BestHub
Sign in
Operations 8 min read

Master NGINX Config: Visual Generator, Features, and Full Sample Configurations

This article introduces the NGINX Config visual generator, outlines its key features such as high‑performance static handling, reverse proxy, load balancing, and security options, and provides complete example configuration files with detailed code snippets for main, site, PHP, and security settings.

Open Source Tech Hub
Open Source Tech Hub
Open Source Tech Hub
Master NGINX Config: Visual Generator, Features, and Full Sample Configurations

NGINX Config

NGINX Config is a powerful NGINX configuration file generator that claims to be the only tool needed to configure an NGINX server.

Project address: https://github.com/digitalocean/nginxconfig.io

NGINX Features

High‑efficiency static content handling : NGINX can serve a large number of static file requests with minimal resources.

Excellent reverse proxy capability : As a reverse proxy, NGINX balances backend server load, improving overall performance and stability.

Load balancing : By intelligently distributing client requests to different backend servers, NGINX prevents overload and increases service availability.

Built‑in caching : NGINX can cache request results, reducing backend load and speeding up responses.

Native SSL/TLS support : Handles encrypted HTTPS requests to ensure secure data transmission.

WebSocket support : Supports the WebSocket protocol required for real‑time web applications.

There are many features and corresponding configuration directives. You can study the NGINX documentation in depth, or use this tool to see how NGINX works, observe how your input affects the output, and generate optimal configurations for your specific use case (while you can also use the documentation).

NGINX Config Features

NGINX Config supports visual configuration of the following features:

HTTPS, HTTP/2, IPv6, certbot, HSTS, security request headers, SSL configuration, OCSP resolver, cache, gzip, brotli, fallback routing, reverse proxy, www/non‑www redirect, CDN, PHP (TCP/socket, WordPress, Drupal, Magento, Joomla), Node.js, Python (Django) servers, etc.

Site Configuration

Global Configuration

Using Configuration

Configuration Files

Main Configuration

/etc/nginx/nginx.conf

# Generated by nginxconfig.io
# See nginxconfig.txt for the configuration share link

user www-data;
pid /run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;

# Load modules
include /etc/nginx/modules-enabled/*.conf;

events {
    multi_accept on;
    worker_connections 65535;
}

http {
    charset utf-8;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    server_tokens off;
    log_not_found off;
    types_hash_max_size 2048;
    types_hash_bucket_size 64;
    client_max_body_size 16M;

    # MIME
    include mime.types;
    default_type application/octet-stream;

    # Logging
    access_log off;
    error_log /dev/null;

    # SSL
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites
    ssl_dhparam /etc/nginx/dhparam.pem;

    # Mozilla Intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
    resolver_timeout 2s;

    # Load configs
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

Secondary Configuration

/etc/nginx/sites-available/tinywan.com.conf

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name tinywan.com;
    set $base /var/www/tinywan.com;
    root $base/public;

    # SSL
    ssl_certificate /etc/letsencrypt/live/tinywan.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tinywan.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/tinywan.com/chain.pem;

    # security
    include nginxconfig.io/security.conf;

    # logging
    access_log /var/log/nginx/access.log combined buffer=512k flush=1m;
    error_log /var/log/nginx/error.log warn;

    # index.php
    index index.php;

    # index.php fallback
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # additional config
    include nginxconfig.io/general.conf;

    # handle .php
    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php-fpm.sock;
        include nginxconfig.io/php_fastcgi.conf;
    }
}

# subdomains redirect
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name *.tinywan.com;

    # SSL
    ssl_certificate /etc/letsencrypt/live/tinywan.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tinywan.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/tinywan.com/chain.pem;
    return 301 https://tinywan.com$request_uri;
}

# HTTP redirect
server {
    listen 80;
    listen [::]:80;
    server_name .tinywan.com;
    include nginxconfig.io/letsencrypt.conf;

    location / {
        return 301 https://tinywan.com$request_uri;
    }
}

PHP Configuration

/etc/nginx/nginxconfig.io/php_fastcgi.conf

# 404
try_files $fastcgi_script_name =404;

# default fastcgi_params
include fastcgi_params;

# fastcgi settings
fastcgi_index index.php;
fastcgi_buffers 8 16k;
fastcgi_buffer_size 32k;

# fastcgi params
fastcgi_param DOCUMENT_ROOT $realpath_root;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param PHP_ADMIN_VALUE "open_basedir=$base/:/usr/lib/php/:/tmp/";

Security Configuration

/etc/nginx/nginxconfig.io/security.conf

# security headers
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# .files
location ~ /\.(?!well-known) {
    deny all;
}
Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

load balancingConfigurationSecurityreverse proxyWeb server
Open Source Tech Hub
Written by

Open Source Tech Hub

Sharing cutting-edge internet technologies and practical AI resources.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment