nginx server block Generator

Generate a full nginx server block for a PHP/Node site, with proxy_pass, listen, server_name, root, and gzip.


  

nginx server blocks in depth: HTTPS, reverse proxy, caching, and rate limiting

An nginx server block is the configuration unit that defines a virtual host — the rough equivalent of Apache's <VirtualHost>. A single nginx worker can serve dozens of unrelated sites by matching the Host header (or SNI on TLS) against the server_name of each block. Because nginx is event-driven and asynchronous, it scales to tens of thousands of concurrent connections per worker with a constant memory footprint, which is why it powers a large share of the world's CDNs, API gateways, and high-traffic websites.

This generator emits a working block; the reference below covers the syntax in depth, how to enable HTTPS with Let's Encrypt, how to act as a reverse proxy for Node/Python apps, load balancing, static asset caching, gzip, rate limiting, file conventions per distribution, and the practical differences with Apache.

Basic syntax

server {
  listen 80;
  listen [::]:80;
  server_name example.com www.example.com;
  root /var/www/example.com/public;
  index index.html index.php;

  location / { try_files $uri $uri/ =404; }

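  location ~ \.php$ {
    try_files $uri =404;   # only hand files that exist on disk to PHP-FPM
    fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    # the stock fastcgi_params file does not set SCRIPT_FILENAME, which PHP-FPM needs to locate the script
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  }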
}

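listen binds an address and port (IPv4, plus IPv6 via [::]:80). server_name is matched against the request's Host header; when nothing matches, nginx falls back to the block whose listen directive is marked default_server, or to the first block defined for that address and port if none is marked.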

HTTPS with Let's Encrypt and modern TLS

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name example.com;

  ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers HIGH:!aNULL:!MD5;
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}

Pair the TLS block with a tiny redirect server on port 80:

server {
  listen 80;
  server_name example.com www.example.com;
  return 301 https://$host$request_uri;
}

Run certbot --nginx once to provision the certificate and set up automatic renewal (a cron entry or a systemd timer, depending on how certbot was installed).

Reverse proxy for Node, Python, Go

location / {
  proxy_pass http://localhost:3000;
  proxy_http_version 1.1;
  proxy_set_header Host              $host;
  proxy_set_header X-Real-IP         $remote_addr;
  proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header Upgrade           $http_upgrade;
  proxy_set_header Connection        "upgrade";
}

The Upgrade/Connection headers are required for WebSocket support. To load-balance across multiple backends, declare an upstream:

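upstream backend {
  server 10.0.0.1:8080;
  server 10.0.0.2:8080;
  keepalive 32;   # idle connections kept open to the upstream group, per worker
}
server {
  location / {
    proxy_pass http://backend;
    proxy_http_version 1.1;          # upstream keepalive requires HTTP/1.1 ...
    proxy_set_header Connection "";  # ... and no "Connection: close" sent upstream
  }
}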

Static asset caching, gzip, and rate limiting

  • Cache headers: location ~* \.(jpg|png|css|js|woff2)$ { expires 1y; add_header Cache-Control "public, immutable"; }
  • gzip: gzip on; gzip_types text/css application/javascript application/json image/svg+xml;
  • brotli: same idea via brotli on; brotli_types ...; if the module is compiled in.
  • Rate limit: limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s; at the http level, then limit_req zone=api burst=20 nodelay; in a location.
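What rate=10r/s with burst=20 nodelay admits in practice, as an added example that is not part of the original page: a simplified single-key Python model of the limit_req accounting. Function names and the sample traffic are constructed for illustration; the model ignores zone eviction and stacked limit_req directives.

```python
# Simplified single-key model of nginx limit_req accounting (added example).
def simulate_limit_req(arrivals_ms, rate_per_s=10, burst=20):
    """Return 'pass'/'reject' per request for one client key, nodelay mode.

    nginx tracks "excess" in thousandths of a request: each request adds
    1000, and the counter drains by rate_per_s units per elapsed millisecond.
    """
    excess = 0    # current excess, in 1/1000 request units
    last = None   # arrival time of the last accepted request (ms)
    verdicts = []
    for now in arrivals_ms:
        if last is None:
            candidate = 0                      # first request creates the state
        else:
            drained = rate_per_s * (now - last)
            candidate = max(0, excess - drained + 1000)
        if candidate > burst * 1000:
            verdicts.append("reject")          # state is left untouched
        else:
            verdicts.append("pass")
            excess, last = candidate, now
    return verdicts


def summarize(verdicts):
    """Return (passed, rejected) counts."""
    return verdicts.count("pass"), verdicts.count("reject")


# Constructed traffic: 30 requests in one millisecond, then 12 more a second later.
SAMPLE = [0] * 30 + [1000] * 12

if __name__ == "__main__":
    v = simulate_limit_req(SAMPLE)
    print("initial spike :", summarize(v[:30]))   # 1 + burst requests get through
    print("one second on :", summarize(v[30:]))   # only the refilled share passes
    steady = simulate_limit_req(range(0, 5000, 100))
    print("steady 10 r/s :", summarize(steady))   # never touches the burst
```

Rejected requests receive a 503 unless limit_req_status is set to another code such as 429.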

File layout and reload workflow

On Debian and Ubuntu, drop one .conf file per site in /etc/nginx/sites-available/ and symlink it into /etc/nginx/sites-enabled/; on RHEL, Fedora, and Alpine, files live directly in /etc/nginx/conf.d/. Always validate before reloading:

sudo nginx -t            # syntax check
sudo nginx -s reload     # graceful reload, no dropped connections
sudo systemctl reload nginx  # equivalent via systemd

FAQ

How do I get a free HTTPS certificate? Install certbot and run sudo certbot --nginx -d example.com -d www.example.com. It edits the server block and installs a 90-day Let's Encrypt certificate that auto-renews via a systemd timer.

Does nginx support HTTP/3 (QUIC)? Yes — stable since nginx 1.25. Add listen 443 quic reuseport; alongside the regular TLS listen and advertise it with add_header Alt-Svc 'h3=":443"; ma=86400'.

How do I match a wildcard subdomain? Use server_name *.example.com; or a regex form server_name ~^(?<sub>.+)\.example\.com$;, which captures the subdomain into $sub for use inside root or proxy_pass.

nginx vs Apache: which should I pick? nginx is generally faster for static content and reverse proxying because of its event loop; Apache is more flexible per-directory thanks to .htaccess. Many teams run both — Apache as the application server, nginx in front as TLS terminator and cache.

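Why is my location not matching? Order matters. An exact (=) match wins outright; otherwise nginx finds the longest matching prefix, then checks regex locations in declaration order, and the first regex that matches takes precedence over that prefix unless the prefix is marked ^~. Use nginx -T to print the merged config and $request_uri in access logs to debug.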
