The "HTTP Redirect" block is missing a "www.example.com" version of the domain. I've encountered problems on redirecting without it.

server_name .{{ domain() }};<!--

It could be something like this: (but is needed to verify if the "www" is checked)

server_name .{{ domain() }} www.{{ domain() }};<!--

File: public/templates/conf/sites-available/example.com.conf.html
Line: 200

Hello. I see in a new version single-file config option is removed? But for what reasons?

Right now the tool points ssl_trusted_certificate to fullchain.pem, but I believe it should just point to chain.pem.

Reference threads:

• https://community.letsencrypt.org/t/how-to-set-ssl-trusted-certificate-in-nginx-configuration-file/41898
• https://community.letsencrypt.org/t/i-am-stuck-at-ssl-trusted-certificate/61314

Thank you!

Is there an intention to create an API to enable generating the config automatically?

That will help much with provisioning tools.

As I've been thrown into the role as system administrator I was thrilled to find nginxconfig.io to help me out with a rock solid WP config. I would very much like to see a version for the rising Statamic CMS as well. Is there any way that could happen?

For example, "single page application", "php application", "progressive web app", "restful api", etc...

Greetings.

Is this config generator works on the 1.15.X version of NGINX?

(Sorry for mu bad English)

When Drupal is configured to use private files, those files should be served by Drupal and not NGINX directly.
# Handle private files through Drupal. Private file's path can come # with a language prefix. location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7 try_files $uri /index.php?$query_string; }

Here is the docs for nginx rate limiting.

https://www.nginx.com/blog/rate-limiting-nginx/

First: very nice project! Thank you very much for giving the world this tool!

Only very little room for optimization:

The sed command for disabling SSL directives leaves the redirect to the ssl site active.

Nice holidays!

Site Main Example code use TLSv1(June 18, 2018, Deprecated ) TLSv1.1((December 20, 2018, Soon)

https://tools.ietf.org/id/draft-moriarty-tls-oldversions-diediedie-00.html

# Generated by nginxconfig.io

user www-data;
pid /run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;

events {
	multi_accept on;
	worker_connections 65535;
}

http {
	charset utf-8;
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	server_tokens off;
	log_not_found off;
	types_hash_max_size 2048;
	client_max_body_size 16M;

	# MIME
	include mime.types;
	default_type application/octet-stream;

	# logging
	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log warn;

	# SSL
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;

	# Diffie-Hellman parameter for DHE ciphersuites
	ssl_dhparam /etc/nginx/dhparam.pem;

	# intermediate configuration
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
	ssl_prefer_server_ciphers on;

	# OCSP Stapling
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
	resolver_timeout 2s;

	# load configs
	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}

https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/

specifically, add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Hello and thanks for this awesome project.

Currently when you select something with a reverse proxy (eg: https://nginxconfig.io/?0.php=false&0.proxy&client_max_body_size=41 ) you get this snipped in your example.com.conf:

# reverse proxy
	location / {
		proxy_pass http://127.0.0.1:3000;
		include nginxconfig.io/proxy.conf;
	}

But the config file include nginxconfig.io/proxy.conf is not displayed. Worked a (few) week(s) ago but not anymore.

Also I don't get any JS errors, have enabled and disabled an adblocker and tried it on latest Chrome on Windows and lates Chromium on Linux

Hello, I had a strange problem and finally figured it out.

Problem

When I use the configuration to proxy content like with this configuration: https://nginxconfig.io/?0.domain=192.168.1.198&0.https=false&0.php=false&0.proxy&0.proxy_pass=http:%2F%2F192.168.1.119:8080%2F&user=nginx&pid=%2Frun%2Fnginx%2Fnginx.pid&client_max_body_size=100

My page looks like this:

But when I go to the /etc/nginx/nginxconfig.io/general.conf and comment out these parts:

# assets, media
location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$
{
        expires 7d;
        access_log off;
}

# svg, fonts
location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
        add_header Access-Control-Allow-Origin "*";
        expires 7d;
        access_log off;
}

then it works

The reason for this is, that the "location" settings will just be appended to the .conf file of the site.

Which means, if these location blocks don't also have the proxy pass lines (which doesn't even work at the moment see #57 ) the site won't forward any images,etc.

Solution

When user specifies that they want to use a proxy, the cache directives will have to be added to the server block (after the inclusion of general.conf) and will have to include the proxy pass thing. like so:

server {
	listen 80;
	listen [::]:80;

	server_name 192.168.1.198;

	# reverse proxy
	location / {
		proxy_pass http://192.168.1.119:8080/;
		include nginxconfig.io/proxy.conf;
	}
    include nginxconfig.io/general.conf;

    # assets, media
    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
        expires 7d;
        access_log off;
        proxy_pass http://192.168.1.119:8080/;
        include nginxconfig.io/proxy.conf;
    }

    # svg, fonts
    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
        add_header Access-Control-Allow-Origin "*";
        expires 7d;
        access_log off;
        proxy_pass http://192.168.1.119:8080/;
        include nginxconfig.io/proxy.conf;
    }

	
}

and also relevant cache strategies

Also I'll use this issue to say this project is very useful even without this requested feature, I'm bookmarking it and sharing too :)

Please check this regex in nginxconfig.io/wordpress.conf

# WordPress: deny wp-content/plugins nasty stuff location ~* ^/wp-content/plugins/.*\.(?!css(\.map)?|js(\.map)?...) { deny all; }

/wp-content/plugins/responsive-lightbox/assets/swipebox/css/swipebox.css --> ALLOW
/wp-content/plugins/responsive-lightbox/assets/swipebox/css/swipebox.min.css --> DENY
/wp-content/plugins/responsive-lightbox/assets/swipebox/js/jquery.swipebox.js --> DENY
/wp-content/plugins/responsive-lightbox/assets/swipebox/js/jquery.swipebox.min.js --> DENY

It means:

/wp-content/plugins/xxx.{allow_extension} --> OK
/wp-content/plugins/xxx.yyy.{allow_extension} --> Not working

This is happening in Chrome 64 and Epiphany 3.26. However it is not happening in Firefox 58. I'm using nginx:latest and php:fpm inside of Docker.

'X-Content-Type-Options "nosniff" always' is enabled:

'X-Content-Type-Options "nosniff" always' is disabled:

This is my /etc/nginx/conf.d/default.conf (really the only modification I made was to "fastcgi_pass"):

server {
    listen 80;
    listen [::]:80;

    server_name localhost;
    set $base /var/www/html;
    root $base/public;

    # index
    index index.php;

    # $uri, index.php
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header Content-Security-Policy "default-src * 'unsafe-eval' 'unsafe-inline'" always;
    
    # . files
    location ~ /\. {
        deny all;
    }
    
    # assets, media
    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
        expires 7d;
        access_log off;
    }
    
    # svg, fonts
    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff|woff2)$ {
        add_header Access-Control-Allow-Origin "*";
        expires 7d;
        access_log off;
    }
    
    # gzip
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;

    # handle .php
    location ~ \.php$ {
        try_files $uri =404;
        
        # fastcgi
        #fastcgi_pass                unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_pass                php:9000;
        fastcgi_index               index.php;
        fastcgi_split_path_info     ^(.+\.php)(/.+)$;
        fastcgi_param               SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param               PHP_ADMIN_VALUE open_basedir=$base/:/usr/lib/php/:/tmp/;
        fastcgi_intercept_errors    off;
        
        fastcgi_buffer_size             128k;
        fastcgi_buffers                 256 16k;
        fastcgi_busy_buffers_size       256k;
        fastcgi_temp_file_write_size    256k;
        
        # default fastcgi_params
        include fastcgi_params;
    }
}

# subdomains redirect
server {
    listen 80;
    listen [::]:80;

    server_name *.localhost;

    return 301 https://localhost$request_uri;
}

I only had to add the stuff for location ^~ /thumbs to your config and it worked.

just like

location = /favicon.ico {
  log_not_found off;
  access_log off;
  return 404;
}

I'd love to see support for Nginx servers binding to specific IPs for servers that have more than one IP. I know this is super simple to do after the general configuration files have been generated, but it may prove useful for people that may not be sure how to do it.

NGINX publishes container images in Docker hub that includes default configuration and layout:
https://github.com/nginxinc/docker-nginx/tree/master/mainline/alpine

The default configuration of the containers differs in subtle ways; like user being nginx, pid being /var/run/nginx.pid; etc. I realize this tool provides sections to setup these values and thus match the values in container. However, I was wondering whether the tool could have out-of-the-box support for configuration to be put in the Docker container image. Perhaps a checkbox in 'Tools' section that indicates that deployment will be via Docker. If checked, the recommended configuration could be optimized for docker deployments.

This would make it even easier for beginners to do it the right way, could also add a preview for the regex so it's easy to see what the results will become.

Create a downloadable package from generated config files.

In php_fastcgi.conf there is this rule fastcgi_split_path_info ^(.+\.php)(/.+)$; which does not work because the location regex only matches \.php$.

It will be more useful to match [^/]\.php(/|$) in the location regex.

After I added config generated by the website to my site-available/domain.conf file I get the following warnings.

nginx: [warn] conflicting server name ".domain.com" on 0.0.0.0:80, ignored

Here's my domain.com conf file

server {
    listen 443 ssl http2;
	listen [::]:443 ssl http2;

    server_name domain.com;


    access_log /var/log/nginx/domain.com.access.log rt_cache;
    error_log /var/log/nginx/domain.com.error.log;


    root /var/www/domain.com/htdocs;

    index index.php index.html index.htm;


    include common/wpfc-php7.conf;  
    
    include common/wpcommon-php7.conf;
    include common/locations-php7.conf;
    include /var/www/domain.com/conf/nginx/*.conf;
}

# subdomains redirect
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name *.domain.com;

	return 301 https://domain.com$request_uri;
}

# HTTP redirect
server {
	listen 80;
	listen [::]:80;

	server_name .domain.com;

	location / {
		return 301 https://domain.com$request_uri;
	}
}

This is happening to all my website where I used a similar configuration.

Let me know if I'm missing something.

Should it be fixed? Should it be fixed?

• https://code.facebook.com/posts/557147474482256/this-browser-tweak-saved-60-of-requests-to-facebook/
• https://bitsup.blogspot.com/2016/05/cache-control-immutable.html
  • https://hacks.mozilla.org/2017/01/using-immutable-caching-to-speed-up-the-web/
• https://www.keycdn.com/blog/cache-control-immutable
• https://blog.fortrabbit.com/mastering-http-caching

Browser Support

• Firefox - supported since Firefox 49
• Microsoft Edge - supported since Edge 15
• Chrome - Not supported as Chrome already has a feature implemented that prevents subresource revalidation on reload
• Safari - Supported in Safari Technology Preview 24

# add_header Cache-Control "public,max-age=3600,immutable";
# add_header Cache-Control "public,max-age=604800,immutable";
# add_header Cache-Control "public,max-age=31536000,immutable";

Would be great to have a single button support for let's encrypt configuration.

Would also be great to allow multiple site on the same page. Just click add to add another site into the multi-sites config.

Thanks for this!

It would be nice to have Magento 1.x and 2.x specific config.

Content security policy configurator and/or security level validator as in https://csp-evaluator.withgoogle.com/

Anyway the default policy is too insecure.

Hi ,

Can you add OIDC Auth -
https://github.com/tarachandverma/nginx-openidc ?

Please add support for hhvm and fallback to php-fpm and vice versa

If I knew how to do this I would do a PR instead of creating an issue

When using a separated file structure it is best to define the log path to be specific to that domain.

For example;

access_log /var/log/nginx/domain.com_access_log;
error_log /var/log/nginx/domain.com_error_log;

Leaving the defaults in /etc/nginx/nginx.conf shouldn't matter but the above should be followed (or very close to it) when doing multi domains for diagnostic purposes.

from /etc/nginx/nginxconfig.io/php_fastcgi.conf
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
change to
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;

Thank.

When I run " # HTTPS - certbot (before first run): create ACME-challenge common directory"
I got error: "mkdir: cannot create directory ‘/var/www/_letsencrypt’: Permission denied"
Environment: AWS Ubuntu 18.04

This website is a very good idea.

I mainly use Python as a backend language (not PHP, have you ever tried Python? ;-) ). To use nginx with Python, the WSGI interface was defined. Do you think that Python support could be added to nginxconfig.io?

Some starting points could be:

• https://uwsgi-docs.readthedocs.io/en/latest/Nginx.html
• https://uwsgi-docs.readthedocs.io/en/latest/tutorials/Django_and_nginx.html
• http://docs.gunicorn.org/en/stable/deploy.html
• https://www.digitalocean.com/community/tutorials/how-to-serve-flask-applications-with-gunicorn-and-nginx-on-ubuntu-16-04

sites-enabled are intended to be symlinked from sites-available, allowing the ability to disable a site without deleting the config.

Details;

Change /etc/nginx/sites-enabled/example.com.conf to /etc/nginx/sites-available/example.com.conf

Add command ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled/example.com.conf

if access device is mobile ,please redirect to mobile directory or mobile domain

Example: https://itnext.io/docker-rails-puma-nginx-postgres-999cd8866b18#d08e

As described in Weak DH section 2, it is not reccomended to use distribution default DH params.

Solution (as described here) is to generate own dh param file, and then use ssl_dhparam statement.

Hi. I am looking for advise. I using TeamCity server behind Nginx reverse proxy. Recently faced a problem when Nginx deny to download zip files from path my-site/some-url/.teamcity/coverage_idea/coverage.zip
My workaround looks like:
location ~ /\.(?!well-known|teamcity) { deny all; }
But I wish to be more precise. Should I include "allow-block" in reverse-proxy block?

Can wordpress rule cover subdirectory or just root directory?

Excuse me if im missing something here but won't this config always redirect to www.example.org, regardless of subdomain?

# non-www, subdomains redirect
server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_name .example.org;

        # SSL
        ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/example.org/fullchain.pem;

        return 301 https://www.example.org$request_uri;
}

This is the default if you want both www redirect and a cdn(or any cdn for that matter)
Should it not be server_name example.org instead of .example.org

I tried to pull request but guess that I don't have the permissions to do pull request.

Commit: https://github.com/rafaelfesi/nginxconfig.io/pull/1/commits/61e31cd1253f096afd369de1823a8ef8d9b7b169

It would be good to add known, privacy-first DNS lookup options for OCSP Stapling.

i.e 1.1.1.1, 1.0.0.1

When using the "preset" section up top (switching between frontend, backend, Node.js etc.) some properties seems to be applied before the UI has been updated, leading to the new value/setting not registering properly. I noticed this with the Routing tab, connected to the PHP enabled setting.

To easily reproduce, apply either the Frontend or Node.js preset, any one where PHP is not enabled.
Then switch to to a preset where PHP is enabled and the index is index.php, such as backend, Wordpress or Drupal.

At this point PHP becomes enabled, but the index is never set to index.php.

If at this point you click the preset button again, same one again, the index is set to the correct value.

My guess/assumption is that the php setting is applied after the index setting, thus invalidating the new index setting as it tries to apply it before index.php is considered a valid choice.

Attaching a screen recording of the issue.

In the subdomain section.

	# subdomains redirect
	server {
		listen 443 ssl http2;
		listen [::]:443 ssl http2;
	
		server_name *.my.domain.com;
	
		# SSL
		include _ssl.conf;
		ssl_certificate /etc/letsencrypt/live/my.domain.com/fullchain.pem;
		ssl_certificate_key /etc/letsencrypt/live/my.domain.com/privkey.pem;
	
		return 301 https://my.domain.com$request_uri;
	}

When creating a new config and unchecking the Modularized structure under common tools section, the server_name, redirect, and ssl_trusted_certificate directives lose the domain.

      `server {
	listen :443 ssl http2;
	listen []:443 ssl http2;

	server_name ;
	set $base /srv/www/domains/domain.com/magento/v230;
	root $base;

	# SSL
	ssl_certificate /etc/letsencrypt/live/magento.domain.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/magento.domain.com/privkey.pem;
	ssl_trusted_certificate /etc/letsencrypt/live//chain.pem; `

And the redirect server block:

   `# HTTP redirect
server {
	listen :80;
	listen []:80;

	server_name .;

	# ACME-challenge
	location ^~ /.well-known/acme-challenge/ {
		root /var/www/_letsencrypt;
	}

	location / {
		return 301 https://$request_uri;
	}
}`

It also appears that the listen port is incorrect and the : is not required for ipv4 and the ipv6 listen should be [::]

To make sure everything is working as intended :)

Hi. First of all, I must thank you for a great tool.
Did I miss it or there is no functionality for proxying specific ports?

In my case, there is a Node application that works on port 3000 (http://127.0.0.1:3000) and can be accessible from outside, even without Nginx. It would be great to add functionality to generate config for proxying all incoming traffic on port 80 (443) to specific port. Just like that:

location @server.app {
    proxy_pass http://127.0.0.1:3000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;

Perhaps it can be done via upstream? Really, I dont know, still new to Nginx:

http {
  upstream server.app {
    server 127.0.0.1:3000
}
  server {
    listen 80;
    server_name www.domain.com;
    location / {
      proxy_pass http://server.app 
    }
}
}