NGINX Cheat Sheet¶

Installation & Basic Server Control¶

# Install NGINX (Ubuntu)
sudo apt update
sudo apt install nginx

# Start / Stop / Restart
sudo systemctl start nginx
sudo systemctl stop nginx
sudo systemctl restart nginx

# Reload config (no downtime)
sudo systemctl reload nginx

# Enable on boot
sudo systemctl enable nginx
sudo systemctl disable nginx

# Status
sudo systemctl status nginx

Test config syntax (important before reload):

sudo nginx -t

Show version / build info:

nginx -v
nginx -V

Log locations (default):

/var/log/nginx/access.log
/var/log/nginx/error.log

Binary & PID paths:

/usr/sbin/nginx
/run/nginx.pid

(HackingNote)

Configuration File Structure¶

user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    access_log  /var/log/nginx/access.log;
    error_log   /var/log/nginx/error.log;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

Directives end with ;
Blocks/Contexts are {} scopes (e.g., events, http, server, location)
Comments start with # (HackingNote)

HTTP Server Block (Virtual Host)¶

server {
    listen 80;
    server_name example.com www.example.com;

    root /var/www/example.com/html;
    index index.html index.htm;

    # Default request handling
    location / {
        try_files $uri $uri/ =404;
    }
}

listen — port/interface
server_name — hostname(s)
root — document root
index — default files (Suhesh)

Location Blocks (Request Routing)¶

Pattern	Meaning
`location /`	Prefix match (default)
`location = /exact`	Exact match
`location ^~ /static/`	Preferential prefix match
`location ~ \.php$`	Regex (case-sensitive)
`location ~* .(gif \| jpg)$`	Regex (case‐insensitive)

location /images/ {
    root /var/www/assets;
}

Use alias when mapping URLs that don’t match directory structure:

location /static/ {
    alias /var/www/site/;
}

(Cheatography)

Reverse Proxy¶

location /api/ {
    proxy_pass http://backend_server;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

Common proxy settings:

proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;

(DevCortex)

SSL / HTTPS¶

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
}

Redirect HTTP → HTTPS:

server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

(DevCortex)

Performance Tuning¶

worker_processes auto;
worker_connections 1024;

Optimize:

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
gzip on;
gzip_types text/plain text/css application/json;

Rate limiting:

limit_req_zone $binary_remote_addr zone=one:10m rate=30r/s;
limit_req zone=one burst=10;

(DevSheets)

Logging & Debugging¶

access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log warn;

log_format custom '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

Check full config including includes:

nginx -T

(Shows parsed configuration) (wiki.linuxia.de)

Security / Access Control¶

Block malicious or sensitive URIs:

location = /admin {
    deny all;
}

Add common security headers:

add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;

Hide NGINX version:

server_tokens off;

(DevSheets)

Useful One-liners¶

sudo nginx -t && sudo systemctl reload nginx   # Test + reload

Restart gracefully:

nginx -s quit

Force stop:

nginx -s stop

(blog.programster.org)

If you want a print-friendly PDF version or a one-page cheat sheet graphic, I can generate one too!