Quick reference for Nginx: service management, server blocks, reverse proxy, load balancing, SSL/TLS, location matching, logging, and performance tuning.
Nginx quick-reference covering essential commands, server block configuration, reverse proxy setup, load balancing, SSL/TLS, logging, and performance tuning. Organized by workflow so you can find the right directive or command instantly. Whether you are serving static files, proxying to a backend application, or configuring HTTPS — this cheat sheet has you covered.
How Do You Manage the Nginx Service?
| Command | Description |
|---|
| sudo systemctl start nginx | Start the Nginx service |
| sudo systemctl stop nginx | Stop the Nginx service |
| sudo systemctl restart nginx | Restart Nginx (drops connections) |
| sudo systemctl reload nginx | Reload config without downtime |
| sudo systemctl enable nginx | Enable Nginx to start on boot |
| sudo systemctl status nginx | Check service status |
| nginx -t | Test configuration for syntax errors |
| nginx -T | Test and print the full merged configuration |
| nginx -s reload | Send reload signal directly to Nginx |
| nginx -s quit | Graceful shutdown (finishes active requests) |
| nginx -s stop | Immediate shutdown |
| nginx -v | Print Nginx version |
| nginx -V | Print version, compiler options, and modules |
Key File Locations
| Path | Description |
|---|
| /etc/nginx/nginx.conf | Main configuration file |
| /etc/nginx/conf.d/ | Additional config files (included by default) |
| /etc/nginx/sites-available/ | Available server block configs (Debian/Ubuntu) |
| /etc/nginx/sites-enabled/ | Symlinks to active server blocks |
| /etc/nginx/mime.types | MIME type mappings |
| /var/log/nginx/access.log | Access log (all requests) |
| /var/log/nginx/error.log | Error log |
| /usr/share/nginx/html/ | Default document root |
How Do You Configure a Basic Server Block?
| Directive | Description | Example |
|---|
| listen | Port and optional address to listen on | listen 80; or listen 443 ssl; |
| server_name | Domain names this block responds to | server_name example.com www.example.com; |
| root | Document root directory for serving files | root /var/www/example.com/html; |
| index | Default files to serve for directory requests | index index.html index.htm; |
| location / | Match requests by URI path | location /images/ { ... } |
| try_files | Try paths in order, fall back to last arg | try_files $uri $uri/ /index.html; |
| error_page | Custom error pages | error_page 404 /404.html; |
| return | Return a status code or redirect | return 301 https://$host$request_uri; |
How Do You Set Up a Reverse Proxy?
| Directive | Description | Example |
|---|
| proxy_pass | Forward requests to a backend server | proxy_pass http://localhost:3000; |
| proxy_set_header Host | Pass the original Host header | proxy_set_header Host $host; |
| proxy_set_header X-Real-IP | Pass the client real IP | proxy_set_header X-Real-IP $remote_addr; |
| proxy_set_header X-Forwarded-For | Pass the forwarded-for chain | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| proxy_set_header X-Forwarded-Proto | Pass the original protocol | proxy_set_header X-Forwarded-Proto $scheme; |
| proxy_http_version | Set HTTP version for backend | proxy_http_version 1.1; |
| proxy_read_timeout | Timeout for reading backend response | proxy_read_timeout 90s; |
| proxy_connect_timeout | Timeout for connecting to backend | proxy_connect_timeout 30s; |
| proxy_buffering | Enable or disable response buffering | proxy_buffering off; |
Load Balancing
| Directive / Method | Description | Example |
|---|
| upstream <name> { ... } | Define a group of backend servers | upstream backend { server 10.0.0.1:8080; } |
| server <addr>:<port> | Add a server to the upstream group | server 10.0.0.2:8080; |
| (default) round-robin | Distribute requests evenly in order | No directive needed — default behavior |
| least_conn | Route to server with fewest active connections | upstream backend { least_conn; ... } |
| ip_hash | Sticky sessions based on client IP | upstream backend { ip_hash; ... } |
| weight=N | Assign relative weight to a server | server 10.0.0.1:8080 weight=3; |
| max_fails=N | Mark server down after N failed attempts | server 10.0.0.1:8080 max_fails=3; |
| fail_timeout=Ns | Time window for max_fails and downtime duration | server 10.0.0.1:8080 fail_timeout=30s; |
| backup | Only use this server when all others are down | server 10.0.0.3:8080 backup; |
| down | Mark a server as permanently unavailable | server 10.0.0.4:8080 down; |
How Do You Configure SSL/TLS?
| Directive | Description | Example |
|---|
| listen 443 ssl | Enable SSL on port 443 | listen 443 ssl; |
| ssl_certificate | Path to the SSL certificate file | ssl_certificate /etc/ssl/certs/site.pem; |
| ssl_certificate_key | Path to the private key file | ssl_certificate_key /etc/ssl/private/site.key; |
| ssl_protocols | Allowed TLS protocol versions | ssl_protocols TLSv1.2 TLSv1.3; |
| ssl_ciphers | Allowed cipher suites | ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:...'; |
| ssl_prefer_server_ciphers | Prefer server cipher order | ssl_prefer_server_ciphers on; |
| ssl_session_cache | Enable SSL session caching | ssl_session_cache shared:SSL:10m; |
| ssl_session_timeout | Timeout for cached SSL sessions | ssl_session_timeout 10m; |
| ssl_stapling | Enable OCSP stapling | ssl_stapling on; |
Location Block Matching
| Modifier | Description | Example |
|---|
| (none) | Prefix match — lowest priority | location /api { ... } |
| ^~ | Prefix match — skips regex if matched | location ^~ /static/ { ... } |
| = | Exact match — highest priority | location = /health { return 200; } |
| ~ | Case-sensitive regex match | location ~ \.php$ { ... } |
| ~* | Case-insensitive regex match | location ~* \.(jpg|png|gif)$ { ... } |
Logging and Monitoring
| Directive | Description | Example |
|---|
| access_log | Set path and format for the access log | access_log /var/log/nginx/app.access.log; |
| error_log | Set path and level for the error log | error_log /var/log/nginx/app.error.log warn; |
| log_format | Define a custom log format | log_format main '$remote_addr - $request ...'; |
| access_log off | Disable access logging for a location | access_log off; |
| stub_status | Enable basic status page (active connections) | location /nginx_status { stub_status; } |
Performance Tuning
| Directive | Description | Example |
|---|
| worker_processes | Number of worker processes (auto = match CPU cores) | worker_processes auto; |
| worker_connections | Max simultaneous connections per worker | worker_connections 1024; |
| sendfile | Use kernel sendfile for static file serving | sendfile on; |
| tcp_nopush | Send headers and file in one packet | tcp_nopush on; |
| tcp_nodelay | Disable Nagle algorithm for keep-alive connections | tcp_nodelay on; |
| gzip | Enable gzip compression | gzip on; |
| gzip_types | MIME types to compress | gzip_types text/plain application/json; |
| gzip_min_length | Minimum response size to compress | gzip_min_length 256; |
| keepalive_timeout | Timeout for keep-alive connections | keepalive_timeout 65; |
| client_max_body_size | Maximum allowed request body size | client_max_body_size 10m; |
Frequently Asked Questions
How do you redirect HTTP to HTTPS in Nginx?
Add a server block listening on port 80 with: return 301 https://$host$request_uri; — this sends a permanent redirect for all HTTP requests to their HTTPS equivalent.
What is the difference between nginx -s reload and systemctl restart nginx?
nginx -s reload sends a signal to gracefully reload configuration without dropping active connections. systemctl restart nginx fully stops and restarts the process, which briefly drops all connections.
How does Nginx decide which server block handles a request?
Nginx first matches the listen directive (IP and port), then compares the Host header against server_name values. Exact matches take priority, followed by leading wildcards, trailing wildcards, and finally regex patterns. If nothing matches, the default_server block handles the request.
How do you serve a single-page application (SPA) with Nginx?
Use try_files $uri $uri/ /index.html; inside your location / block. This tries the requested file first, then the directory, and falls back to index.html so your client-side router can handle the route.
What does proxy_pass do in Nginx?
proxy_pass forwards incoming requests to a specified backend server (e.g., a Node.js or Python app). It is the core directive for configuring Nginx as a reverse proxy. You place it inside a location block and point it to the backend address, such as proxy_pass http://localhost:3000;.
How do you enable gzip compression in Nginx?
Add gzip on; to your http or server block, then specify which MIME types to compress with gzip_types (e.g., text/plain, application/json, text/css). Set gzip_min_length to avoid compressing very small responses. This reduces bandwidth usage and improves page load times.