MCP HubMCP Hub
返回技能列表

configure-nginx

pjt222
更新于 2 days ago
7 次查看
17
2
17
在 GitHub 上查看
开发general

关于

This skill provides configuration templates and guidance for setting up Nginx as a production-ready web server and reverse proxy. It covers static file serving, SSL/TLS termination with Let's Encrypt, load balancing, and security hardening like rate limiting and headers. Use it when you need to deploy or secure web applications, proxy to backend services, or manage traffic in a containerized environment.

快速安装

Claude Code

推荐
主要方式
npx skills add pjt222/agent-almanac -a claude-code
插件命令备选方式
/plugin add https://github.com/pjt222/agent-almanac
Git 克隆备选方式
git clone https://github.com/pjt222/agent-almanac.git ~/.claude/skills/configure-nginx

在 Claude Code 中复制并粘贴此命令以安装该技能

技能文档

Configure Nginx

Set up Nginx as a web server and reverse proxy with SSL termination and security hardening.

When to Use

  • Serving static files (HTML, CSS, JS) in production
  • Reverse proxying to backend services (Node.js, Python, Go, R/Shiny)
  • Terminating SSL/TLS with Let's Encrypt certificates
  • Load balancing across multiple backend instances
  • Adding rate limiting and security headers

Inputs

  • Required: Deployment target (Docker container or bare metal)
  • Required: Backend service(s) to proxy (host:port)
  • Optional: Domain name for SSL
  • Optional: Static file directory

Procedure

Step 1: Basic Reverse Proxy

nginx.conf:

events {
    worker_connections 1024;
}

http {
    upstream app {
        server app:3000;
    }

    server {
        listen 80;
        server_name example.com;

        location / {
            proxy_pass http://app;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}

Docker Compose service:

services:
  nginx:
    image: nginx:1.27-alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
    depends_on:
      - app

Got: Requests to port 80 are forwarded to the app service.

Step 2: Static File Serving

server {
    listen 80;
    root /usr/share/nginx/html;
    index index.html;

    location / {
        try_files $uri $uri/ /index.html;
    }

    location /assets/ {
        expires 1y;
        add_header Cache-Control "public, immutable";
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
        expires 6M;
        add_header Cache-Control "public";
    }
}

Step 3: SSL/TLS with Let's Encrypt

Using certbot with the webroot method:

server {
    listen 80;
    server_name example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://app;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Docker Compose with certbot:

services:
  nginx:
    image: nginx:1.27-alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - certbot-webroot:/var/www/certbot:ro
      - certbot-certs:/etc/letsencrypt:ro

  certbot:
    image: certbot/certbot
    volumes:
      - certbot-webroot:/var/www/certbot
      - certbot-certs:/etc/letsencrypt

volumes:
  certbot-webroot:
  certbot-certs:

Initial certificate:

docker compose run --rm certbot certonly \
  --webroot -w /var/www/certbot \
  -d example.com --email [email protected] --agree-tos

Got: HTTPS works with valid Let's Encrypt certificate.

If fail: Check DNS points to the server. Verify port 80 is open for ACME challenges.

Step 4: Security Headers

server {
    # ... SSL config above ...

    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" always;

    # Hide Nginx version
    server_tokens off;
}

Step 5: Rate Limiting

http {
    # Define rate limit zones
    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
    limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;

    server {
        location /api/ {
            limit_req zone=api burst=20 nodelay;
            proxy_pass http://app;
        }

        location /login {
            limit_req zone=login burst=5;
            proxy_pass http://app;
        }
    }
}

Step 6: Load Balancing

upstream app {
    least_conn;
    server app1:3000;
    server app2:3000;
    server app3:3000 backup;
}
MethodDirectiveBehavior
Round robin(default)Equal distribution
Least connectionsleast_connRoutes to least busy
IP haship_hashSticky sessions
Weightedserver app:3000 weight=3Proportional

Step 7: Test Configuration

# Test config syntax
docker compose exec nginx nginx -t

# Reload without downtime
docker compose exec nginx nginx -s reload

# Check response headers
curl -I https://example.com

Got: nginx -t reports syntax OK. Headers include security headers.

Validation

  • nginx -t reports configuration is valid
  • HTTP redirects to HTTPS (if SSL enabled)
  • Backend service is reachable through the proxy
  • Security headers present in response
  • Rate limiting triggers on excessive requests
  • SSL Labs test gives A+ rating (if public)

Pitfalls

  • Missing proxy_set_header Host: Backend receives wrong host header, breaking virtual hosts and redirects.
  • location order matters: Nginx uses the most specific match. Exact (=) > prefix (^~) > regex (~) > general prefix.
  • SSL certificate renewal: Set up a cron or timer to run certbot renew and reload Nginx.
  • Large request bodies: Default client_max_body_size is 1MB. Increase for file uploads: client_max_body_size 50m;.
  • WebSocket proxying: Requires additional headers. See configure-reverse-proxy for the pattern.

Related Skills

  • configure-reverse-proxy - multi-tool proxy patterns including WebSocket and Traefik
  • setup-compose-stack - compose stack that includes Nginx
  • deploy-searxng - uses Nginx as frontend for SearXNG
  • configure-ingress-networking - Kubernetes ingress (NGINX Ingress Controller)

GitHub 仓库

pjt222/agent-almanac
路径: i18n/caveman-lite/skills/configure-nginx
0
agentsagentskillsai-assisted-developmentclaude-codeskillsteams

相关推荐技能

qmd

开发

这是一个本地搜索和索引的CLI工具,支持BM25、向量搜索和重排序功能。开发者可以用它快速索引本地文件(如Markdown文档)并进行混合搜索,特别适合代码库或文档的本地检索。它还提供MCP模式,能轻松集成到Claude开发环境中使用。

查看技能

subagent-driven-development

开发

该Skill用于在当前会话中执行包含独立任务的实施计划,它会为每个任务分派一个全新的子代理并在任务间进行代码审查。这种"全新子代理+任务间审查"的模式既能保障代码质量,又能实现快速迭代。适合需要在当前会话中连续执行独立任务,并希望在每个任务后都有质量把关的开发场景。

查看技能

mcporter

开发

mcporter Skill 让开发者能在Claude中直接管理和调用MCP服务器。它支持列出可用服务器、调用工具、处理OAuth认证以及管理服务器守护进程。开发者可以通过命令行式交互快速执行`mcporter list`查看服务器,或使用`mcporter call`直接调用工具,简化了MCP工作流程。

查看技能

adk-deployment-specialist

开发

这是一个用于部署和编排Google Vertex AI ADK智能体的Claude Skill,专为构建生产级多智能体系统而设计。它支持通过A2A协议进行智能体通信,提供代码执行沙箱和记忆库功能,并能处理智能体发现与任务提交。当开发者需要部署ADK智能体或编排多智能体协作时,可使用此Skill来简化Vertex AI Agent Engine的部署流程。

查看技能