Nginx Server Block Generator

Directive	Value	Deployment note	Copy
{{ row.directive }}	{{ row.value }}	{{ row.note }}

Step	Command or check	Reason	Copy
{{ row.step }}	`{{ row.command }}`	{{ row.reason }}

An NGINX server block is the part of a web server configuration that decides which hostnames a request should match and what NGINX should do after the match. The same host can serve static files, pass PHP requests to PHP-FPM, or proxy every request to an application service. The block also carries operational details such as ports, TLS certificate paths, logs, redirects, and small protection rules.

The risk in a server block is rarely the number of lines. A wrong server_name can send traffic to the wrong block. A broad document root can expose private files. A reverse proxy that omits forwarded headers can make the upstream app build wrong redirects or logs. A certificate path that looks right on a workstation can fail when the NGINX master process reads it during reload.

Request

host and port

Server block

listen, server_name

Handoff

root, PHP-FPM, proxy

Review

warnings and tests

A safe NGINX draft ties host matching, content routing, TLS policy, and deployment checks together before the file is copied to a server.

A generated draft should be read as a starting point for review, not as confirmation that the live host is ready. DNS, certificate coverage, readable paths, loaded modules, backend health, and syntax testing all sit outside the text generator. A clean draft still needs to pass the target server's own checks before reload.

Good server-block work answers four questions clearly. Which hostnames should answer? Should HTTP redirect to HTTPS or serve content directly? Should requests go to files, PHP-FPM, or an upstream app? Which warnings must be cleared before the block reaches production change control?

Technical Details:

NGINX first narrows a request by the local address and port named in listen. Within that listen set, server_name matching and the Host header decide which server block should handle the request. If no name matches, the default server for that listen address and port handles the request, so a generated block is only one part of the full virtual-server order on the host.

TLS adds one more timing detail. Server Name Indication can choose a server during the SSL handshake before the HTTP Host header is processed. Certificate files, protocol choices, and the served names must therefore agree with the hostname policy. A block that redirects www to an apex host still needs certificate coverage for any HTTPS name that reaches the HTTPS listener.

Rule Core

listen address:port -> Host or SNI match -> server_name block

site mode -> root and try_files, PHP-FPM FastCGI, or proxy_pass

TLS plan -> HTTP content, HTTP 301 redirect, HTTPS content, or HTTPS-only content

NGINX server block directive areas and deployment review checks
Directive area	What it controls	What to verify before reload
`listen` and `server_name`	Address, port, TLS listener flag, and hostnames that should match this block.	DNS, SNI, default-server ordering, and any apex or `www` redirect names must match the intended host policy.
`root`, `index`, and `try_files`	Static file path, index lookup order, and fallback behavior for ordinary file-serving routes.	The root should point at a public directory, and the fallback should match a static site, single-page app, or PHP front controller.
`fastcgi_pass`	PHP requests are sent to a PHP-FPM socket path or host and port target.	The PHP-FPM service, socket permissions, and `SCRIPT_FILENAME` behavior must match the deployed app layout.
`proxy_pass` and forwarded headers	Requests are sent to an upstream HTTP service with Host, real IP, forwarded-for, forwarded-proto, and forwarded-host context.	The backend URL should be reachable from the NGINX host, and the upstream framework should trust the forwarded fields intentionally.
`ssl_certificate` and `ssl_certificate_key`	HTTPS blocks point at the certificate chain and private key read by NGINX at startup.	Certificate files must cover every served and redirected HTTPS hostname and remain readable only to the appropriate service context.
`client_max_body_size`	Optional request body limit in bytes or with `k`, `m`, or `g` suffix.	Upload-heavy apps need a value that agrees with the app, load balancer, and client expectations.
`gzip_static` and cache headers	Optional precompressed asset lookup and seven-day cache headers for common static extensions.	`gzip_static` requires module support and matching `.gz` files; cache headers assume versioned asset names.

The generated text uses three content paths. Static and PHP-FPM modes emit a root, index list, and location / with the selected try_files pattern. PHP-FPM mode adds a PHP regular-expression location with fastcgi_params, SCRIPT_FILENAME, DOCUMENT_ROOT, and the selected FastCGI target. Reverse proxy mode emits one location / with proxy_pass, HTTP/1.1, Host, X-Real-IP, X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Host headers, plus optional WebSocket upgrade headers.

NGINX server block generator validation and warning boundaries
Signal	Why it appears	Practical response
Invalid server name	`Server name` is empty, includes unsupported shape, or is entered with protocol, path, port, or wildcard.	Use a bare host such as `example.com`, `app.example.com`, `localhost`, or an IP address.
Backend URL error	Reverse proxy mode needs an absolute `http://` or `https://` URL.	Use a reachable upstream such as `http://127.0.0.1:3000` and smoke-test it before routing public traffic.
Custom certificate error	Custom HTTPS mode is selected without both certificate and private key paths.	Enter absolute paths for the full chain and key, or use the derived Let's Encrypt path shape when it fits the host.
HTTP-only warning	`TLS plan` is set to HTTP server block only.	Use it for local or pre-certificate setup, then switch public sites to HTTPS after DNS and certificate coverage are ready.
Unusual document root	The path does not end in a common public directory such as `public`, `htdocs`, `html`, `webroot`, or `www`.	Confirm private source code, environment files, uploads, and storage directories are not exposed.
Wildcard or extra names	Extra names include wildcard hosts, or HTTPS output includes served and redirected names that all need certificate coverage.	Check DNS, certificate subject names, and default-server order before treating the draft as ready.

The activation commands are review aids, not a substitute for the target server's final syntax check. The generated checklist separates save location, root or backend check, enable path, nginx -t, reload, DNS or certificate check, and curl -I smoke test so each assumption can be tested in order.

Everyday Use & Decision Guide:

Start with Server name, Site mode, www handling, and TLS plan. Those fields decide the served hostname, content handoff, redirect policy, and whether the generated file contains HTTP, HTTPS, or both. If the summary says Needs edits, clear the alert before reading the generated text as a real draft.

For static and PHP sites, check Document root before changing advanced options. The path should usually end at the public web directory rather than the project root. For PHP-FPM, keep the request routing aligned with the app front controller and check that the emitted fastcgi_pass target matches the actual socket or service port.

For reverse proxy mode, the backend URL is the first trust check. A local app at http://127.0.0.1:3000 is a normal target, but it still has to answer from the NGINX host. Turn on WebSocket upgrade headers only for routes that really upgrade the connection, such as Socket.IO or native WebSocket endpoints.

Use Serve apex and www in one block only when both names should return the same content without redirecting.
Use Redirect www to apex or Redirect apex to www after choosing the canonical host for links, cookies, and certificates.
Use HTTP redirect plus HTTPS server block when port 80 should send visitors to HTTPS and port 443 should serve the content block.
Keep Dotfile protection on for ordinary public file roots unless the app explicitly serves hidden paths outside .well-known.
Turn on static asset caching only when filenames are versioned or otherwise safe to cache for seven days.
Use Basic security headers only when the application does not already send stricter or conflicting response headers.

Treat Review before deployment as a real pause. Warnings such as HTTP-only output, unusual document root, wildcard names, cache assumptions, or certificate coverage do not always make the draft wrong, but they point at choices that should be approved before copying the config.

Step-by-Step Guide:

Use the page to draft one host policy, inspect the generated directives, then validate the saved file on the target NGINX server.

Enter Server name. The summary should show the canonical hostname; if it shows Needs edits, fix the alert that asks for a host without protocol, path, port, or wildcard.
Choose Site mode. Static and PHP-FPM modes should expose Document root; reverse proxy mode should expose Backend URL and show proxy_pass in Directive Ledger.
Set www handling and any Extra server names. Open Directive Ledger and confirm served names and redirect-only names match the DNS and certificate plan.
Choose TLS plan. If HTTPS is enabled, review Certificate paths and confirm NGINX Server Block contains ssl_certificate, ssl_certificate_key, and ssl_protocols TLSv1.2 TLSv1.3.
Set routing details. For static sites, choose a strict 404 or single-page app fallback; for PHP-FPM, use the PHP front controller when requests should flow through /index.php; for proxy mode, test the backend URL separately.
Open Advanced only for host-specific changes such as bind address, ports, index files, upload body size, log directory, static cache, WebSocket upgrade headers, or install path style.
Read the alert area. Do not copy the config while Fix these inputs before deployment is active, because the generated body is replaced by comment lines explaining the blockers.
Open Activation Checklist. Use the save target, root or backend check, include step, sudo nginx -t, reload command, DNS or certificate check, and smoke test as the deployment review sequence.
After syntax and smoke tests pass, repeat the request check for any redirected hostnames and extra names listed in Directive Ledger.

Interpreting Results:

NGINX Server Block is the draft configuration text. Directive Ledger explains the important emitted directives, generated size, required module surface, and review notes. Activation Checklist turns the draft into concrete host checks. The JSON view mirrors the same inputs, warnings, errors, directives, checklist rows, and config text.

The summary badge is a page result, not proof of a live server result. Ready means the current fields did not trigger known blockers or warnings. It does not mean NGINX can read the files, the certificate is valid for the host, DNS points at the server, PHP-FPM is accepting requests, or the upstream app is healthy.

NGINX server block generator output cues and follow-up checks
Output cue	Meaning	Follow-up
Needs edits	At least one required value is invalid, and real config generation is blocked.	Fix the alert before using NGINX Server Block.
Review	A draft was generated, but one or more warnings deserve a decision.	Read each warning and compare it with the affected row in Directive Ledger.
Ready	Inputs passed the page checks and no review warnings were raised.	Run `sudo nginx -t`, reload NGINX, then use the checklist's DNS, certificate, and smoke checks.
Module surface	Lists the HTTP modules implied by PHP-FPM, proxy, TLS, or `gzip_static` choices.	Treat it as preparation guidance; the syntax test on the target host is the authority.
Generated size	Shows the byte size of the current draft and warning count.	Use it as a change cue only; it does not measure safety or performance.

The most important checks happen after copying the draft: save it where the local package includes it, confirm paths or upstreams, run nginx -t, reload, and test the exact hostnames the block is meant to answer.

Worked Examples:

Static site moving to HTTPS

A public static site uses Server name example.org, Site mode Static files or single-page app, www handling Redirect www to apex, TLS plan HTTP redirect plus HTTPS server block, and Document root /var/www/example.org/public. NGINX Server Block should contain an HTTP redirect block and an HTTPS content block. Directive Ledger should list server_name, listen, root, TLS, logs, and dotfile protection. Activation Checklist still needs DNS and certificate checks before reload.

PHP-FPM app with front controller routing

A PHP app uses Server name app.example.net, Site mode PHP-FPM application, Document root /srv/app/current/public, PHP-FPM target /run/php/php8.3-fpm.sock, and Request routing PHP front controller /index.php. The generated block should include try_files $uri $uri/ /index.php$is_args$args; and a PHP location with fastcgi_pass unix:/run/php/php8.3-fpm.sock. If the document root warning appears, confirm the path ends at the public directory before using the draft.

Reverse proxy with WebSocket traffic

An app listens at http://127.0.0.1:3000 and uses WebSocket upgrades. Set Site mode to Reverse proxy to app server, enter that Backend URL, and turn on WebSocket upgrade headers. Directive Ledger should show proxy_pass and forwarded-header coverage. The generated block should contain proxy_http_version 1.1, Host, X-Real-IP, X-Forwarded-* headers, plus Upgrade and Connection when the WebSocket switch is on.

Troubleshooting a blocked body-size value

If client_max_body_size is entered as sixteen megabytes, Fix these inputs before deployment should say the value must look like 16m, 1g, or a whole byte count. The config body is replaced by comments until the value is corrected or left blank. That block is intentional because a malformed directive would make the target syntax test fail.

Security and Privacy Notes:

Generation happens in the browser after the page loads. The page has no separate remote service for building the NGINX draft, so hostnames, internal paths, backend URLs, and generated config are handled by the page logic during the session.

Treat the output as infrastructure-sensitive text. It can include internal hostnames, private IP addresses, certificate paths, socket paths, log paths, and upstream service names. Review it through the same approval path used for other web server configuration.

FAQ:

Can I deploy the generated server block as-is?

Only after host-level checks pass. The page can draft the block, warnings, directive ledger, and checklist, but NGINX still needs readable paths, loaded modules, valid certificates, DNS, a passing nginx -t, and a successful smoke test.

Why does server_name matter?

NGINX uses the listen address and port first, then compares the request host with server_name values in matching blocks. A wrong hostname can fall through to the default server for that port.

When should I use reverse proxy mode?

Use reverse proxy mode when NGINX should front an app service such as http://127.0.0.1:3000 instead of serving files from Document root. The result emits proxy_pass and forwarded request headers.

Why is the config replaced by comments?

That happens when Fix these inputs before deployment is active. Common causes are an invalid Server name, invalid reverse proxy URL, missing custom certificate paths, invalid client_max_body_size, or a non-absolute log directory.

What does the certificate warning mean?

HTTPS output assumes the certificate covers every served and redirected server_name. Check apex, www, and extra names before enabling the block on port 443.

Does the result check my live NGINX server?

No. The result is built from the fields in the page. Use Activation Checklist for the external checks that prove the saved file, package layout, syntax test, reload, DNS, certificate, and smoke test match the draft.

Glossary:

Server block: The NGINX configuration block that listens on one or more addresses and decides how matching hostnames are served.
server_name: The hostname list NGINX compares with the request host after a listen address and port have matched.
SNI: Server Name Indication, the TLS handshake hostname signal used before HTTP request processing.
try_files: The routing directive that checks file paths in order and falls back to a static error, single-page app entry, or PHP front controller.
PHP-FPM: The FastCGI process manager that can execute PHP requests handed off by NGINX.
proxy_pass: The directive that forwards requests from NGINX to an upstream HTTP service.

References:

Server names, NGINX documentation.
How nginx processes a request, NGINX documentation.
Module ngx_http_core_module, NGINX documentation.
Module ngx_http_proxy_module, NGINX documentation.
Module ngx_http_ssl_module, NGINX documentation.
Module ngx_http_gzip_static_module, NGINX documentation.