Configuring High‑Performance Static Sites with Nginx: Caching, Gzip, CORS and Anti‑Hotlinking
This article explains how to configure Nginx for high‑performance static websites by setting up proper caching, gzip compression, cross‑origin resource sharing and anti‑hotlinking rules, and also includes a brief promotional segment for AI‑related products and services.
Overview – The author summarizes four practical Nginx settings—cache, gzip, CORS and anti‑hotlinking—encountered during production, aiming to help readers improve site performance and security.
Cache – By configuring appropriate cache headers (Expires and Cache‑Control) browsers can reuse resources, reducing latency. Example configuration:
location ~* \.(jpg|jpeg|png|gif)$ {
    expires 30d;   # sets both Expires and Cache-Control: max-age=2592000 (30 days)
}
The article explains the cache workflow: on the first request the server responds with cache headers; on subsequent requests the browser checks its local copy, tests the expiration (Expires) and, if needed, sends the validation tokens (ETag, Last‑Modified) to the server. A 304 Not Modified answer means the cached copy is still valid and is reused; otherwise fresh data is fetched.
Cache Header Details – Cache‑Control overrides Expires. A positive max-age (e.g., max-age=86400) enables strong caching, so the browser reuses the copy without contacting the server until it expires, while no‑cache forces revalidation on every use.
Gzip Module – Enabling gzip reduces response size and speeds up page loads. Sample configuration:
location ~ \.(jpg|gif|png|js)$ {   # the original pattern lacked the escaped dot, so any name ending in "js" matched
    gzip on;
    gzip_http_version 1.1;
    gzip_comp_level 2;   # 1-9, higher = more compression (and more CPU per response)
    # JPEG, GIF and PNG are already compressed formats; gzipping them saves almost nothing
    gzip_types text/plain application/javascript text/css application/xml image/jpeg image/gif image/png;
}
CORS and Anti‑Hotlinking – To allow legitimate cross‑origin requests and prevent unauthorized use of static assets, the article shows how to add appropriate Access‑Control‑Allow‑Origin, Access‑Control‑Allow‑Methods and Access‑Control‑Allow‑Headers headers, as well as how to validate the Referer header to block hotlinking.
# Browsers accept exactly one origin (or '*') in Access-Control-Allow-Origin, so a
# space-separated list is rejected. Select the matching origin with a map (http context);
# when $cors_origin is empty nginx omits the header entirely.
map $http_origin $cors_origin {
    default              "";
    "http://stark1.com"  $http_origin;
    "https://stark2.com" $http_origin;
}
server {
    listen 80;
    server_name www.stark.com;
    location / {
        add_header 'Access-Control-Allow-Origin' $cors_origin always;
        add_header 'Vary' 'Origin';   # the response differs per Origin, so caches must key on it
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'User-Agent,Keep-Alive,Content-Type';
        add_header 'Access-Control-Max-Age' 1728000;
        if ($request_method = 'OPTIONS') {
            # Preflight: answer with the same restricted origin, not '*', or the allow-list is bypassed
            add_header 'Access-Control-Allow-Origin' $cors_origin;
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'User-Agent,Keep-Alive,Content-Type';
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain; charset=UTF-8';
            add_header 'Content-Length' 0;
            return 204;
        }
    }
}
server {
    listen 80;
    server_name yourdomain.com;
    location / {
        root /path/to/your/files;
        # Accept: no Referer, a Referer mangled by a proxy/firewall, this server's names, *.yourdomain.com
        valid_referers none blocked server_names *.yourdomain.com;
        # Referer is client-supplied: this stops casual hotlinking, not a client that omits or forges it
        if ($invalid_referer) { return 403; }
    }
}
These settings restrict cross‑origin responses to the listed origins and reject requests whose Referer does not match. Because the Referer header is supplied by the client, the check deters casual hotlinking rather than a deliberately crafted client, and with none in the list a request that carries no Referer at all is still served.
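As an added example that is not part of the article, the following Python models the two decisions the configuration above makes: which origin (if any) the CORS map echoes back, and whether nginx's valid_referers would set $invalid_referer. The server and origin names are the article's hypothetical ones; the Referer logic is an approximation (URI prefixes in patterns are not modelled).

```python
from urllib.parse import urlsplit

# Constructed to mirror the article's configuration (hypothetical names).
SERVER_NAMES = ["yourdomain.com"]
VALID_REFERERS = ["none", "blocked", "server_names", "*.yourdomain.com"]
ALLOWED_ORIGINS = {"http://stark1.com", "https://stark2.com"}


def cors_origin_for(origin):
    """Mirror `map $http_origin $cors_origin`: echo the Origin back only when it is
    on the allow-list, otherwise '' (nginx then omits the header)."""
    return origin if origin in ALLOWED_ORIGINS else ""


def _host_matches(host, pattern):
    """nginx-style name match: '*' at start or end is a wildcard, case-insensitive."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])   # *.yourdomain.com matches img.yourdomain.com
    if pattern.endswith("*"):
        return host.startswith(pattern[:-1])
    return host == pattern


def referer_is_valid(referer, valid=VALID_REFERERS, server_names=SERVER_NAMES):
    """Approximate nginx's decision for `valid_referers ...`.
    Returns True when $invalid_referer would be empty (no 403)."""
    if referer is None:
        return "none" in valid              # no Referer header at all
    low = referer.lower()
    if not (low.startswith("http://") or low.startswith("https://")):
        return "blocked" in valid           # present but stripped/mangled by a proxy or firewall
    host = urlsplit(referer).hostname or ""  # .hostname drops the port, as nginx does
    for pattern in valid:
        if pattern in ("none", "blocked"):
            continue
        names = server_names if pattern == "server_names" else [pattern]
        if any(_host_matches(host, n) for n in names):
            return True
    return False
```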
Promotional Section – The latter part of the article advertises a paid AI product bundle (DeepSeek scenario collection, ChatGPT accounts, tutorials, etc.) with pricing details, discount coupons, and links to join a community. While promotional, it is clearly separated from the technical tutorial.
Top Architect
Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.