Where do I put the generated config?

On most systems, save the server block in /etc/nginx/conf.d/yourdomain.conf or /etc/nginx/sites-available with a symlink into sites-enabled. The limit_req_zone line, when rate limiting is on, must live in the http{} context, not inside a server block.

What does SSL termination mean here?

SSL termination means Nginx handles the encrypted HTTPS connection from the client and decrypts it, then talks plain HTTP to your backend or serves files directly. The config also adds a separate port 80 server that 301-redirects all traffic to HTTPS.

Why use try_files for static serving?

try_files $uri $uri/ =404 tells Nginx to look for the requested file, then a matching directory, and return a clean 404 if neither exists. It prevents path traversal surprises and gives predictable behaviour for missing files.

What do the proxy_set_header lines do?

They forward the original request details to your backend: Host preserves the requested domain, X-Real-IP and X-Forwarded-For carry the client IP through the proxy, and X-Forwarded-Proto tells the backend whether the original request was HTTP or HTTPS.

Is rate limiting enough to stop abuse?

limit_req with a 10 r/s zone and burst of 20 smooths out spikes and slows brute-force attempts, but it is per-IP and not a full DDoS defence. Combine it with a WAF or upstream protection for serious attacks. After editing, always run nginx -t to validate.

Nginx Config Builder

An Nginx config builder that generates a complete, valid server block for the most common setups: serving static files, acting as a reverse proxy, terminating SSL, or all three. Toggle gzip, security headers, and rate limiting and copy a config you can drop straight into Nginx.

How it works

The tool assembles a standard Nginx server { ... } block from your choices. In static mode it sets a root, an index, and a try_files $uri $uri/ =404; rule. In reverse proxy mode it emits a proxy_pass to your upstream along with the four headers Nginx should forward — Host, X-Real-IP, X-Forwarded-For, and X-Forwarded-Proto — plus proxy_http_version 1.1.

When SSL is enabled it generates two server blocks: one on port 80 that issues a 301 https://$host$request_uri redirect, and the main block on port 443 with ssl on, modern protocols (TLSv1.2 TLSv1.3), and Let’s Encrypt certificate paths. Security headers add X-Frame-Options, X-Content-Type-Options: nosniff, a referrer policy, and HSTS when SSL is on. Rate limiting declares a limit_req_zone and applies limit_req zone=reqlimit burst=20 nodelay; inside the location.

Tips and notes

The limit_req_zone directive must sit in the http context (the top of nginx.conf), not inside the server block — the generated comment marks it for you.
Replace the Let’s Encrypt certificate paths if you manage certificates differently; the domain in those paths is filled from your server name.
Never long-cache index.html; for hashed static assets you can add a separate location with expires 1y; and Cache-Control: immutable.
Always validate before reloading: nginx -t checks syntax, then nginx -s reload applies the change with zero downtime.

Nginx Config Builder

Email me this result

How it works

Tips and notes