glunty

Nginx Config Cheat Sheet

A searchable reference of common nginx config directives and what each one does.

Common nginx config directives with a plain-English description of what each one does
Directive What it does
server { ... } Define a virtual server that answers requests for a given set of names and ports.
listen 80; Accept plain HTTP connections on port 80 for this server block.
listen 443 ssl; Accept HTTPS connections on port 443 with TLS turned on.
listen [::]:80; Also accept connections over IPv6 on the given port.
server_name example.com www.example.com; Match this block to the listed host names from the request Host header.
server_name _; Use an invalid catch-all name so this block handles unmatched hosts.
root /var/www/html; Set the base directory that nginx serves files from for this block.
index index.html; Name the default file to serve when a directory is requested.
return 301 https://example.com$request_uri; Reply at once with a 301 redirect to the given target.
error_page 404 /404.html; Serve a custom page when a request results in a 404 error.
error_page 500 502 503 504 /50x.html; Serve one custom page for the common server error codes.
location /images/ { ... } Match any request path that begins with the given prefix.
location = /favicon.ico { ... } Match only the exact request path, the fastest match type.
location ~ \.php$ { ... } Match paths using a case-sensitive regular expression.
location ~* \.(jpg|png|css)$ { ... } Match paths using a case-insensitive regular expression.
location ^~ /static/ { ... } Take this prefix match and skip any regular expression checks.
try_files $uri $uri/ =404; Try each path in turn and return a 404 when none of them exist.
alias /var/www/assets/; Map the location to another directory, replacing the matched prefix.
internal; Allow only internal redirects to this location and block direct client access.
location / { ... } Match every request as the lowest priority prefix.
proxy_pass http://127.0.0.1:3000; Forward the request to the named backend server or upstream pool.
proxy_set_header Host $host; Pass the original Host header through to the backend.
proxy_set_header X-Real-IP $remote_addr; Send the real client IP address to the backend.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; Append the client IP to the X-Forwarded-For header chain.
proxy_set_header X-Forwarded-Proto $scheme; Tell the backend whether the client used http or https.
proxy_read_timeout 60s; Set how long to wait for a response from the backend.
upstream backend { ... } Define a named pool of backend servers for load balancing.
proxy_redirect off; Stop nginx from rewriting Location and Refresh headers from the backend.
proxy_http_version 1.1; Use HTTP/1.1 to the backend, needed for keepalive and websockets.
ssl_certificate /etc/ssl/example.crt; Point to the file holding the server certificate and its chain.
ssl_certificate_key /etc/ssl/example.key; Point to the private key that matches the certificate.
ssl_protocols TLSv1.2 TLSv1.3; Allow only the listed TLS versions and reject older ones.
ssl_ciphers HIGH:!aNULL:!MD5; Set which cipher suites the server is willing to negotiate.
add_header Strict-Transport-Security "max-age=31536000" always; Send the HSTS header so browsers stay on HTTPS.
ssl_session_cache shared:SSL:10m; Cache TLS sessions across workers to speed up repeat handshakes.
ssl_prefer_server_ciphers on; Let the server choose the cipher order during the handshake.
return 301 https://$host$request_uri; In a port 80 block, redirect every request to its HTTPS URL.
gzip on; Turn on gzip compression for eligible responses.
gzip_types text/css application/javascript; List the extra MIME types to compress beyond plain HTML.
expires 30d; Set Expires and Cache-Control max-age headers for static assets.
add_header Cache-Control "public, max-age=3600"; Send an explicit caching policy to browsers and proxies.
sendfile on; Use the kernel sendfile call to serve static files efficiently.
client_max_body_size 20m; Set the largest request body, such as an upload, that nginx accepts.
keepalive_timeout 65; Set how long an idle keepalive connection stays open.
worker_processes auto; Run one worker per CPU core to use all available cores.
worker_connections 1024; Set the maximum simultaneous connections each worker can handle.
nginx -t Test the configuration for syntax errors without applying it.
nginx -s reload Reload the configuration gracefully without dropping connections.
nginx -s stop Stop nginx at once with a fast shutdown.
nginx -s quit Stop nginx gracefully after current requests finish.
systemctl restart nginx Restart the nginx service through systemd.
systemctl reload nginx Reload the config through systemd without a full restart.
nginx -V Print the version along with the build options and modules.
nginx -s reopen Reopen the log files, which is useful after log rotation.

Runs entirely in your browser. Nothing you type is sent anywhere; open DevTools and watch the Network tab to verify zero requests.

What this tool does

This is a searchable quick reference for the nginx directives you reach for when writing a config, from defining a server and routing with location blocks to setting up a reverse proxy, enabling TLS, and tuning static-file performance. Each row pairs a directive with a plain-English note on what it does. Type in the filter box to search across both columns, or tap a category button to focus on one area. The whole list is built into the page, so it works offline and sends nothing anywhere.

How to use it

Start typing in the Filter box. Entering proxy surfaces the reverse-proxy directives; entering ssl shows the TLS settings; entering gzip or expires jumps to the performance options. The category buttons (Server, Location, Proxy, SSL, Performance, CLI) narrow the table to one area and combine with the text filter, so you can pick Location and type regex to zero in on the pattern-matching forms. Clear the box to see the full sheet again.

Common use cases

  • Recalling the exact directive for a task you do rarely, like an HTTP to HTTPS redirect or a cache header.
  • Copying a correct directive into your config instead of guessing the syntax.
  • Setting up a reverse proxy in front of a Node or Python app with the right forwarded headers.
  • Comparing the location match types (prefix, exact, and regex) before writing a rule.
  • Reviewing the core nginx config before an interview or a deployment.

Common pitfalls

  • Forgetting to reload after editing. Editing the config file changes nothing until you reload. Run nginx -t to validate, then nginx -s reload to apply it without dropping connections.
  • Confusing root and alias. With root the location path is appended to the root directory, while alias replaces the matched prefix entirely. Mixing them up leads to wrong file paths.
  • Location priority surprises. An exact = match wins first, then a ^~ prefix, then regex matches in file order, then the longest plain prefix. Assuming plain top-to-bottom order runs the wrong block.
  • Missing proxy headers. Without proxy_set_header lines for Host and X-Forwarded-For, your backend sees nginx as the client and logs the wrong IP and host.

Frequently asked questions

What is a server block?
A server block is the section of an nginx config that defines one virtual server: which ports it listens on, which host names it answers to, where its files live, and how it routes requests. You can have many server blocks in one config, and nginx picks the matching one based on the listen port and the Host header. It is the nginx equivalent of an Apache virtual host.
What does try_files do?
The try_files directive checks a list of paths in order and serves the first one that exists on disk. A common form is try_files $uri $uri/ =404, which looks for the exact file, then a matching directory, and returns a 404 if neither is found. Single-page apps often add a fallback to index.html so client-side routing works, and reverse proxies can fall back to a named location instead.
How do I set up a reverse proxy?
Inside a location block, point proxy_pass at your backend, for example proxy_pass http://127.0.0.1:3000. Then forward the important request details with proxy_set_header lines for Host, X-Real-IP, X-Forwarded-For, and X-Forwarded-Proto so the backend sees the real client and scheme. For websockets or keepalive, also set proxy_http_version 1.1, and define an upstream pool when you want to balance across several backends.
How do I redirect HTTP to HTTPS?
Keep a small server block that listens on port 80 and returns a permanent redirect, for example return 301 https://$host$request_uri. That sends every plain HTTP request to the matching HTTPS URL with a 301 status. Serve your real content from a second server block that listens on 443 ssl with your certificate and key configured.
How do I test and reload the config?
Run nginx -t first to validate the configuration and catch syntax errors before they take effect. If the test passes, apply the change with nginx -s reload or systemctl reload nginx, which loads the new config gracefully without dropping active connections. Avoid a full restart unless you changed something only a restart can pick up, such as the listen sockets.
Does this cheat sheet send my searches anywhere?
No. The entire directive list is baked into the page and every search and filter runs locally in your browser with JavaScript, so nothing you type leaves your device. Open your browser DevTools and watch the Network tab while you type to confirm there are zero requests.

Embed this tool

Free for any use; attribution appreciated. Paste this on your site:

The embed runs the same tool that lives at this URL. No tracking; no ads inside the embed. Resize height as needed for your layout.

Cite this tool

For academic, journalistic, or technical references. Pick a format:

Citations use 2026 as the publication year. Access date is left as a fillable placeholder where the citation style expects one.

Embedded tool from glunty.com