nginx reference

paths (debian/ubuntu)

Config root: /etc/nginx/
Sites: /etc/nginx/sites-available/ + symlinks in sites-enabled/
Logs: /var/log/nginx/access.log, error.log

service control

Action	Command
Start/stop/restart	`sudo systemctl start\|stop\|restart nginx`
Reload config	`sudo systemctl reload nginx`
Enable at boot	`sudo systemctl enable nginx`
Status	`systemctl status nginx`

config checks

Task	Command
Syntax test	`sudo nginx -t`
Show compiled modules	`nginx -V`

minimal server block (http)

server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/example;
    access_log /var/log/nginx/example-access.log;
    error_log  /var/log/nginx/example-error.log;
    location / {
        try_files $uri $uri/ =404;
    }
}

https with certbot

sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d example.com -d www.example.com
sudo systemctl reload nginx

common reverse proxy

server {
    listen 443 ssl;
    server_name api.example.com;
    ssl_certificate /etc/letsencrypt/live/api.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.example.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

gzip and caching

gzip on;
gzip_types text/plain text/css application/javascript application/json;

location ~* \\.(jpg|jpeg|png|gif|ico|css|js)$ {
    expires 7d;
    add_header Cache-Control \"public\";
}

common errors & fixes

Permission denied on cert/key: ensure ssl_certificate_key readable by root (nginx runs as www-data but master reads key).
403 on root: check root path exists and permissions; ensure try_files points to correct path.
502/504 from upstream: verify proxy_pass target reachable; raise proxy_read_timeout for slow backends.
Port in use: run ss -tulnp | grep :80 to find conflicting service.
SELinux (RHEL): allow HTTP to connect to network setsebool -P httpd_can_network_connect 1 or serve files outside default contexts with semanage fcontext + restorecon.

Return to Home