Common Configs
Here are some common Nginx configuration snippets for reverse proxy scenarios, along with configurations for some well-known web applications.
Usage
- Each example can be placed inside a server block within /etc/nginx/sites-available/ and symlinked to /etc/nginx/sites-enabled/. For example, to enable an existing Nginx configuration called /etc/nginx/sites-available/auth.aadya.tech
- If required, ensure SSL certificates are already present on the reverse proxy instance with the appropriate permissions.
- Test the configuration and then reload Nginx for changes to be applied.
Info
nginx -s reload sends a HUP signal instructing Nginx to reload the configuration without restarting Nginx.
systemctl restart nginx also works, but it restarts the Nginx service, resulting in a few seconds of downtime.
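The usage steps above as a script, added here as an example and not taken from the original page: it refuses to enable a site whose ssl_certificate_key file is readable by group or others, tests the configuration, and removes the symlink it created if the test fails. The function names and the NGINX, AVAIL and ENABLED variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Function names and the
# NGINX, AVAIL and ENABLED variables are assumptions for this sketch.
NGINX=${NGINX:-nginx}
AVAIL=${AVAIL:-/etc/nginx/sites-available}
ENABLED=${ENABLED:-/etc/nginx/sites-enabled}

# Succeeds only if the key file exists and grants nothing to group or other.
key_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print every ssl_certificate_key path named in a site file.
site_keys() {
    awk '$1 == "ssl_certificate_key" { sub(/;$/, "", $2); print $2 }' "$1"
}

# Enable a site: check key permissions, symlink, test, then reload.
enable_site() {
    site=$1; created=0
    [ -f "$AVAIL/$site" ] || { echo "missing: $AVAIL/$site" >&2; return 1; }
    for key in $(site_keys "$AVAIL/$site"); do
        key_perms_ok "$key" || { echo "bad key permissions: $key" >&2; return 1; }
    done
    if [ ! -L "$ENABLED/$site" ]; then
        ln -s "$AVAIL/$site" "$ENABLED/$site" || return 1
        created=1
    fi
    if ! "$NGINX" -t; then
        # Do not leave a newly enabled, broken configuration behind.
        [ "$created" -eq 1 ] && rm -f "$ENABLED/$site"
        return 1
    fi
    "$NGINX" -s reload
}
```

Call it as enable_site auth.aadya.tech after sourcing the file; a site that was already enabled before the call keeps its symlink when the test fails.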
Generic Nginx Configurations
Basic HTTP Reverse Proxy
Forwards requests to a single backend.
This example proxies incoming requests for aadya.tech to an internal web server at http://10.12.20.21:8080.
server {
    listen 80;
    server_name aadya.tech;

    location / {
        proxy_pass http://10.12.20.21:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
HTTPS with Redirect
Terminate TLS at Nginx and redirect port 80 to HTTPS.
This example first redirects HTTP requests to HTTPS and then proxies incoming requests for aadya.tech to an internal web server at http://10.12.20.21:8080. An SSL certificate must be installed on the Nginx instance for this configuration.
server {
    listen 80;
    server_name aadya.tech;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name aadya.tech;

    ssl_certificate /etc/ssl/certs/aadya.tech.crt;
    ssl_certificate_key /etc/ssl/private/aadya.tech.key;

    location / {
        proxy_pass http://10.12.20.21:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Load Balancing (Round-Robin)
Distribute traffic across multiple app servers.
This example proxies incoming requests for aadya.tech to two internal web servers at http://10.12.20.21:8080 and http://10.12.20.22:8080 in a round-robin fashion.
upstream backend_pool {
    server 10.12.20.21:8080;
    server 10.12.20.22:8080;
    keepalive 16;
}

server {
    listen 80;
    server_name app.aadya.tech;

    location / {
        proxy_pass http://backend_pool;
        proxy_http_version 1.1;
        # Clear the Connection header; otherwise Nginx sends "Connection: close"
        # to the backend and the upstream keepalive pool is never used.
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Application Specific Configs
Vaultwarden
upstream vaultwarden {
    zone vaultwarden 64k;
    server 10.12.20.51:8000;
    keepalive 2;
}

# Enable Websocket Support
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' "";
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name vault.aadya.tech;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name vault.aadya.tech;

    # SSL Configuration
    ssl_certificate /etc/ssl/certs/aadya.tech.crt;
    ssl_certificate_key /etc/ssl/private/aadya.tech.key;

    client_max_body_size 525M;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    location / {
        proxy_pass http://vaultwarden;
    }
}