Optimizing Nginx Config for Your Website

In this guide I will present my Nginx optimization tips for your website or blog. Nginx is a free, open-source, high-performance HTTP server and reverse proxy, best known for its performance, stability, rich feature set, simple configuration, and low resource consumption.

My discussions below will be based on the actual Nginx config for this blog (view on GitHub). The focus will be on actual optimizations, instead of basic nginx.conf syntax. These are for your reference only; use at your own risk.

First, we add some response headers that enable the browser's protection against clickjacking and XSS. Another useful one is HTTP Strict-Transport-Security (HSTS), which enforces secure (HTTPS) connections for your website.

Next, we proceed to enable Gzip compression for the website's contents. An exception was made for IE 4 to 6 due to their known issues with Gzip.

Set various buffer size limits and timeouts to prevent buffer overflow attacks and improve server performance. Tweak these parameters to your needs.

Configure Nginx log settings. In this example, $real_scheme is added to the default format. In addition, extra log files are created under access_logs.

For better log readability, we exclude certain URL patterns, some known bots and our own IP(s) from the access log. This is achieved using the map and geo modules of Nginx, which are very efficient.

Here we further identify some "bad" user-agents used by web scanners and outdated browsers. Also blocked are curl, wget and some frequently exploited URLs. This is intended for use with the Ghost blog (see my tutorial). Do NOT use this with WordPress or PHP!

The bots identified earlier are excluded with the code below. For those "bad" user-agents, we redirect them to the "browser-update" website.

In the server's listen and ssl directives, we enable HTTP/2 and optimize SSL protocols and cipher suites. To prevent the "Logjam" attack, a strong Diffie-Hellman group is generated. In addition, OCSP stapling (ssl_stapling) is enabled to further reduce latency for website visitors. Test your SSL configuration at SSL Labs, and see if you can get an "A+".

This section is for use with Cloudflare ONLY, in order to show the real IPs of your visitors in Nginx logs.

Reject invalid hostnames and unneeded HTTP methods. The first line is required because in HTTP/1.0, the $host variable may be undefined.

Block referrer spams such as "best-seo-report" and "buttons-for-website".

To help counter Denial of Service (DoS) attacks, we limit the number of simultaneous connections and request rates from each host. Tweak these parameters to your needs.
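As an added example (not the config from this blog's GitHub repository), the following http-context snippet shows how the connection and request-rate limits can be combined with the geo and map modules mentioned in the logging section, so that your own IP(s) bypass the limits; the address ranges, zone names and limits are assumptions you should adjust.

```nginx
# Added example, not the blog's own config. Addresses, zone names and
# limits are assumptions. Place this inside the http {} context.

# 1. Mark trusted sources (your own IP(s)) with 0, everyone else with 1.
#    192.0.2.0/24 is a documentation range standing in for your real address.
geo $limit {
    default       1;
    127.0.0.1     0;
    192.0.2.0/24  0;
}

# 2. Turn that flag into the key used by the limit zones. An empty key
#    means the request is not counted, so trusted sources bypass both limits.
map $limit $limit_key {
    0  "";
    1  $binary_remote_addr;
}

# 3. Shared-memory zones: roughly 16,000 64-byte states per megabyte.
limit_req_zone  $limit_key zone=req_per_ip:10m rate=10r/s;
limit_conn_zone $limit_key zone=conn_per_ip:10m;

# Return 429 instead of the default 503 so the reason is obvious in the
# access log and in monitoring; log rejected requests at "warn".
limit_req_status    429;
limit_conn_status   429;
limit_req_log_level warn;

server {
    listen      80;             # plain HTTP only, so the snippet loads without certificates
    server_name example.com;    # placeholder

    # Allow bursts of up to 20 requests without delaying them (nodelay);
    # anything beyond the burst is rejected immediately with 429.
    limit_req  zone=req_per_ip burst=20 nodelay;
    # At most 10 simultaneous connections per client address.
    limit_conn conn_per_ip 10;

    location / {
        proxy_pass http://127.0.0.1:2368;   # Ghost's default port
    }
}
```

Check the result with "nginx -t" before reloading, and watch the error log for "limiting requests" entries to confirm the thresholds match real traffic rather than blocking legitimate visitors.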

Here we configure caching for the Nginx reverse proxy (for use with Ghost blog). In this example, HTTP codes 200, 301 and 302 are cached for 30 days, while 404 is cached for 10 minutes. Requests from our own IP(s) will bypass the cache.

Finally, we serve user-friendly error pages for HTTP status 404, 503, etc. Create and place your customized error pages in /opt/nginx/html.

This concludes my discussion of optimizing Nginx config for your website. I hope you will find it useful! Some additional optimizations that I did not discuss above can be found in my full Nginx config file hosted on GitHub.

Please share this post if you like it, and do not hesitate to write your comments or questions in the Disqus form below.


Lin Song

Fresh PhD graduate in Electrical and Computer Engineering (ECE). As a hobby, I love computers, Linux and programming.
