Modular Nginx config for modern, secure sites in 2018.
This project aims to be a modular Nginx config template to ease common tasks like proxying websites, redirecting URLs, (semi-automatically) signing Let's Encrypt, offloading SSL, etc.
We assume you are always using the newest mainline version of Nginx with at least the official sets of modules. Some new exciting features (http2, stream, etc.) are not supported on old versions (stable and/or distro packages).
Here is instruction for installing latest version of nginx.
Compatibility with other Nginx-derived projects (OpenResty, etc.) and 3rd party modules are not verifyed. If you have interest in verifying with/supporting them, contributions are welcomed.
If you already have production sites running on Nginx, don't do anything stupid. You should only take essential pieces from here and evaluate your own config on staging environment.
If you are starting with a clean Nginx installation without any custom config, you can directly replace your nginx config sketelon with this one:
# run as root rm -r /etc/nginx git clone https://github.com/Jamesits/oh-my-nginx.git /etc/nginx openssl dhparam -out /etc/ssl/dhparam.pem 4096
conf.d/*.confis where your HTTP/HTTPS config lives
stream.conf.d/*.confis for TCP proxy
There are various
examples/*.conf files in these two directory; you can use them as a start point (copy it to
stream.conf.d/ and rename them) and modify it to suit your needs. Basically you need to change these values:
server_nameto your domain (set up DNS to point to your server IP!)
proxy_passto your backend or what you want to proxy from
ssl_certificate_keyto your SSL key file (If you use certbot then you may only need to edit
Semi-automatic Let's Encrypt signing
We implemented a semi-automatic LE signing method with no service disruption during signing process. To use this you need autocert.
Detailed documentation is on its way. Check back later.
If you think this is helpful, please consider buy me a coffee.
This config template is originated from a production server (One of my load balancers running Ubuntu 16.04). They are based on the official config template of Nginx 1.12.
Some fossil versions of Nginx uses a different directory structure:
/etc/nginx/sites-available/*.confto store all sites configuration;
/etc/nginx/sites-enabled/*.confare symlinks from
sites-availableand they are actually included in the main config.
We do not use this structure anymore, and
conf.d/ works exactly the same like
sites-enabled/ (though without the symlinks). If you want to temporary disable a config just append a
.disabled on its name (other suffixes are fine as long as the last part of the file name is not