How to Use Nginx on Linux Server in 2026? – Full Setup Instructions

To use Nginx on a Linux server, install the Nginx package, open firewall ports 80/443, start and enable the service, then configure server blocks in /etc/nginx to serve websites or reverse proxy apps.

Test the configuration with nginx -t, reload to apply changes, and add SSL/TLS with Certbot for HTTPS.

If you’re wondering how to use Nginx on a Linux server, this guide walks you through installation, configuration, reverse proxying, SSL setup, tuning, security, and troubleshooting.

Written for beginners and ambitious intermediates, it reflects real-world hosting experience so you can deploy faster and avoid common pitfalls.

What is Nginx and Why Use it?

Nginx is a high‑performance web server and reverse proxy known for efficiency, low memory usage, and excellent concurrency. It serves static sites, proxies apps (Node.js, Python, PHP-FPM), terminates TLS/SSL, and load balances traffic.

Compared with traditional servers, Nginx excels at handling thousands of connections, making it ideal for modern web workloads.

Prerequisites and Quick Checklist

Before you begin, confirm the following:

  • Linux server (Ubuntu/Debian or RHEL-family like AlmaLinux/Rocky) with sudo access
  • Domain pointed to your server’s public IP (A/AAAA DNS records)
  • Firewall allowing ports 80 (HTTP) and 443 (HTTPS)
  • Basic terminal familiarity (SSH, editing files)

Install Nginx on Linux

Debian/Ubuntu

sudo apt update
sudo apt install -y nginx
sudo systemctl enable --now nginx
sudo ufw allow 'Nginx Full'  # or: sudo ufw allow 80,443/tcp

RHEL/AlmaLinux/Rocky Linux

sudo dnf install -y epel-release
sudo dnf install -y nginx
sudo systemctl enable --now nginx
# Firewalld
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload

Verify and Manage the Service

systemctl status nginx
sudo nginx -t        # syntax check
sudo systemctl reload nginx
sudo systemctl restart nginx

Visit http://your-domain or http://server-ip to confirm the Nginx welcome page loads.

Serve a Static Website with Server Blocks

Server blocks (virtual hosts) let you host multiple sites on one server. The idea is: create a web root, add site content, define a server block, enable it, and reload Nginx.

Create Web Root and Test Page

sudo mkdir -p /var/www/example.com/html
sudo chown -R $USER:$USER /var/www/example.com
cat > /var/www/example.com/html/index.html <<'EOF'
<h1>Hello from Nginx on Linux</h1>
EOF

Add a Server Block (Debian/Ubuntu)

sudo nano /etc/nginx/sites-available/example.com

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    root /var/www/example.com/html;
    index index.html;

    access_log /var/log/nginx/example.com.access.log;
    error_log  /var/log/nginx/example.com.error.log;

    location / {
        try_files $uri $uri/ =404;
    }
}

sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

Add a Server Block (RHEL/AlmaLinux/Rocky)

RHEL-family uses a single nginx.conf by default. Create a directory for vhosts and include it.

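sudo mkdir -p /etc/nginx/conf.d/sites
# Put this line inside the http { } block of nginx.conf; appended at the end
# of the file it sits outside http { } and nginx -t rejects the server block:
#     include /etc/nginx/conf.d/sites/*.conf;
sudo nano /etc/nginx/nginx.conf
sudo nano /etc/nginx/conf.d/sites/example.com.conf

server {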
    listen 80;
    server_name example.com www.example.com;

    root /var/www/example.com/html;
    index index.html;

    access_log /var/log/nginx/example.com.access.log;
    error_log  /var/log/nginx/example.com.error.log;

    location / {
        try_files $uri $uri/ =404;
    }
}

sudo nginx -t
sudo systemctl reload nginx

Use Nginx as a Reverse Proxy (Node.js, Python, PHP-FPM)

Reverse proxying lets Nginx handle client connections and forward requests to your app (e.g., Node.js on port 3000, Gunicorn/uvicorn on 8000, or PHP-FPM via fastcgi_pass). This improves performance, security, and TLS handling.

Basic Reverse Proxy Configuration

upstream app_backend {
    server 127.0.0.1:3000;
    # server 127.0.0.1:3001;  # add more for redundancy
}

server {
    listen 80;
    server_name app.example.com;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        proxy_pass http://app_backend;
    }
}

WebSocket Support (if your app needs it)

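location /socket.io/ {
    proxy_http_version 1.1;  # WebSocket upgrade needs HTTP/1.1 to the backend
    proxy_set_header Host $host;  # headers set in "location /" are not inherited here
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_pass http://app_backend;
}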

Enable HTTPS with Let’s Encrypt (Certbot)

HTTPS is non‑negotiable. Let’s Encrypt provides free TLS certificates. Certbot automates issuance and renewal.

Debian/Ubuntu

sudo apt remove certbot -y 2>/dev/null || true
sudo snap install core && sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot --nginx -d example.com -d www.example.com
# Test renewal
sudo certbot renew --dry-run

RHEL/AlmaLinux/Rocky

sudo dnf install -y certbot python3-certbot-nginx
sudo certbot --nginx -d example.com -d www.example.com
sudo systemctl list-timers | grep certbot  # confirm timer

Certbot updates your Nginx config to redirect HTTP to HTTPS and configures secure ciphers by default. Always verify with nginx -t before reloading.

Performance Tuning Basics

Tune Workers and Connections

# /etc/nginx/nginx.conf (within the main context)
worker_processes auto;
events {
    worker_connections 1024;  # increase for high traffic
    multi_accept on;
}

Enable Compression and HTTP/2

# http context
gzip on;
gzip_types text/plain text/css application/json application/javascript application/xml+rss application/xml image/svg+xml;
gzip_min_length 1024;

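# In your HTTPS server block
# (nginx 1.25.1+ deprecates the http2 listen parameter; there, use
#  "listen 443 ssl;" together with "http2 on;")
listen 443 ssl http2;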

Brotli can outperform gzip but requires the brotli module or dynamic build. Use one compression method at a time.

Microcaching for Dynamic Apps (Optional)

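proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=MICRO:10m max_size=1g inactive=60m;
server {
    # ...
    location / {
        # The default cache key ignores cookies and Authorization, so a
        # personalized response that carries neither Set-Cookie nor a
        # Cache-Control: private/no-store header is cached and served to
        # other users. Exclude logged-in traffic with proxy_cache_bypass
        # and proxy_no_cache before enabling this.
        proxy_cache MICRO;
        proxy_cache_valid 200 1s;
        proxy_pass http://app_backend;
    }
}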

Security Hardening Essentials

  • Hide Nginx version: set server_tokens off; in http context.
  • Strict TLS: prefer strong ciphers, enable HSTS if you serve only HTTPS.
  • Limit request size: client_max_body_size 10M; to prevent oversized uploads.
  • Rate limiting: use limit_req_zone to throttle abusive IPs.
  • Least privilege: keep file permissions tight; Nginx should read, not own, content.
  • SELinux/AppArmor: on RHEL, allow Nginx to connect to backends with setsebool -P httpd_can_network_connect 1 if reverse proxying.

# /etc/nginx/snippets/security.conf (include in server blocks)
server_tokens off;

# Rate limit example
# Define the zone once in the http context; limit_req_zone is not valid
# inside a server block, so keep it out of a snippet included there.
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;

# In a server/location:
limit_req zone=one burst=20 nodelay;
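
One way to check a configuration against the checklist above, as an added example that is not code from the original article. The function names and the sample config are constructed for illustration, and the checks only test whether each directive appears somewhere in the dump, not in which server block.

```sh
#!/bin/sh
# Added example: check a config dump for the hardening items listed above.
# On a real host, create the dump with:  sudo nginx -T > nginx-full.conf

# audit_nginx_conf FILE
# Prints one line per missing item; the return status is the finding count.
audit_nginx_conf() {
    # Strip comments so a commented-out directive does not count as present.
    _conf=$(sed -e 's/[[:space:]]*#.*$//' "$1")
    _missing=0
    # _has REGEX: true if a directive matching REGEX starts a statement.
    _has() { printf '%s\n' "$_conf" | grep -Eq "(^|[[:space:]{;])$1"; }
    _check() {  # _check LABEL REGEX
        _has "$2" && return 0
        echo "MISSING: $1"
        _missing=$((_missing + 1))
    }
    _check 'server_tokens off'    'server_tokens[[:space:]]+off[[:space:]]*;'
    _check 'client_max_body_size' 'client_max_body_size[[:space:]]'
    _check 'limit_req_zone'       'limit_req_zone[[:space:]]'
    _check 'limit_req'            'limit_req[[:space:]]+zone='
    # HSTS is only expected once a TLS listener exists.
    if _has 'listen[[:space:]][^;]*[[:space:]]ssl[[:space:];]'; then
        _check 'Strict-Transport-Security' 'add_header[[:space:]]+Strict-Transport-Security'
    fi
    return "$_missing"
}

# Constructed sample: server_tokens is commented out, the rate-limit zone is
# defined but never applied, and the TLS listener sends no HSTS header.
sample_weak_conf() {
    cat <<'EOF'
http {
    # server_tokens off;
    limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
    server {
        listen 443 ssl http2;
        server_name example.com;
        client_max_body_size 10M;
        location / { try_files $uri $uri/ =404; }
    }
}
EOF
}

demo=$(mktemp) && sample_weak_conf > "$demo"
audit_nginx_conf "$demo" || echo "findings: $?"
rm -f "$demo"
```

A non-zero return status makes the function usable as a gate in a deployment script, next to nginx -t.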

Logs, Monitoring, and Troubleshooting

Nginx logs are your first line of visibility.

  • Access log: /var/log/nginx/access.log or per‑site logs
  • Error log: /var/log/nginx/error.log or per‑site logs

sudo tail -f /var/log/nginx/error.log
sudo tail -f /var/log/nginx/access.log
sudo nginx -t
sudo systemctl status nginx
sudo journalctl -u nginx -e
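
An added example (not part of the original article) that reads the access log to show which clients a limit such as rate=10r/s would affect before it is enforced, and which clients are being rejected afterwards. It assumes the default combined log format and uses fixed one-second buckets as an approximation of Nginx's limiter; the function names and log lines are constructed.

```sh
#!/bin/sh
# Added example: size a limit_req rate from the access log before enforcing it.
# Assumes the "combined" log format: $1 = client IP, $4 = [timestamp with
# one-second resolution, $9 = response status.

# peak_rate LOG THRESHOLD
# Prints "<ip> <peak>" for every client whose busiest second exceeds
# THRESHOLD requests, busiest first.
peak_rate() {
    awk -v max="$2" '
        { n[$1 SUBSEP $4]++
          if (n[$1 SUBSEP $4] > peak[$1]) peak[$1] = n[$1 SUBSEP $4] }
        END { for (ip in peak) if (peak[ip] > max) print ip, peak[ip] }
    ' "$1" | sort -k2,2nr -k1,1
}

# throttled LOG
# Once limit_req is live, rejected requests are logged with status 503
# (the limit_req_status default). A 503 can also come from a backend, so
# read the result next to the error log. Prints "<ip> <count>" per client.
throttled() {
    awk '$9 == 503 { c[$1]++ } END { for (ip in c) print ip, c[ip] }' "$1" |
        sort -k2,2nr -k1,1
}

# Constructed sample log: 203.0.113.9 sends 25 requests within one second,
# 3 of them logged with 503; 198.51.100.7 browses normally.
sample_log() {
    i=1
    while [ "$i" -le 25 ]; do
        if [ "$i" -gt 22 ]; then s=503; else s=200; fi
        printf '203.0.113.9 - - [12/Jan/2026:10:00:01 +0000] "GET /login HTTP/1.1" %s 512 "-" "curl/8.5"\n' "$s"
        i=$((i + 1))
    done
    echo '198.51.100.7 - - [12/Jan/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'
    echo '198.51.100.7 - - [12/Jan/2026:10:00:02 +0000] "GET /style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'
}

log=$(mktemp) && sample_log > "$log"
peak_rate "$log" 10   # clients that rate=10r/s would affect
throttled "$log"      # clients already being rejected
rm -f "$log"
```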

Common Errors and Fixes

  • 403 Forbidden: wrong permissions or missing index; ensure web root is readable by Nginx user and index exists.
  • 404 Not Found: incorrect root or try_files; verify the path and that server_name matches the Host header.
  • 502 Bad Gateway: backend down or wrong upstream; confirm app is listening and upstream definition matches.
  • SSL issues: mixed content or expired certs; renew with certbot renew and fix hardcoded http URLs.

Load Balancing with Nginx

Scale out by distributing requests across multiple app servers. Nginx supports round‑robin, least_conn, and ip_hash.

upstream app_pool {
    least_conn;
    server 10.0.0.11:3000 max_fails=3 fail_timeout=10s;
    server 10.0.0.12:3000 max_fails=3 fail_timeout=10s;
    # ip_hash;  # for session affinity (remove least_conn if using this)
}

server {
    listen 80;
    server_name api.example.com;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://app_pool;
    }
}

Nginx Commands Cheat Sheet

# Service control
sudo systemctl start nginx
sudo systemctl stop nginx
sudo systemctl reload nginx
sudo systemctl restart nginx
sudo systemctl enable nginx

# Test and debug
sudo nginx -t
sudo journalctl -u nginx -e

# Config locations
# Debian/Ubuntu: /etc/nginx/nginx.conf, sites-available/, sites-enabled/
# RHEL family:   /etc/nginx/nginx.conf, conf.d/

Best Practices to Keep in Mind

  • Use separate server blocks per domain and environment (prod/staging).
  • Keep configs modular with include snippets for security, headers, caching.
  • Automate TLS renewal and monitor expiry.
  • Pinpoint performance problems with access logs and tools like top, htop, and netstat/ss.
  • Version-control your Nginx configs (Git) and test in staging first.

When Managed Hosting Makes Sense

If you’d rather focus on your app than on patches, TLS, and tuning, consider managed VPS or dedicated servers. At YouStable, we deploy optimized Nginx stacks with HTTP/2, free SSL, caching, and active monitoring—so your sites stay fast and secure without DIY overhead.

FAQs

How do I install Nginx on Ubuntu?

Run sudo apt update && sudo apt install -y nginx, then enable it with sudo systemctl enable --now nginx. Open ports via sudo ufw allow 'Nginx Full'. Visit your server IP to see the Nginx welcome page.

Where is the Nginx configuration file on Linux?

On Debian/Ubuntu, the main file is /etc/nginx/nginx.conf with site configs in /etc/nginx/sites-available and symlinks in sites-enabled. On RHEL-family, use /etc/nginx/nginx.conf and /etc/nginx/conf.d/*.conf. Always test changes with nginx -t.

How do I configure Nginx as a reverse proxy?

Create an upstream block with backend servers, then in a server block, set proxy_pass to that upstream. Include headers like X-Forwarded-For and X-Forwarded-Proto, enable keepalive, and reload Nginx. Add WebSocket headers if your app uses them.

How can I enable HTTPS on Nginx?

Use Certbot: sudo snap install --classic certbot (Ubuntu) or sudo dnf install certbot python3-certbot-nginx (RHEL). Then run sudo certbot --nginx -d yourdomain -d www.yourdomain. Certbot configures TLS and redirects; renewals run automatically via system timers.

How do I restart or reload Nginx safely?

Use sudo nginx -t to check syntax first. Then apply changes without downtime using sudo systemctl reload nginx. If you must restart workers, run sudo systemctl restart nginx. For status and logs, use systemctl status nginx and journalctl -u nginx -e.

Sanjeet Chauhan

Sanjeet Chauhan is a blogger & SEO expert, dedicated to helping websites grow organically. He shares practical strategies, actionable tips, and insights to boost traffic, improve rankings, & maximize online presence.
