NGINX cheat sheet
Basics
Configuration directories:
ls /etc/nginx/sites-available
ls /etc/nginx/sites-enabled
cd /etc/nginx/sites-available
cd /etc/nginx/sites-enabled
Setup new site
1. Create a new site in sites-available:
sudo nano /etc/nginx/sites-available/example.com
2. Validate the configuration:
sudo nginx -t
3. Enable site by creating a symlink to sites-enabled:
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/example.com
4. Reload NGINX:
sudo systemctl reload nginx
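Added example (not part of the original cheat sheet): steps 2 to 4 above wrapped in one shell function that links the site, runs the config test with the new file included, and removes the link again if the test fails, so a broken site is never left enabled. It assumes the stock Debian/Ubuntu layout, where nginx.conf includes only sites-enabled/*, so nginx -t does not parse a file that exists only in sites-available. The function name enable_site, its return codes and the NGINX_DIR, NGINX_TEST_CMD and NGINX_RELOAD_CMD variables are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original page. Paths and commands can be
# overridden through the environment (assumed names) so the function can
# be exercised without root or a running NGINX.
NGINX_DIR="${NGINX_DIR:-/etc/nginx}"
NGINX_TEST_CMD="${NGINX_TEST_CMD:-nginx -t}"
NGINX_RELOAD_CMD="${NGINX_RELOAD_CMD:-systemctl reload nginx}"

# enable_site NAME   (run as root, e.g. enable_site example.com)
# Returns: 0 enabled and reloaded
#          1 invalid name
#          2 no such file in sites-available
#          3 something already exists in sites-enabled
#          4 config test failed (link removed again)
#          5 creating the link or reloading failed
enable_site() {
    site="$1"
    # Refuse empty names, dotfiles and anything containing a path
    # separator, so the name cannot point outside sites-available.
    case "$site" in
        ""|.*|*/*) echo "invalid site name: '$site'" >&2; return 1 ;;
    esac
    src="$NGINX_DIR/sites-available/$site"
    dst="$NGINX_DIR/sites-enabled/$site"
    [ -f "$src" ] || { echo "missing: $src" >&2; return 2; }
    # -e is false for a dangling symlink, so test -L as well.
    if [ -e "$dst" ] || [ -L "$dst" ]; then
        echo "already present: $dst" >&2
        return 3
    fi
    ln -s "$src" "$dst" || return 5
    # Validate with the new site linked in; undo the link on failure so
    # the next reload or restart does not pick up a broken config.
    if ! $NGINX_TEST_CMD; then
        rm -f "$dst"
        echo "config test failed, $site left disabled" >&2
        return 4
    fi
    $NGINX_RELOAD_CMD || { echo "reload failed" >&2; return 5; }
    return 0
}
```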
Setup with SSL
1. Install certbot and Nginx plugin temporarily:
sudo apt-get install certbot python3-certbot-nginx
2. Set up your basic Nginx configuration:
server {
    listen 80;
    server_name example.com;
    location / {
        proxy_pass http://127.0.0.1:9093;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
3. Run certbot to generate a cert:
sudo certbot --nginx -d example.com
Templates
Proxy pass template
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_tokens off;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    include /etc/nginx/snippets/ssl.conf;
    include /etc/nginx/snippets/letsencrypt.conf;
    server_name example.com;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:8987;
    }
}
WebSocket proxy pass template
server {
    server_name example.com;
    listen 7070 ssl;
    listen [::]:7070 ssl;
    server_tokens off;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    include /etc/nginx/snippets/ssl.conf;
    location / {
        proxy_pass http://127.0.0.1:7077;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
Generating a cert with Let's Encrypt
Use the following NGINX template before generating the cert:
server {
    listen 80;
    listen [::]:80 ipv6only=on;
    server_name example.com;
    include /etc/nginx/snippets/letsencrypt.conf;
    location / {
        proxy_pass http://127.0.0.1:8084;
    }
}
Generate the cert:
certbot certonly --webroot --agree-tos --no-eff-email --email letsencrypt@vsi.systems -w /var/www/letsencrypt -d example.com
Wildcard cert (expects wildcard domain e.g. *.mysites.com):
certbot certonly --manual --agree-tos --no-eff-email --preferred-challenges=dns --email letsencrypt@vsi.systems -w /var/www/letsencrypt -d '*.example.com'
Renew
certbot --nginx certonly -n -d example.com
or
certbot renew
Remember to reload nginx after a cert update.
Static HTML
/var/www/html
nano /etc/nginx/sites-available/example.com
Logs
Default log locations:
/var/log/nginx/access.log
/var/log/nginx/error.log