Optimizing Nginx Config for Your Website

In this guide I will present my Nginx optimization tips for your website or blog. Nginx is a free, open-source, high-performance HTTP server and reverse proxy, best known for its performance, stability, rich feature set, simple configuration, and low resource consumption.

My discussions below will be based on the actual Nginx config for this blog (view on GitHub). The focus will be on actual optimizations rather than basic nginx.conf syntax. These are for your reference only; use them at your own risk.

First, we add some headers to enable protection against clickjacking and XSS. Another useful one is HTTP Strict-Transport-Security (HSTS), which tells browsers to use only secure (HTTPS) connections for your website.

Next, we enable Gzip compression for the website's contents. An exception is made for IE 4 to 6 because of their known issues with Gzip.

Set various buffer size limits and timeouts to prevent buffer overflow attacks and improve server performance. Tweak these parameters to your needs.

Configure Nginx log settings. In this example, $real_scheme is added to the default format. In addition, extra log files are created under access_logs.

For better log readability, we exclude certain URL patterns, some known bots and our own IP(s) from the access log. This is achieved using the map and geo modules of Nginx, which are very efficient.

Here we further identify some "bad" user-agents used by web scanners and outdated browsers. Also blocked are curl, wget and some frequently exploited URLs. This is intended for use with the Ghost blog (see my tutorial). Do NOT use this with WordPress or PHP!

The bots identified earlier are excluded with the code below. For those "bad" user-agents, we redirect them to the "browser-update" website.

In the server's listen and ssl directives, we enable HTTP/2 and optimize the SSL/TLS protocols and cipher suites. To prevent the "Logjam" attack, a strong Diffie-Hellman group is generated. In addition, OCSP stapling (ssl_stapling) is enabled to further reduce latency for website visitors. Test your SSL configuration at SSL Labs, and see if you can get an "A+".

This section is for use with Cloudflare ONLY, in order to show the real IPs of your visitors in Nginx logs.

Reject invalid hostnames and unneeded HTTP methods. The first line is required because HTTP/1.0 requests may carry no Host header, so the $host variable can be empty.

Block referrer spams such as "best-seo-report" and "buttons-for-website".

To help counter Denial of Service (DoS) attacks, we limit the number of simultaneous connections and request rates from each host. Tweak these parameters to your needs.
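As an added example (not the blog's own config), the following shows how the per-host connection and request-rate limits described above can be combined with the geo/map whitelist technique used earlier for log exclusion, so that your own IP(s) are never throttled. The addresses, zone names, 429 status and the Ghost upstream port 2368 are assumptions for illustration.

```nginx
# Constructed example: 192.0.2.10 stands in for "your own IP(s)".
geo $limit_exempt {
    default      0;
    192.0.2.10   1;    # own IP: exempt from limits
    10.0.0.0/8   1;    # internal monitoring range, example only
}

# Requests whose key is an empty string are not counted by limit_req or
# limit_conn, so mapping exempt clients to "" whitelists them.
map $limit_exempt $limit_key {
    0  $binary_remote_addr;
    1  "";
}

# 10m of shared memory tracks roughly 160k client states.
# rate=10r/s allows one request every 100ms per client on average.
limit_req_zone  $limit_key zone=req_per_ip:10m rate=10r/s;
limit_conn_zone $limit_key zone=conn_per_ip:10m;

# Return 429 instead of the default 503 so throttled clients can be told
# apart from backend outages in the access log.
limit_req_status    429;
limit_conn_status   429;
limit_req_log_level warn;

server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate     /path/to/fullchain.pem;   # placeholder
    ssl_certificate_key /path/to/privkey.pem;     # placeholder

    # At most 20 simultaneous connections per client address.
    limit_conn conn_per_ip 20;

    location / {
        # A page load fetches many assets at once: allow a burst of 20,
        # serve them without delay, and reject only beyond the burst.
        limit_req zone=req_per_ip burst=20 nodelay;
        proxy_pass http://127.0.0.1:2368;   # Ghost's default port (assumed)
    }
}
```

Run `nginx -t` after adding this, and watch the error log for "limiting requests" entries to tune rate and burst before lowering them further.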

Here we configure caching for the Nginx reverse proxy (for use with Ghost blog). In this example, HTTP codes 200, 301 and 302 are cached for 30 days, while 404 is cached for 10 minutes. Requests from our own IP(s) will bypass the cache.

Finally, we serve user-friendly error pages for HTTP status 404, 503, etc. Create and place your customized error pages in /opt/nginx/html.

This concludes my discussion of optimizing Nginx config for your website. I hope you will find it useful! Some additional optimizations that I did not discuss above can be found in my full Nginx config file hosted on GitHub.