configure-nginx
About
This skill configures Nginx as a production-ready web server and reverse proxy, handling static file serving, SSL/TLS termination with Let's Encrypt, and load balancing to upstream services. It's used for proxying to backends like Node.js or Python apps, hardening endpoints with security headers, and implementing rate limiting. Developers should use it when deploying web applications that require a secure, performant gateway.
Quick Install
Claude Code
Recommendednpx skills add pjt222/agent-almanac -a claude-code/plugin add https://github.com/pjt222/agent-almanacgit clone https://github.com/pjt222/agent-almanac.git ~/.claude/skills/configure-nginxCopy and paste this command in Claude Code to install this skill
Documentation
Configure Nginx
Set up Nginx as web server and reverse proxy with SSL termination, security hardening.
When Use
- Serving static files (HTML, CSS, JS) in production
- Reverse proxying to backend services (Node.js, Python, Go, R/Shiny)
- Terminating SSL/TLS with Let's Encrypt certificates
- Load balancing across multiple backend instances
- Adding rate limiting, security headers
Inputs
- Required: Deployment target (Docker container or bare metal)
- Required: Backend service(s) to proxy (host:port)
- Optional: Domain name for SSL
- Optional: Static file directory
Steps
Step 1: Basic Reverse Proxy
nginx.conf:
events {
worker_connections 1024;
}
http {
upstream app {
server app:3000;
}
server {
listen 80;
server_name example.com;
location / {
proxy_pass http://app;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
}
Docker Compose service:
services:
nginx:
image: nginx:1.27-alpine
ports:
- "80:80"
- "443:443"
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf:ro
depends_on:
- app
Got: Requests to port 80 forwarded to app service.
Step 2: Static File Serving
server {
listen 80;
root /usr/share/nginx/html;
index index.html;
location / {
try_files $uri $uri/ /index.html;
}
location /assets/ {
expires 1y;
add_header Cache-Control "public, immutable";
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
expires 6M;
add_header Cache-Control "public";
}
}
Step 3: SSL/TLS with Let's Encrypt
Using certbot with webroot method:
server {
listen 80;
server_name example.com;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://app;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Docker Compose with certbot:
services:
nginx:
image: nginx:1.27-alpine
ports:
- "80:80"
- "443:443"
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf:ro
- certbot-webroot:/var/www/certbot:ro
- certbot-certs:/etc/letsencrypt:ro
certbot:
image: certbot/certbot
volumes:
- certbot-webroot:/var/www/certbot
- certbot-certs:/etc/letsencrypt
volumes:
certbot-webroot:
certbot-certs:
Initial certificate:
docker compose run --rm certbot certonly \
--webroot -w /var/www/certbot \
-d example.com --email [email protected] --agree-tos
Got: HTTPS works with valid Let's Encrypt certificate.
If fail: Check DNS points to server. Verify port 80 open for ACME challenges.
Step 4: Security Headers
server {
# ... SSL config above ...
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" always;
# Hide Nginx version
server_tokens off;
}
Step 5: Rate Limiting
http {
# Define rate limit zones
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;
server {
location /api/ {
limit_req zone=api burst=20 nodelay;
proxy_pass http://app;
}
location /login {
limit_req zone=login burst=5;
proxy_pass http://app;
}
}
}
Step 6: Load Balancing
upstream app {
least_conn;
server app1:3000;
server app2:3000;
server app3:3000 backup;
}
| Method | Directive | Behavior |
|---|---|---|
| Round robin | (default) | Equal distribution |
| Least connections | least_conn | Routes to least busy |
| IP hash | ip_hash | Sticky sessions |
| Weighted | server app:3000 weight=3 | Proportional |
Step 7: Test Configuration
# Test config syntax
docker compose exec nginx nginx -t
# Reload without downtime
docker compose exec nginx nginx -s reload
# Check response headers
curl -I https://example.com
Got: nginx -t reports syntax OK. Headers include security headers.
Checks
-
nginx -treports configuration valid - HTTP redirects to HTTPS (if SSL enabled)
- Backend service reachable through proxy
- Security headers present in response
- Rate limiting triggers on excessive requests
- SSL Labs test gives A+ rating (if public)
Pitfalls
- Missing
proxy_set_header Host: Backend receives wrong host header, breaking virtual hosts and redirects. locationorder matters: Nginx uses most specific match. Exact (=) > prefix (^~) > regex (~) > general prefix.- SSL certificate renewal: Set up cron or timer to run
certbot renew, reload Nginx. - Large request bodies: Default
client_max_body_sizeis 1MB. Increase for file uploads:client_max_body_size 50m;. - WebSocket proxying: Requires additional headers. See
configure-reverse-proxyfor pattern.
See Also
configure-reverse-proxy- multi-tool proxy patterns including WebSocket and Traefiksetup-compose-stack- compose stack that includes Nginxdeploy-searxng- uses Nginx as frontend for SearXNGconfigure-ingress-networking- Kubernetes ingress (NGINX Ingress Controller)
GitHub Repository
Related Skills
qmd
Developmentqmd is a local search and indexing CLI tool that enables developers to index and search through local files using hybrid search combining BM25, vector embeddings, and reranking. It supports both command-line usage and MCP (Model Context Protocol) mode for integration with Claude. The tool uses Ollama for embeddings and stores indexes locally, making it ideal for searching documentation or codebases directly from the terminal.
subagent-driven-development
DevelopmentThis skill executes implementation plans by dispatching a fresh subagent for each independent task, with code review between tasks. It enables fast iteration while maintaining quality gates through this review process. Use it when working on mostly independent tasks within the same session to ensure continuous progress with built-in quality checks.
mcporter
DevelopmentThe mcporter skill enables developers to manage and call Model Context Protocol (MCP) servers directly from Claude. It provides commands to list available servers, call their tools with arguments, and handle authentication and daemon lifecycle. Use this skill for integrating and testing MCP server functionality in your development workflow.
adk-deployment-specialist
DevelopmentThis skill deploys and orchestrates Vertex AI ADK agents using A2A protocol, managing AgentCard discovery, task submission, and supporting tools like Code Execution Sandbox and Memory Bank. It enables building multi-agent systems with sequential, parallel, or loop orchestration patterns in Python, Java, or Go. Use it when asked to deploy ADK agents or orchestrate agent workflows on Google Cloud.