Nginx Config Generator

Generate Nginx server blocks, reverse proxy, SSL, and load balancer configs

server {
    listen 80;
    server_name example.com;

    # Logging
    access_log /var/log/nginx/example.com.access.log;
    error_log  /var/log/nginx/example.com.error.log;

    # Gzip
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml image/svg+xml;

    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

What is Nginx Config Generator?

Nginx is one of the most popular web servers and reverse proxies in the world, used by high-traffic sites and as the default proxy layer in Docker, Kubernetes, and cloud deployments. Writing a correct Nginx config requires memorizing the exact directive syntax, indentation rules, and common pitfalls — this generator produces production-ready configs for the most common use cases including static sites, reverse proxies, load balancers, redirects, and SSL/TLS hardening.

How to Use

  1. Select the config type: Static Site, Reverse Proxy, Load Balancer, Redirect, or SSL/TLS.
  2. Enter your domain name and port (or enable SSL for HTTPS).
  3. Fill in the type-specific options (proxy target, upstream servers, redirect URL, SSL settings, etc.).
  4. Enable optional features: gzip compression, rate limiting, www redirect, WebSocket support.
  5. Copy the generated config and save it to /etc/nginx/sites-available/your-domain.

Why Use This Tool?

  • Generates correct Nginx syntax — no manual directive lookup needed
  • SSL/TLS mode uses Mozilla-recommended cipher suites and protocols
  • Reverse proxy includes granular header control and WebSocket support
  • Load balancer supports round-robin, least connections, and IP hash
  • Gzip config targets all common web asset types
  • OCSP stapling and HSTS for production-grade SSL security

Tips & Best Practices

  • After saving the config, run `nginx -t` to validate before reloading
  • Enable the site with: `ln -s /etc/nginx/sites-available/your.conf /etc/nginx/sites-enabled/`
  • For SSL, use Certbot (Let's Encrypt): `certbot --nginx -d yourdomain.com`
  • The www redirect option adds a separate server block that redirects www.domain to domain
  • Rate limiting requires placing the limit_req_zone directive in the http{} block of nginx.conf, not in the server block
  • For WebSocket support, make sure your upstream application handles the Upgrade header correctly
  • The Mozilla Intermediate profile is recommended for most production sites — it balances security and compatibility
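
The placement rule for rate limiting, as an added example (not output from the generator). The zone name `perip`, the 10 MB zone size, the 10 r/s rate and the burst of 20 are assumed values, and the nginx.conf part is an excerpt (the `events` block and other settings are left out).

```nginx
# --- Excerpt of /etc/nginx/nginx.conf ---
http {
    # Shared-memory zone keyed by client address. It must be declared here,
    # at http level; Nginx rejects limit_req_zone inside a server block.
    # "perip", 10m and 10r/s are assumed example values.
    limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;

    # Answer throttled requests with 429 instead of the default 503.
    limit_req_status 429;

    include /etc/nginx/sites-enabled/*;
}

# --- /etc/nginx/sites-available/example.com ---
server {
    listen 80;
    server_name example.com;

    location / {
        # Reference the zone declared in http{}. Up to 20 requests above the
        # rate are served immediately (nodelay); anything beyond is rejected.
        limit_req zone=perip burst=20 nodelay;

        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

If Nginx itself sits behind another proxy, `$binary_remote_addr` is that proxy's address, so all clients would share one rate-limit bucket.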

Frequently Asked Questions

Where do I put the generated config file?

On Ubuntu/Debian with the default Nginx package: save to /etc/nginx/sites-available/your-domain.conf, then create a symlink to /etc/nginx/sites-enabled/. On CentOS/RHEL: save directly to /etc/nginx/conf.d/your-domain.conf. Run `nginx -t && systemctl reload nginx` after.

What is the difference between reverse proxy and load balancer?

A reverse proxy forwards traffic from the internet to a single backend application server. A load balancer distributes traffic across multiple backend servers (defined in an upstream block) to improve availability and throughput. Both use proxy_pass internally, but the load balancer uses a named upstream group instead of a direct URL.

Do I need to install anything extra for SSL?

The config assumes you have certificate files (PEM format). The easiest way to get free SSL certificates is Certbot (Let's Encrypt). Run `certbot --nginx -d yourdomain.com`: Certbot will install and auto-renew certificates, and can also modify your Nginx config automatically.

What are the X-Real-IP, X-Forwarded-For, and X-Forwarded-Proto headers?

These headers pass client information through the proxy. X-Real-IP carries the original client IP address. X-Forwarded-For is a de-facto standard that lists the client IP and any intermediate proxies. X-Forwarded-Proto tells the backend whether the original request was HTTP or HTTPS, which is needed for generating correct redirect URLs and setting secure cookies.
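
`$proxy_add_x_forwarded_for` appends `$remote_addr` to whatever X-Forwarded-For value the client sent, so a backend that reads the first entry of that header is reading client-controlled data. The added example below (not generator output) shows how to hand the backend a single address Nginx has established itself in two deployments; the `10.0.0.0/8` range and the `internal.example.com` name are assumptions, and the second server block needs ngx_http_realip_module.

```nginx
# Case 1: Nginx is the internet-facing edge.
# Overwrite X-Forwarded-For so a client-supplied value never reaches the backend.
server {
    listen 80;
    server_name example.com;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;   # replace, do not append
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Case 2: Nginx sits behind a trusted load balancer or CDN.
# 10.0.0.0/8 is an assumed address range for that trusted tier.
server {
    listen 80;
    server_name internal.example.com;

    set_real_ip_from 10.0.0.0/8;      # only these peers may assert a client IP
    real_ip_header X-Forwarded-For;   # header the trusted tier fills in
    real_ip_recursive on;             # skip trusted hops, use the last untrusted address

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        # $remote_addr now holds the client address restored by the realip module.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

The backend should accept these headers only on connections that come from the proxy, for example by listening on localhost only.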

When should I enable WebSocket support?

Enable WebSocket support when your backend application uses WebSocket connections (e.g., Socket.io, real-time chat, live updates). The Upgrade and Connection headers allow Nginx to properly hand off persistent WebSocket connections to the backend. Without these headers, WebSocket connections will fail with a 400 error.
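
The Upgrade and Connection handling described above, as an added example (not output from the generator). The `/ws/` path, the `$connection_upgrade` variable name and the 300 s read timeout are assumptions.

```nginx
# http{} context (a file under sites-enabled is included at that level).
# Derive the Connection header from the client's Upgrade header so that
# ordinary requests are not sent to the backend as upgrade requests.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name example.com;

    location /ws/ {
        proxy_pass http://localhost:3000;

        # The upgrade handshake needs HTTP/1.1 towards the backend.
        proxy_http_version 1.1;

        # Upgrade and Connection are hop-by-hop headers: Nginx does not
        # forward them unless they are set explicitly.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;

        # The default proxy_read_timeout is 60s; an idle socket with no
        # traffic in that window is closed. 300s is an assumed value.
        proxy_read_timeout 300s;
    }
}
```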

What is the Mozilla SSL profile and which one should I use?

Mozilla provides three SSL configuration profiles: Modern (TLS 1.3 only, strongest security, requires recent browsers), Intermediate (TLS 1.2+1.3, recommended for most sites, works with all modern browsers), and Old (TLS 1.0-1.3, maximum compatibility for very old clients). For most production sites, use the Intermediate profile.

What is OCSP stapling and should I enable it?

OCSP stapling allows the server to attach a cached OCSP response to the TLS handshake, so the client doesn't need to contact the certificate authority separately. This reduces SSL handshake latency by eliminating an extra round-trip. You should enable it for production sites — it improves performance and privacy. Make sure your DNS resolver is configured correctly (the generator includes Cloudflare and Google resolvers).

What is HSTS and what max-age should I use?

HSTS (HTTP Strict Transport Security) tells browsers to only connect via HTTPS for a specified duration. Start with a short max-age (e.g., 300 = 5 minutes) to test, then increase to 31536000 (1 year) once confirmed working. The includeSubDomains flag applies the rule to all subdomains. Be careful: once set, browsers will refuse HTTP connections for the entire max-age period.
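
An added example (not output from the generator) covering the OCSP stapling and HSTS answers above, with the staged max-age rollout. The certificate paths are placeholders and the `/downloads/` location is hypothetical; it is there to show that an `add_header` inside a location stops the server-level headers from being inherited.

```nginx
server {
    listen 443 ssl;
    server_name example.com;

    # Placeholder certificate paths.
    ssl_certificate         /etc/nginx/ssl/example.com/fullchain.pem;
    ssl_certificate_key     /etc/nginx/ssl/example.com/privkey.pem;
    ssl_trusted_certificate /etc/nginx/ssl/example.com/chain.pem;

    # OCSP stapling: Nginx fetches the OCSP response itself, which is why it needs a resolver.
    ssl_stapling on;
    ssl_stapling_verify on;   # checks the response against ssl_trusted_certificate
    resolver 1.1.1.1 8.8.8.8 valid=300s;

    # Stage 1: five-minute policy while testing. "always" also sends it on error responses.
    add_header Strict-Transport-Security "max-age=300" always;
    # Stage 2, once confirmed working (replaces the line above):
    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://localhost:3000;
    }

    location /downloads/ {
        # An add_header at this level discards the server-level add_header lines,
        # so the HSTS header has to be repeated here.
        add_header Cache-Control "no-store" always;
        add_header Strict-Transport-Security "max-age=300" always;
        proxy_pass http://localhost:3000;
    }
}

server {
    listen 80;
    server_name example.com;
    # Browsers ignore HSTS received over plain HTTP; redirect so they see it on HTTPS.
    return 301 https://$host$request_uri;
}
```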

How do custom upstream blocks work in reverse proxy mode?

Custom upstream blocks let you define named backend groups that you can reference in location blocks. For example, an upstream named "api" with address "127.0.0.1:4000" creates an upstream block and a corresponding location /api/ block that proxies to it. This is useful when different paths need to route to different backend services.
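
The "api" upstream from the answer above, written out as an added example (not output from the generator). The `/v2/` location is hypothetical and only illustrates how a URI part on `proxy_pass` changes the path the backend receives.

```nginx
# Named backend group, using the name and address from the FAQ answer.
upstream api {
    server 127.0.0.1:4000;
}

server {
    listen 80;
    server_name example.com;

    # Default route: the main application.
    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # proxy_pass without a URI part: the request path is passed unchanged,
    # so /api/users reaches the backend as /api/users.
    location /api/ {
        proxy_pass http://api;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # Hypothetical variant: with a URI part ("/"), the matched prefix is
    # replaced, so /v2/users reaches the backend as /users.
    location /v2/ {
        proxy_pass http://api/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

Access rules written in the backend against `/api/...` paths will not match requests arriving through the prefix-stripping variant, so pick one form and keep the backend's routing consistent with it.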
