSSL build.
  • Reusing worker_connections default. 512 is too low for any real traffic. 4096 or 8192 is more typical.

Security hygiene

  • Disable server_tokens so Nginx doesn't advertise its version.
  • Set ssl_protocols TLSv1.2 TLSv1.3; — drop everything older.
  • Set ssl_prefer_server_ciphers off; for TLS 1.3 (it's purely client-driven).
  • Add HSTS only after you're confident about HTTPS — it's a one-way commitment.
  • Rate-limit /api/login and other auth endpoints with limit_req_zone.
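
The proxy and hygiene points from the two lists above, combined into one configuration. This is an added example, not output captured from the generator; example.com, the backend address, the certificate paths and the 20m and 5r/s limits are assumed values.

```nginx
# Added example: all names, addresses, paths and limits below are placeholders.
# Everything here belongs inside the http {} context.

server_tokens off;                         # do not advertise the Nginx version

# 10 MB shared zone keyed by client address, 5 requests/second per client
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/s;

upstream backend { server 127.0.0.1:8080; }

server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;  # only the scheme changes
}

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    client_max_body_size 20m;              # default is 1 MB; larger bodies get 413

    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # No URI on proxy_pass: /api/users reaches the upstream as /api/users
    location /api/ {
        proxy_pass http://backend;
    }

    # URI "/" on proxy_pass: /files/a.txt reaches the upstream as /a.txt
    location /files/ {
        proxy_pass http://backend/;
    }

    # Exact-match auth endpoint with its own limit; excess requests are rejected
    location = /api/login {
        limit_req zone=login burst=10 nodelay;
        proxy_pass http://backend;
    }
}
```

The server-level proxy_set_header lines are inherited by a location only if that location defines no proxy_set_header of its own, so adding one header inside a location means repeating all four there.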

For broader infrastructure security, see our IAM permission boundaries guide.

Frequently Asked Questions

How do I redirect HTTP to HTTPS in Nginx?

Add a server block listening on port 80 with "return 301 https://$host$request_uri;". This changes only the protocol and keeps the requested host and path, so the redirect does not land on a mismatched directory.

What is the difference between proxy_pass http://backend; and proxy_pass http://backend/;?

Without the trailing slash, the request URI, including the part matched by the location, is passed to the upstream unchanged. With the trailing slash, the part matched by the location is stripped.

Should I enable HTTP/3 / QUIC?

Yes, if you run Nginx 1.25+ and your TLS library supports it. The latency gains for mobile clients are substantial. On older versions it is not safe to enable.

Why is my upload failing with 413 Request Entity Too Large?

The client_max_body_size default is 1 MB. Set it explicitly in your http or server block based on your upload requirements.