Skip to content
An Nginx virtual host configuration for Craft CMS that implements a number of best-practices.
Branch: master
Clone or download
Pull request Compare This branch is 77 commits behind nystudio107:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


An Nginx virtual host configuration for Craft CMS that implements a number of best-practices.


What it handles

The Nginx-Craft configuration handles:

  • Redirecting from HTTP to HTTPS
  • Canonical domain rewrites from to
  • 301 Redirect URLs with trailing /'s as per
  • Setting PATH_INFO properly via php-fpm -> PHP
  • "Far-future" Expires headers
  • Adding XSS and other security headers
  • Gzip compression
  • Filename-based cache busting for static resources
  • IPv4 and IPv6 support
  • http2 support
  • Reasonable SSL cipher suites and TLS protocols
  • Localized sites

Assumptions made

The following are assumptions made in this configuration:

  • The site is https
  • The SSL certificate is from
  • The canonical domain is (no www.)
  • Nginx is version 1.9.5 or later (and thus supports http2)
  • Paths are standard Ubuntu, change as needed
  • You're using php7 via php-fpm
  • You have 'omitScriptNameInUrls' => true, in your craft/general.php

If any of these assumptions are invalid, make the appropriate changes.

What's included

This Nginx configuration comes in two parts:

  • sites-available/ - an Nginx virtual host configuration file tailored for Craft CMS; it will require some minor customization for your domain
  • nginx-partials - some Nginx configuration partials used by all of the virtual hosts, logically segregated. These don't need to be changed, but can be selectively disabled by changing the suffix to .off (or anything other than .conf)

Using Nginx-Craft

  1. Obtain an SSL certificate for your domain via (or via other certificate authorities). is free, and it's automated. You will need a basic server up and running that responds to port 80 to do this, LetsEnecrypt/Nginx tutorial
  2. Create a dhparam.pem via sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
  3. Upload the entire nginx-partials folder to /etc/nginx/
  4. Rename the file to
  5. Do a search & replace in to change SOMEDOMAIN -> yourdomain
  6. Tweak any paths that may need changing on your server
  7. Restart nginx via sudo nginx -s reload

If you're using Forge, it takes care of a number of these things for you, but still needs tuning. Use the file as a guide, making sure to not change any of the directives labeled # FORGE CONFIG (DOT NOT REMOVE!) in your existing .conf file.

The same applies for CloudWays, ServerPilot, Homestead, MAMP, etc.

Forge & opcache

N.B.: Forge now has opcache functionality baked-in, you can enable it via the Server settings, so this information is largely deprecated.

If you're using Forge, understand that opcache is off by default. To enable it, go to your server in Forge, click on Edit Files and choose Edit PHP FPM Configuration and search on opcache. Here are the defaults I use; tweak them to suit your needs:

; Determines if Zend OPCache is enabled

; Determines if Zend OPCache is enabled for the CLI version of PHP

; The OPcache shared memory storage size.

; The amount of memory for interned strings in Mbytes.

; The maximum number of keys (scripts) in the OPcache hash table.
; Only numbers between 200 and 100000 are allowed.

; If disabled, all PHPDoc comments are dropped from the code to reduce the
; size of the optimized code.

More about tweaking opcache can be found in the Fine-Tune Your Opcache Configuration to Avoid Caching Suprises article. The Best Zend OpCache Settings/Tuning/Config article is very useful as well.


If you encounter a problem where large asset uploads fail, despite memory_limit, post_max_size and upload_max_filesize being set properly in your php.ini, you may need to add the following to the http {} block of the main nginx.conf:

client_max_body_size 20M;

Brought to you by nystudio107

You can’t perform that action at this time.