Docs / Web Servers / Nginx Configuration Best Practices

Nginx Configuration Best Practices

By Admin · Mar 3, 2026 · Updated Apr 23, 2026 · 84 views · 2 min read

Configuration Structure

/etc/nginx/
├── nginx.conf              # Main config
├── sites-available/        # All site configs
├── sites-enabled/          # Symlinks to active configs
├── conf.d/                 # Additional configs
└── snippets/               # Reusable config fragments

Main Config Tuning

# /etc/nginx/nginx.conf
worker_processes auto;           # Match CPU cores
worker_rlimit_nofile 65535;

events {
    worker_connections 4096;     # Per worker
    multi_accept on;
    use epoll;
}

http {
    # Basic
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096;

    # Buffers
    client_body_buffer_size 16k;
    client_max_body_size 50m;

    # Gzip
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_types
        text/plain text/css application/json application/javascript
        text/xml application/xml text/javascript image/svg+xml;

    # Logging
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log warn;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

Security Headers

# /etc/nginx/snippets/security-headers.conf
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

Usage:

server {
    include snippets/security-headers.conf;
}

SSL Configuration

# /etc/nginx/snippets/ssl-params.conf
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;

Rate Limiting

# Define zones in http block
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;

server {
    location /api/ {
        limit_req zone=api burst=20 nodelay;
        proxy_pass http://backend;
    }

    location /login {
        limit_req zone=login burst=3;
        proxy_pass http://backend;
    }
}

Static File Serving

location ~* \.(jpg|jpeg|png|gif|ico|css|js|woff2|svg)$ {
    expires 30d;
    add_header Cache-Control "public, immutable";
    access_log off;
}

Testing and Reloading

# Always test before reloading
sudo nginx -t

# Reload (zero-downtime)
sudo systemctl reload nginx

# View active connections
sudo nginx -T | head -20

Tip Use nginx -T (capital T) to dump the entire resolved configuration — great for debugging which config file a directive comes from.

Was this article helpful?

Related Articles