Nginx Config Generator

Build optimized nginx.conf for any setup

Generated nginx.conf
# Generated by DevToolKit — https://www.devtoolkit.site/nginx-config/

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;

    # SSL — Let's Encrypt
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

    # SSL settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 8.8.8.8 valid=300s;

    # Security headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    client_max_body_size 64m;

    # Gzip compression
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 5;
    gzip_min_length 256;
    gzip_types
        text/plain
        text/css
        text/javascript
        application/json
        application/javascript
        application/xml
        image/svg+xml;

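    # Static file caching (if serving static from nginx)
    location /static/ {
        alias /var/www/example.com/static/;
        expires 30d;
        add_header Cache-Control "public, immutable";
        # An add_header at this level stops inheritance of the server-level
        # add_header lines, so the security headers are repeated here.
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        access_log off;
    }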

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Logging
    access_log /var/log/nginx/example.com.access.log;
    error_log /var/log/nginx/example.com.error.log warn;

}
Features: HTTP:80 → HTTPS, www → non-www, SSL/TLS + HTTP/2, Gzip, Reverse Proxy (Node / Go / Python)
⚠ Setup required

Install certbot: sudo apt install certbot python3-certbot-nginx

Get certificate: sudo certbot --nginx -d example.com -d www.example.com

Auto-renewal is configured automatically by certbot.

Nginx Configuration Generator — Build Production-Ready Configs

This tool generates optimized Nginx configuration files for the most common server setups: reverse proxy for Node.js, Go, and Python backends, static file hosting and single-page applications (React, Vue, Next.js), PHP-FPM for Laravel and WordPress, and load balancing across multiple servers. Each generated config includes SSL/TLS best practices, gzip compression, security headers, and proper logging.

Nginx as a Reverse Proxy

The most common Nginx use case is reverse proxying to a backend application. The proxy_pass directive forwards requests to your Node.js (Express, Fastify), Go (Gin, Echo), Python (Django, Flask, FastAPI), or any HTTP backend. Key headers to pass: X-Real-IP for the client's real IP, X-Forwarded-For for proxy chain tracking, and X-Forwarded-Proto so the backend knows if the original request was HTTPS.
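How a backend behind this proxy can read those headers, as an added example that is not part of the generator's output: `$proxy_add_x_forwarded_for` appends nginx's `$remote_addr` to whatever X-Forwarded-For value the client sent, so only the right-hand entries are written by the proxy. The function names and the trusted-proxy list are assumptions that match the `proxy_pass http://127.0.0.1:3000` setup above.

```python
import ipaddress

# Assumption: the only proxy in front of the app is the local nginx instance,
# which connects to the backend over loopback.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128")]


def is_trusted(addr):
    """True if addr belongs to a proxy we operate ourselves."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the client address the backend may rely on.

    peer_addr:  TCP peer address of the connection to the backend.
    xff_header: raw X-Forwarded-For value, or None if absent.
    """
    peer = ipaddress.ip_address(peer_addr)
    # A connection that bypassed nginx gets no header trust at all.
    if not is_trusted(peer) or not xff_header:
        return str(peer)
    # Walk right to left: the rightmost entry was appended by nginx, anything
    # further left may have been supplied by the client itself.
    for entry in reversed([p.strip() for p in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            break  # malformed entry: stop trusting the header
        if not is_trusted(addr):
            return str(addr)
    return str(peer)


if __name__ == "__main__":
    # Constructed header values (documentation address ranges).
    print(client_ip("127.0.0.1", "203.0.113.7"))
    print(client_ip("127.0.0.1", "10.0.0.1, 198.51.100.23"))
```

X-Real-IP needs no such parsing in this config, because `proxy_set_header X-Real-IP $remote_addr` replaces any value the client sent.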

SSL/TLS Configuration

Modern SSL config should use TLSv1.2 and TLSv1.3 only (TLSv1.0 and 1.1 are deprecated). Enable OCSP stapling to speed up certificate validation, configure session caching to reduce TLS handshake overhead, and add the HSTS header to tell browsers to always use HTTPS. For Let's Encrypt, certbot handles certificate issuance and auto-renewal.

Gzip Best Practices

Enable gzip with compression level 5 (good balance of speed vs size). Set gzip_min_length 256 to skip tiny files where compression overhead exceeds savings. Include all text-based MIME types: CSS, JavaScript, JSON, XML, SVG. Don't compress already-compressed formats (JPEG, PNG, WOFF2) — it wastes CPU for zero benefit.

Load Balancing Methods

Round Robin (default) distributes requests equally. Least Connections sends traffic to the server with fewest active connections — better when request processing times vary. IP Hash ensures the same client always hits the same backend — useful for session-based apps without shared session storage.

Nginx Security Headers

X-Frame-Options: SAMEORIGIN prevents clickjacking by blocking iframe embedding from other domains. X-Content-Type-Options: nosniff stops browsers from MIME-sniffing responses. Referrer-Policy controls how much referrer information is sent with requests. These headers are free performance and security wins — no reason not to enable them.
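A check for the inheritance rule that governs these headers, as an added example that is not part of the tool: nginx applies `add_header` lines from an outer level only when the current level defines none, so a `location` that sets its own header silently drops the server-level ones. The sample config is constructed, and the parser handles only plain directives and blocks.

```python
import re

SECURITY_HEADERS = {"strict-transport-security", "x-frame-options",
                    "x-content-type-options", "referrer-policy"}

# Constructed sample: server-level headers plus a location with its own add_header.
SAMPLE = '''
server {
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    location /static/ { expires 30d; add_header Cache-Control "public, immutable"; }
    location / { proxy_pass http://127.0.0.1:3000; }
}
'''

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')

def parse(tokens):
    """Turn a token iterator into a list of (words, children-or-None) directives."""
    items, words = [], []
    for tok in tokens:
        if tok in ("{", ";"):
            items.append((words, parse(tokens) if tok == "{" else None))
            words = []
        elif tok == "}":
            break
        else:
            words.append(tok.strip("\"'"))
    return items

def audit(items, inherited=frozenset(), path=""):
    """Return [(block, lost_headers)] where a block's own add_header drops inherited ones."""
    own = {w[1].lower() for w, kids in items
           if kids is None and len(w) > 1 and w[0] == "add_header"}
    # nginx inherits add_header from the outer level only when this level sets none.
    effective = frozenset(own) if own else inherited
    lost = (inherited & SECURITY_HEADERS) - effective
    findings = [(path, sorted(lost))] if lost else []
    for w, kids in items:
        if kids is not None:
            child = " ".join(w) if not path else path + " > " + " ".join(w)
            findings += audit(kids, effective, child)
    return findings

def audit_text(conf):
    conf = re.sub(r"(?m)^\s*#.*$", "", conf)  # drop full-line comments
    return audit(parse(iter(TOKEN.findall(conf))))
```

Each finding names a block whose responses would go out without the listed headers; repeating the headers in that block clears it.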

All configuration is generated in your browser — nothing is sent to any server. Use the generated config as a starting point and adjust for your specific needs.
