Nginx Configuration

Static serving, reverse proxy, SSL, gzip, caching headers, rate limiting.
nginxdevopsbackend
# Nginx Configuration

## Structure
```
/etc/nginx/
  nginx.conf          # main config
  conf.d/             # included site configs
  sites-available/    # Debian/Ubuntu
  sites-enabled/      # symlinks to active sites
```

## Static file server
```nginx
server {
  listen 80;
  server_name example.com;
  root /var/www/html;
  index index.html;

  # SPA fallback
  location / {
    try_files $uri $uri/ /index.html;
  }

  # Cache static assets
  location ~* \.(js|css|png|jpg|ico|woff2)$ {
    expires 1y;
    add_header Cache-Control "public, immutable";
  }
}
```

## Reverse proxy
```nginx
upstream api {
  server 127.0.0.1:3000;
  server 127.0.0.1:3001;  # load balance
  keepalive 32;
}

server {
  listen 80;
  server_name api.example.com;

  location / {
    proxy_pass http://api;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_cache_bypass $http_upgrade;
  }
}
```

## SSL with Let's Encrypt (Certbot)
```bash
certbot --nginx -d example.com -d www.example.com
```
```nginx
server {
  listen 443 ssl http2;
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers off;
  add_header Strict-Transport-Security "max-age=63072000" always;
}
# Redirect HTTP -> HTTPS
server {
  listen 80;
  return 301 https://$host$request_uri;
}
```

## Gzip compression
```nginx
gzip on;
gzip_vary on;
gzip_min_length 1024;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml image/svg+xml;
```

## Rate limiting
```nginx
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;

location /api/ {
  limit_req zone=api burst=20 nodelay;
  proxy_pass http://api;
}
```

## Security headers
```nginx
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "strict-origin-when-cross-origin";
```

## Useful commands
```bash
nginx -t          # test config
nginx -s reload   # reload without downtime
systemctl reload nginx
nginx -s stop
```
API: /api/skills/nginx-config