Skip to main content
lab.golamrabbani.org

Nginx Config Generator

Build a production-ready Nginx server block with SSL, gzip, and security headers.

Written by Golam Rabbani, Founder & Lead Engineer

Build a production-ready Nginx server block for a static site or a reverse proxy. Toggles cover SSL, HSTS, gzip, security headers, and long-cache static asset rules. Everything is generated locally.

Used only when SSL is off.

Options

How to use this nginx config generator

  1. Enter your primary domain (and an optional alternate, like the www subdomain).
  2. Pick Static files (with a document root) or Reverse proxy (with a proxy_pass URL).
  3. Toggle the options you want: SSL, force HTTPS, gzip, security headers, long-cache static assets.
  4. If SSL is enabled, paste your certificate and key paths (Lets Encrypt defaults are pre-filled).
  5. Click Generate and Copy config, then drop the file into /etc/nginx/sites-available/ and reload Nginx.

About this nginx config generator

The Nginx config generator builds a production-ready server block from a single form. It targets two common modes — static-file hosting and reverse proxy — and layers on the security and performance toggles most sites need: TLS 1.2/1.3, HSTS, gzip with the right MIME types, long-cache rules for fingerprinted assets, and the standard `X-Content-Type-Options`, `X-Frame-Options`, and `Referrer-Policy` headers.

When SSL and "redirect HTTP to HTTPS" are both on, the tool emits two server blocks: one on port 80 that handles ACME challenges and 301s everything else to HTTPS, and one on port 443 with the real config. Reverse-proxy mode adds the standard upstream headers (`Host`, `X-Real-IP`, `X-Forwarded-For`, `X-Forwarded-Proto`) plus the `Upgrade`/`Connection` pair so WebSocket connections survive.

As an example, generating for `example.com` + `www.example.com`, SSL on, force HTTPS on, gzip on, security headers on, and 30-day static caching produces a two-block file: the port-80 redirect and a port-443 block with `ssl_protocols TLSv1.2 TLSv1.3`, the gzip MIME list, a `location ~* \.(js|css|woff2|...)$` block caching 30 days, and a fallback `try_files $uri $uri/ /index.html;` for client-side routing. Everything is generated locally — your server name and key paths never leave the browser.

FAQ

Where do I save the generated Nginx config file?
On Debian/Ubuntu, drop it at `/etc/nginx/sites-available/example.com` and symlink it: `sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/`. On Rocky/Alma/CentOS, use `/etc/nginx/conf.d/example.com.conf`. Then test with `sudo nginx -t` and reload with `sudo systemctl reload nginx`.
Why are there two server blocks when I enable SSL?
One listens on port 80 and 301-redirects to HTTPS while keeping `/.well-known/acme-challenge/` available so Lets Encrypt renewals still work. The other listens on 443 with the real TLS config. Splitting them is the standard pattern recommended by both Mozilla SSL Config Generator and the Nginx team.
What does the long-cache static-asset block do?
It matches common file extensions (js, css, woff2, png, jpg, svg, ico, etc.) and sets `Cache-Control: public, max-age=2592000, immutable`. The `immutable` flag tells browsers not to revalidate on reload — safe when filenames are content-hashed, which is the default for Next.js, Vite, and most modern build tools.
How is the reverse-proxy block structured?
It uses `proxy_pass` to the URL you provide, sets `proxy_http_version 1.1`, forwards the host and client IP via `proxy_set_header`, and adds the `Upgrade`/`Connection "upgrade"` headers so WebSocket upgrades work. `proxy_read_timeout 60s` gives slow upstream responses 60 seconds before Nginx times out.
Does this tool send my config to any server?
No. Generation is entirely client-side. Your domain, SSL paths, and proxy URLs are processed in your browser and never uploaded, logged, or stored anywhere.
Is this Nginx config generator free to use?
Yes, it is completely free with no account, no signup, and no usage limits.