NGINX Setup and Configuration Tips
NGINX is a popular web server used to support websites and applications. In this blog, we go over the basics of NGINX setup and configuration, as well as some recommended best practices, tips, and resources.
Brief Overview of NGINX
NGINX is a fast and compact modular TCP/UDP server with HTTP, forward proxy, reverse proxy, load balancer and many other modules and roles. It was created by Igor Sysoev and publicly released in 2004. NGINX is free and open-source software, released under the terms of the 2-clause BSD license.
The software is considered among the best-in-class web server and application delivery solutions used by high‑traffic websites such as Dropbox, Netflix, and Zynga. Today, more than 350 million websites worldwide rely on it to deliver content in a fast, secure and reliable manner.
NGINX Setup and Installation
NGINX can be installed from pre-built RPM or DEB packages or built from source. Building from source allows for more flexibility in versions and modules.
Building from source with only the required modules offers tailored functionality: a granular choice of the modules the server needs to perform its role, which decreases the attack surface. For example, a build can include TLS 1.3, HTTP/3, and QUIC support or image manipulation modules.
How to Configure NGINX
NGINX configuration is a series of directives that control the modules. Directives are placed in a context: the events and http directives reside in the main context, server resides in the http context, and location resides in the server context. Many other directives are context- and module-specific.
NGINX configuration supports many variables for dynamic configuration.
The NGINX Configuration File
By default, NGINX uses the /etc/nginx/nginx.conf file and conf.d sub-directories. Or additionally defined by the
The configuration file path can be altered and specified during the NGINX build process using
To see all the currently loaded configuration files and directives, you can run the nginx -T command.
NGINX Proxy Configuration
NGINX includes proxy server modules, which allow it to receive requests and forward them to the next node, returning that node's response to the client. Beyond this simple use case, proxying can be used for TLS termination or HTTP protocol switching, as well as to load separate content from different locations or servers.
The proxy_pass directive is used to forward the requests received on the listen port and
The proxy module offers a large number of directives to configure behavior, caches, and headers. You can see examples from NGINX here.
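The context nesting and the proxy use case described above, as an added example that is not from the original article or from the NGINX project. The backend address 127.0.0.1:8080, the server name example.com, and the /var/www/example path are assumptions.

```nginx
# Constructed example: a minimal nginx.conf showing context nesting and a reverse proxy.
# Assumed values: backend 127.0.0.1:8080, server name example.com, /var/www/example.

worker_processes auto;                 # main context

events {                               # events context, inside main
    worker_connections 1024;
}

http {                                 # http context, inside main
    include      mime.types;           # extension -> Content-Type map
    default_type application/octet-stream;

    upstream app_backend {             # the "next node" requests are forwarded to
        server 127.0.0.1:8080;
        keepalive 16;                  # reuse connections to the backend
    }

    server {                           # server context, inside http
        listen 80;
        server_name example.com;

        location / {                   # location context, inside server
            proxy_pass http://app_backend;
            proxy_http_version 1.1;
            proxy_set_header Connection "";      # required for upstream keepalive
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # Overwrite instead of appending: on an edge proxy a client-supplied
            # X-Forwarded-For value must not reach the backend as trusted data.
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 5s;
            proxy_read_timeout 30s;
        }

        location /static/ {            # separate content served from local disk
            root /var/www/example;
        }
    }
}
```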
NGINX FastCGI Configuration
NGINX is able to route requests to FastCGI servers running any number of backend frameworks and applications.
The fastcgi_pass directive is used to pass incoming client requests to the downstream application.
A common technique used together with the FastCGI processing is to split responses between dynamic and static content (image files). A more advanced performance tuning technique, depending on the FastCGI application, is dynamic content microcaching.
Examples for dynamic content caching include articles that don’t change often, RSS feeds, slow moving counters, date information, help content, etc.
The FastCGI microcaching is declared using the fastcgi_cache_path directive and path. You can learn more about FastCGI microcaching from NGINX here.
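The static/dynamic split and microcaching described above, as an added example that is not from the original article. The PHP-FPM socket path, document root, server name, cache directory, and the session cookie name "sessionid" are assumptions.

```nginx
# Constructed example for a file under conf.d/ (included inside the http context).
# Assumed values: PHP-FPM on unix:/run/php-fpm.sock, docroot /var/www/app,
# session cookie "sessionid", cache directory /var/cache/nginx/micro.

fastcgi_cache_path /var/cache/nginx/micro levels=1:2 keys_zone=micro:10m
                   max_size=256m inactive=10m;

server {
    listen 80;
    server_name app.example.com;
    root /var/www/app;

    # Static content is served from disk and never reaches the FastCGI backend.
    location ~* \.(?:png|jpe?g|gif|ico|css|js)$ {
        expires 7d;
        try_files $uri =404;
    }

    # Dynamic content goes to the FastCGI application, with a 1-second microcache.
    location ~ \.php$ {
        try_files $uri =404;           # do not pass nonexistent script paths on
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;

        fastcgi_cache micro;
        fastcgi_cache_key "$scheme$request_method$host$request_uri";
        fastcgi_cache_valid 200 1s;    # cache successful responses very briefly
        fastcgi_cache_lock on;         # one request per key populates the cache
        fastcgi_cache_use_stale updating error timeout;

        # Per-user responses must never be served from or stored in the shared
        # cache: skip it when a session cookie or Authorization header is present.
        fastcgi_cache_bypass $cookie_sessionid $http_authorization;
        fastcgi_no_cache     $cookie_sessionid $http_authorization;

        # HIT / MISS / BYPASS / EXPIRED, useful while tuning.
        add_header X-Cache-Status $upstream_cache_status;
    }
}
```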
NGINX MIME Type Configuration
The mime.types config file maps the common content types to extensions. Without including the mime.types configuration or defining the content type, the returned content type will be text/plain. This would break CSS, JS, etc.
Pre-Built Configuration Templates and Examples
Templates and examples can be used as a quick starting point to begin configuration iteration, implementation, and testing. NGINX provides the following:
The NGINX Configuration Validator
NGINX includes a configuration file validation command, nginx -t.
You can also print the currently loaded configuration using nginx -T. (NOTE: The first one has a lower case “t” while the second uses a capital case “T”.)
After changing a configuration file, the new configuration can be hot reloaded by the worker processes with the nginx -s reload command.
NGINX Configuration Best Practices
There are several best practices that we recommend:
Logging allows for troubleshooting, monitoring, and server observability. You'll be able to use metrics such as $request_time, $upstream_connect_time, $upstream_header_time, $upstream_response_time, HTTP codes, and more.
Depending on your risk profile, centralized logs can also provide anomaly analysis or historical graphs across applications.
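A log format that records the timing variables named above and ships a copy to a central collector, as an added example that is not from the original article. The log paths, the format name timing_json, and the collector address 192.0.2.10:514 (a documentation address) are assumptions.

```nginx
# Constructed example for a file under conf.d/ (included inside the http context).
# Assumed values: log paths, format name, syslog collector at 192.0.2.10:514.

# escape=json keeps client-controlled fields (request line, headers) from
# breaking the record structure or injecting forged fields.
log_format timing_json escape=json
    '{"time":"$time_iso8601",'
    '"remote_addr":"$remote_addr",'
    '"request":"$request",'
    '"status":"$status",'
    '"bytes_sent":"$body_bytes_sent",'
    '"request_time":"$request_time",'
    '"upstream_addr":"$upstream_addr",'
    # The upstream timings are logged as strings: they are "-" when no upstream
    # was contacted and a comma-separated list when several were tried.
    '"upstream_connect_time":"$upstream_connect_time",'
    '"upstream_header_time":"$upstream_header_time",'
    '"upstream_response_time":"$upstream_response_time"}';

# Local copy for troubleshooting on the host.
access_log /var/log/nginx/access.json timing_json;

# Second copy to a central collector for cross-application analysis.
access_log syslog:server=192.0.2.10:514,tag=nginx,severity=info timing_json;

error_log /var/log/nginx/error.log warn;
```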
Configuration can either be developed from scratch in an iterative process or a known good configuration can be copied from examples and an organization’s SDLC repository. If the configuration file is not already part of a maturity process, then it can be added to it.
Focus on Security
In addition to the well documented OWASP web service security guidelines, we recommend not neglecting host Mandatory Access Control such as SELinux or AppArmor. This applies to Linux Operating Systems.
When using TLS, it is recommended to build NGINX with the latest version of OpenSSL, opt for the latest TLS protocol version(s) and enable the ssl_prefer_server_ciphers directive. Configure a list of known good ciphers that are compatible with the expected client applications or libraries.
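The TLS recommendations above as configuration, with the weak protocol setting shown beside the corrected one. This is an added example, not from the original article; the server name, certificate paths, document root, and the specific cipher list are assumptions to adjust for the expected clients.

```nginx
# Constructed example for a file under conf.d/ (included inside the http context).
# Assumed values: server name, certificate paths, docroot, cipher selection.

server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;   # no content over plain HTTP
}

server {
    listen 443 ssl;
    server_name example.com;
    root /var/www/example;

    ssl_certificate     /etc/nginx/tls/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/example.com.key;

    # Weak: also accepts the deprecated TLS 1.0 and 1.1.
    #   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Corrected: latest versions only. Drop TLSv1.2 once every expected
    # client library supports TLS 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;

    # The server's preference order wins over the client's.
    ssl_prefer_server_ciphers on;

    # Known good AEAD suites with forward secrecy. This list applies to
    # TLS 1.2; TLS 1.3 suites are not controlled by ssl_ciphers and come
    # from the OpenSSL build.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
}
```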
Document Along the Way
Change and version control for known secure configuration should include confidentiality and availability. Settings which seem more secure in terms of hardening may cause more CPU load and a drop in server performance. This is where an iteration can be rolled back or revised.
This enables configuration maturity as a process, from ad hoc to consistent/reproducible, metered, and improved.
Other NGINX Configuration Best Practices to Consider
In addition to the common web server and proxy server use cases, NGINX can be used for HTTP protocol switching or TLS termination.
With the development of QUIC and HTTP/3 protocols, NGINX can be used as a protocol switch. For example, taking advantage of the QUIC and HTTP/3 protocols on one network segment and switching to or from HTTP 1.1 for compatibility.
NGINX is a fast, resource-efficient web and proxy server with many modules. That said, it may not meet every possible need out of the box, and complex use cases may require scripting (regex, Lua). In such cases, Apache HTTP and its modules may be a simpler way to achieve the required results.
Need Help with NGINX?
OpenLogic NGINX experts are ready to provide technical support and professional services to help you manage NGINX in your organization.