
NGINX web optimisation



Optimising the nginx configs will improve both the security and the performance of your website.

TODO: Headers

These response headers tell the browser what it may load and how the content may be used. They need to be added to each file in sites-available for every site that should send them.

sudo vim /etc/nginx/sites-available/

Put them inside the server block. If certbot/SSL is set up, add them to the block listening on port 443 (HTTPS).

# These apply to the whole server block. Beware: an add_header inside a location
# block replaces (rather than extends) the headers inherited from the server level.
# HSTS with preload commits every subdomain to HTTPS; only keep preload once that is true.
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
# 'self' only: inline scripts/styles and third-party assets will be blocked, so test first.
add_header Content-Security-Policy "default-src 'self';" always;
add_header X-Frame-Options SAMEORIGIN always;
# Legacy header; modern browsers ignore it and CSP supersedes it.
add_header X-XSS-Protection "1" always;
add_header X-Content-Type-Options nosniff always;

Gzip Compression

Compressing the data sent to the client is a simple way to save some bandwidth and gain a bit of speed.

sudo vim /etc/nginx/nginx.conf

This goes inside the http block. There is most likely already a gzip section, so find it and replace it with the below; otherwise just add it to the http block.

##
# Gzip Settings
##

gzip on;
gzip_disable "msie6";     # old IE 6 mishandles compressed responses
gzip_min_length 256;      # tiny responses gain nothing from compression

gzip_vary on;             # send Vary: Accept-Encoding so caches keep both variants
gzip_proxied any;         # also compress responses to proxied requests
gzip_comp_level 6;        # sensible size/CPU trade-off; higher levels cost CPU for little gain
gzip_buffers 16 8k;
gzip_http_version 1.1;

# text/html is always compressed and must not be listed here (nginx warns on the duplicate)
gzip_types
  application/atom+xml
  application/geo+json
  application/javascript
  application/x-javascript
  application/json
  application/ld+json
  application/manifest+json
  application/rdf+xml
  application/rss+xml
  application/xhtml+xml
  application/xml
  font/eot
  font/otf
  font/ttf
  image/svg+xml
  text/css
  text/javascript
  text/plain
  text/xml;

TODO: Brotli Compression

Brotli is a newer, less used contender in the web compression space, but I've heard good things. I'll add this section once I've tested its performance against gzip myself.

TODO: SSL Tweaks

HTTP/2

HTTP/2 is the newer version of HTTP. It allows for parallel downloading over a single connection, among other niceties. I believe Certbot does this for you when setting up SSL for a site, but if that changes, or you've used a different SSL cert, you can set this manually.

sudo vim /etc/nginx/sites-available/

Alter the existing listen lines for port 443 to append http2, keeping the ssl parameter that is already there (browsers only speak HTTP/2 over TLS):

listen 443 ssl;

to

listen 443 ssl http2;

After an nginx reload, check this by looking for HTTP/2 in the status line returned by the below curl command:

curl -I -L https://
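As an added check that is not part of the original notes, the POSIX sh script below audits a curl header dump for everything configured on this page: the security headers, gzip with its Vary header, and HTTP/2. example.com is a placeholder for your own site.

```shell
#!/bin/sh
# Added example, not from the original notes: audit a curl header dump for the
# hardening configured above (security headers, gzip, HTTP/2). Live use (placeholder host):
#   curl -s -D - -o /dev/null --compressed https://example.com | check_nginx_hardening
# A GET with --compressed is used because nginx does not gzip HEAD responses.
# check_nginx_hardening: reads raw response headers on stdin, prints one line
# per check and returns the number of failed checks (0 = everything present).
check_nginx_hardening() {
    # curl emits CRLF; header names are case-insensitive, so normalise to lowercase
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
    fails=0
    for check in \
        'http2|^http/2 ' \
        'hsts|^strict-transport-security: max-age=' \
        'csp|^content-security-policy: ' \
        'frame-options|^x-frame-options: sameorigin' \
        'nosniff|^x-content-type-options: nosniff' \
        'gzip|^content-encoding: gzip' \
        'vary|^vary: .*accept-encoding'
    do
        name=${check%%|*}
        pattern=${check#*|}
        if printf '%s\n' "$hdrs" | grep -q "$pattern"; then
            echo "ok       $name"
        else
            echo "MISSING  $name"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}
# count_missing: number of failed checks for the header dump passed as $1
count_missing() {
    printf '%s\n' "$1" | check_nginx_hardening | grep -c MISSING || true
}
# Constructed sample dump: what a site configured per these notes should return
SAMPLE_OK=$(cat <<'EOF'
HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-security-policy: default-src 'self';
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
content-encoding: gzip
vary: Accept-Encoding
EOF
)
printf '%s\n' "$SAMPLE_OK" | check_nginx_hardening
```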

TODO: Cache Files, and Images

TODO: Limit requests

To blunt potential DoS attacks and web scrapers, the number of requests and connections allowed per IP can be limited.

TODO: Redirect www/non-www to each other

People still type www. before a domain, even if it's not required. Cringe