Posted in Devops, Information Technology

nginx Cheat Sheet

Config Syntax

Check the syntax and referenced files with `nginx -t` (or `nginx -T` to also dump the effective configuration), then run gixy (a static analyzer for nginx configs) to catch insecure patterns such as open redirects, unsafe `alias` locations and header injection via `$uri`.

Proxy Pass + Rewrite

For example, to strip a path prefix before proxying (anchor the regex with ^ so the prefix is only removed at the start of the URI, not wherever it happens to appear):

location ~ <expr> {
    # "break" stops rewrite processing and keeps the request in this location
    rewrite ^/<path to strip>/(.*) /$1 break;
    proxy_pass http://<upstream>;
}

Proxy Pass + Host Header

By default proxy_pass does not forward the client's Host header: nginx replaces it with $proxy_host, i.e. the host from the proxy_pass URL. Forwarding the original name has to be said explicitly:

location / {
    proxy_pass       http://localhost:8000;
    proxy_set_header Host $host;
}

$host is the server name from the request line or Host header, lowercased and without port; $http_host would forward the raw header. Whatever you forward is attacker-controlled unless the server block has an explicit server_name and a separate default_server rejects unknown names, otherwise a backend that builds absolute URLs from Host (password-reset links, redirects) is open to host-header injection.
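The two snippets above put together, as an added example that is not from the original post: a catch-all server that drops requests for unknown names, and an application server that strips a prefix and forwards a validated Host header. The upstream address, server name and the /api prefix are placeholders chosen for illustration.

```nginx
# Added example, not from the original post. Names, ports and paths are
# placeholders.

upstream app {
    server 127.0.0.1:8000;
}

# Catch-all: any request whose Host matches no server_name below is dropped.
# 444 closes the connection without a response. Without this block the first
# server below would act as default and forward arbitrary Host values upstream.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

server {
    listen 80;
    server_name app.example.com;

    # Strip the /api prefix before proxying: /api/v1/users -> /v1/users
    location /api/ {
        rewrite ^/api/(.*)$ /$1 break;
        proxy_pass http://app;

        # Only reachable when Host matched server_name, so $host is a name we
        # actually serve rather than whatever the client sent.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP         $remote_addr;
        # Appends $remote_addr to any incoming X-Forwarded-For; the backend
        # must only trust the last (rightmost) entry, the one nginx added.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

proxy_set_header overwrites rather than appends, so the client cannot smuggle its own X-Real-IP or X-Forwarded-Proto past this block; X-Forwarded-For is the one header that intentionally keeps the incoming chain.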

Complex Conditions

As nginx does not support boolean operators (and/or) in if() conditions, set flags in a smart way to work around it. Note that set takes the variable and its value without "=". Only return and rewrite ... last are documented as fully safe inside if within a location; set, as used here, is the usual way to carry a decision between several if blocks, but do not put proxy_pass or similar directives inside if.

# Define a control flag
set $extra_handling 0;

# Set the control flag when needed
if ($variable1 ~* pattern) {
    set $extra_handling 1;
}

# Unset the flag if needed
if ($variable2 = 1) {
    set $extra_handling 0;
}

if ($extra_handling = 1) {
    # Trigger intended behaviour
}
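The same flag logic expressed with map instead of if, as an added example not taken from the original post. map is evaluated in the http context, lazily and without the pitfalls of if inside location, and concatenating two flags into one key lets you express AND/OR exactly. The user-agent patterns, cookie name and the "block scanners without a session" policy are illustrative assumptions.

```nginx
# Added example, not from the original post. Patterns and the policy are
# illustrative.

# Condition 1: request comes from a scanner-like User-Agent
map $http_user_agent $suspicious_ua {
    default                  0;
    ~*(sqlmap|nikto|masscan) 1;
}

# Condition 2: request carries a plausibly valid session cookie
map $cookie_session $has_session {
    default                 0;
    "~^[A-Za-z0-9_-]{32,}$" 1;
}

# Combine: block only when suspicious AND no session. The concatenated flags
# form a tiny state space ("00", "01", "10", "11") that map matches exactly;
# list more keys here to express OR or other combinations.
map "$suspicious_ua$has_session" $block_request {
    default 0;
    "10"    1;
}

server {
    listen 80;
    server_name example.com;

    location / {
        # "0" and "" are false in if; return is safe inside if in a location
        if ($block_request) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8000;
    }
}
```

The maps are only computed when $block_request is first referenced, so a location that never uses the flag pays nothing for them.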

Mitigating security issues

A general description on secure nginx configuration can be found here:

RC4-first cipher lists like the following were once common (typically as a BEAST workaround) and still show up in old configs. Do not use this today: RC4 is broken and prohibited for TLS by RFC 7465, and BEAST is addressed by TLS 1.1+ with AEAD suites. It is shown only so the pattern is recognised:

ssl_ciphers RC4:HIGH:!aNULL:!MD5;   # obsolete and insecure, see above
ssl_prefer_server_ciphers on;

DH downgrade

The Logjam attack (May 2015) downgrades DHE handshakes to 512-bit export groups or relies on precomputation against the widely shared default 1024-bit groups. Create a unique DH group:

openssl dhparam -out dhparams.pem 2048

Enable it in the config:

ssl_dhparam {path to dhparams.pem};

And set sane ciphers. Note that current nginx offers no DHE suite at all when ssl_dhparam is unset, and that ECDHE suites do not use these parameters; the directive only matters if you keep DHE-* suites enabled.

Sane Ciphers

Suggestion from 22.5.2015 by

ssl_prefer_server_ciphers on;

The ssl_ciphers list that went with this suggestion matters more than the preference flag: server preference only helps when the server's own list is in a sane order, and once only forward-secret AEAD suites are enabled it can be left off so that clients without AES hardware may choose ChaCha20.
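A current TLS baseline for the whole section (ciphers, DH parameters, session handling), as an added example that is not the original post's suggestion. The cipher list follows Mozilla's "intermediate" profile; certificate and key paths, the server name and the HSTS lifetime are placeholders.

```nginx
# Added example, not from the original post. Paths and names are placeholders.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/tls/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/example.com.key;

    # No TLS 1.0/1.1 (BEAST, POODLE-era protocols), no SSLv3
    ssl_protocols TLSv1.2 TLSv1.3;

    # Forward-secret AEAD suites only (TLS 1.3 suites are selected by OpenSSL
    # and not affected by this directive). Order mirrors Mozilla "intermediate".
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    # Every offered suite is acceptable, so let the client pick (mobile
    # clients without AES-NI prefer CHACHA20).
    ssl_prefer_server_ciphers off;

    # Needed for the DHE-* suites above; generated with
    #   openssl dhparam -out dhparams.pem 2048
    ssl_dhparam /etc/nginx/tls/dhparams.pem;

    # Resumption via a shared server-side cache; ticket keys only rotate on
    # reload and would weaken forward secrecy, so tickets stay off unless you
    # rotate ssl_session_ticket_key yourself.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Two years; "always" also adds it to error responses
    add_header Strict-Transport-Security "max-age=63072000" always;
}
```

Verify the result from outside with `openssl s_client -connect example.com:443 -tls1_1` (should fail) and with a scanner such as testssl.sh before enabling HSTS with a long max-age, since HSTS cannot be undone from the server side until it expires.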

Data Privacy

Alternatives to avoid tracking users by IP, to be more GDPR compliant:

  • Mask IP addresses, i.e. deterministically replace IPs with the same but anonymous value, using a JS plugin
  • Match all but the last octet of $remote_addr with a regex and insert the variable in a custom log_format:

    # Note: add another/extend the regex for IPv6. "if" is only allowed in
    # server/location context, log_format belongs in http. The default keeps
    # the variable initialised for addresses the regex does not match.
    set $truncated_ip 0.0.0.0;
    if ($remote_addr ~ ^(\d+)\.(\d+)\.(\d+)\.\d+$) {
        set $truncated_ip $1.$2.$3.0;
    }
    log_format main '[$time_local] $truncated_ip "$request" $status $body_bytes_sent $request_time "$http_referer" "$http_user_agent"';

  • Starting with nginx 1.11 use "map" to apply regex patterns and extract the result:

    map $remote_addr $truncated_ip {
        ~(?P<ip>\d+\.\d+\.\d+)\.  $ip.0;     # IPv4: zero the last octet
        ~(?P<ip>[^:]+:[^:]+):     $ip::;     # IPv6: keep the first two groups
        default                   0.0.0.0;   # anything else is logged anonymised
    }
    log_format main '[$time_local] $truncated_ip "$request" $status $body_bytes_sent $request_time "$http_referer" "$http_user_agent"';

Both variants truncate $remote_addr, the TCP peer. Behind a load balancer that is the balancer's address; apply the realip module (set_real_ip_from / real_ip_header) first so the client address is what gets truncated, and make sure no other log_format still records $remote_addr or $http_x_forwarded_for in full.

Enabling Features

FPC with memcached

Full Page Cache (FPC) with memcached. "memcached" must be declared as an upstream, and @nocache is the named location that generates the page on a miss (and should store it under the same key):

if ($request_method = GET) {
    # Key is the raw request URI; add $host to the prefix when several
    # virtual hosts share the memcached instance, or they will serve each
    # other's pages.
    set $memcached_key some_prefix$request_uri;
    memcached_pass memcached;
    error_page 404 502 504 = @nocache;
}

Everything stored in memcached is served to anyone who requests that URI, so only pages that do not depend on a session or login may ever be written to it.

FastCGI caching

# "mycache" must be declared with fastcgi_cache_path in the http context.
set $nocache "";
if ($http_cookie ~ SESS) {
    set $nocache "Y";
}
fastcgi_cache mycache;
# Include the method and the raw request URI. With $uri$args, "/a?b" and
# "/ab" share one key, so a response for one URL can be served for the other.
fastcgi_cache_key $scheme$request_method$host$request_uri;
fastcgi_ignore_headers Expires;
fastcgi_cache_bypass $nocache;
fastcgi_no_cache $nocache;
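A complete FastCGI cache setup built on the fragment above, as an added example that is not from the original post: the cache zone, a collision-free key, and the bypass decision taken by map instead of if, extended to also skip the cache for requests carrying an Authorization header. Socket path, zone sizes, cookie pattern and TTLs are illustrative.

```nginx
# Added example, not from the original post. Paths, sizes and TTLs are
# illustrative.

# Zone "mycache": 10 MB of keys in shared memory, up to 1 GB on disk,
# entries not requested for 60 minutes are evicted.
fastcgi_cache_path /var/cache/nginx/fastcgi levels=1:2 keys_zone=mycache:10m
                   max_size=1g inactive=60m use_temp_path=off;

# Any cookie whose name contains SESS (Drupal-style session cookies) marks
# the request as personal. Yields "" (use cache) or 1 (skip cache).
map $http_cookie $skip_cache_cookie {
    default "";
    ~SESS   1;
}

server {
    listen 80;
    server_name example.com;
    root /srv/www;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php-fpm.sock;

        fastcgi_cache mycache;
        # Scheme, method, host and the raw URI (path + query) so that no two
        # distinct requests can share a key.
        fastcgi_cache_key "$scheme$request_method$host$request_uri";
        fastcgi_cache_valid 200 301 302 10m;
        fastcgi_cache_valid 404 1m;

        # Upstream Expires would otherwise override cache_valid. Set-Cookie is
        # deliberately NOT ignored: nginx refuses to cache responses that set a
        # cookie, which is exactly the protection you want for per-user pages.
        fastcgi_ignore_headers Expires;

        # Skip cache lookup (bypass) and storage (no_cache) for session
        # cookies and for any request with HTTP authentication. Each argument
        # is "true" when non-empty and not "0".
        fastcgi_cache_bypass $skip_cache_cookie $http_authorization;
        fastcgi_no_cache     $skip_cache_cookie $http_authorization;

        # HIT / MISS / BYPASS for debugging; drop in production if undesired
        add_header X-Cache-Status $upstream_cache_status;
    }
}
```

Check the behaviour by requesting the same page twice without a cookie (second response MISS then HIT) and once with `Cookie: SESSabc=1` (BYPASS); a HIT while holding a session cookie means the bypass condition does not match your cookie name.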

OCSP Stapling

Available starting with nginx 1.3.7

# ssl_stapling_verify checks the OCSP response against the issuer chain, so
# that chain must be given. The resolver is used by nginx itself to look up
# the OCSP responder over plain DNS (no DNSSEC validation), so point it at a
# resolver you control rather than a public one.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate <path to issuer chain.pem>;
resolver <dns server> valid=300s;
resolver_timeout 5s;

Verify with `openssl s_client -connect host:443 -status`; the output should contain "OCSP Response Status: successful". The first request after a reload is served without a staple because nginx fetches the response in the background. Note also that some CAs are ending their OCSP services (Let's Encrypt has announced this); when the responder goes away stapling stops silently, so keep monitoring it.

