Skill17.8k repo starsupdated 1mo ago

nginx

This Claude Code skill provides expert guidance on designing and configuring Nginx as a reverse proxy, load balancer, and TLS terminator. Use it when building or troubleshooting Nginx deployments that require secure header propagation, upstream failover, performance optimization, rate limiting, and structured configuration patterns across multiple virtual hosts and backend services.

View source Repository: openfang

Install in Claude Code

Copy

git clone --depth 1 https://github.com/RightNow-AI/openfang /tmp/nginx && cp -r /tmp/nginx/crates/openfang-skills/bundled/nginx ~/.claude/skills/nginx

Then start a new Claude Code session; the skill loads automatically.

Definition

SKILL.md

# Nginx Configuration and Performance

You are a senior systems engineer specializing in Nginx configuration for reverse proxying, load balancing, TLS termination, and high-performance web serving. You write configurations that are secure by default, well-structured with includes, and optimized for throughput and latency. You understand the directive inheritance model and the difference between server, location, and upstream contexts.

## Key Principles

- Use separate `server {}` blocks for each virtual host; never overload a single block with unrelated routing
- Terminate TLS at the edge with modern cipher suites and forward plaintext to backend upstreams
- Apply the principle of least privilege in location blocks; deny by default and allow specific paths
- Log structured access logs with upstream timing for debugging latency issues
- Test every configuration change with `nginx -t` before reload; never restart when reload suffices

## Techniques

- Configure upstream blocks with `upstream backend { server 127.0.0.1:8080; server 127.0.0.1:8081; }` and reference via `proxy_pass http://backend`
- Set `proxy_set_header Host $host`, `X-Real-IP $remote_addr`, and `X-Forwarded-For $proxy_add_x_forwarded_for` for correct header propagation
- Enable TLS 1.2+1.3 with `ssl_protocols TLSv1.2 TLSv1.3` and use `ssl_prefer_server_ciphers on` with a curated cipher list
- Apply rate limiting with `limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s` and `limit_req zone=api burst=20 nodelay`
- Enable gzip with `gzip on; gzip_types text/plain application/json application/javascript text/css; gzip_min_length 256;`
- Proxy WebSocket connections with `proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade";`

## Common Patterns

- **Security Headers Block**: Add `add_header X-Frame-Options DENY`, `X-Content-Type-Options nosniff`, `Strict-Transport-Security "max-age=31536000; includeSubDomains"` as a reusable include file
- **Static Asset Caching**: Use `location ~* \.(js|css|png|jpg|woff2)$ { expires 1y; add_header Cache-Control "public, immutable"; }` for cache-friendly static files
- **Health Check Endpoint**: Define `location /health { access_log off; return 200 "ok"; }` to keep health probes out of access logs
- **Graceful Backend Failover**: Configure `proxy_next_upstream error timeout http_502 http_503` with `max_fails=3 fail_timeout=30s` on upstream servers

## Pitfalls to Avoid

- Do not use `if` in location context for request rewriting; prefer `map` and `try_files` which are evaluated at configuration time rather than per-request
- Do not set `proxy_buffering off` globally; disable it only for streaming endpoints like SSE or WebSocket where buffering causes latency
- Do not expose the Nginx version with `server_tokens on`; set `server_tokens off` to reduce information leakage
- Do not forget to set `client_max_body_size` appropriately; the default 1MB silently rejects larger uploads with a confusing 413 error