Nginx

Configure Nginx for reverse proxy, load balancing, SSL termination, and high-performance static serving.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
by Iván @ivangdavila
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the included documentation (proxy, ssl, performance, examples). The files only cover nginx config topics; there are no unrelated required binaries, environment variables, or capabilities.
Instruction Scope
The SKILL.md and companion files provide configuration guidance and call out nginx-specific paths (e.g., includes under /etc/nginx/conf.d/) and commands (e.g., nginx -t, nginx -s reload). Those references are appropriate for an nginx guide and do not instruct reading or exfiltrating unrelated secrets or contacting external endpoints.
Install Mechanism
No install spec and no code files — instruction-only. This is the lowest-risk installation model because nothing is written or executed by the skill itself.
Credentials
The skill declares no required environment variables, credentials, or config paths beyond standard nginx locations mentioned in documentation. There are no disproportionate credential requests.
Persistence & Privilege
always:false and user-invocable. The skill does not request permanent platform presence or attempt to modify other skills or global agent settings. Autonomous invocation is permitted by platform default but not a concern here given the skill's instruction-only nature.
Assessment
This skill is a documentation-only Nginx guide and appears coherent. Before giving an agent permission to apply changes based on these instructions: (1) review any concrete config edits the agent proposes, (2) test changes in a staging environment and run nginx -t before reloads, (3) back up existing nginx configs, and (4) keep private keys and certificates secure — do not allow the agent to expose or transmit private keys. If you only need advice, prefer read-only interactions rather than letting the agent modify system files.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.1

SKILL.md

When to Use

User needs Nginx expertise — from basic server blocks to production configurations. Agent handles reverse proxy, SSL, caching, and performance tuning.

Quick Reference

Topic | File
Reverse proxy patterns | proxy.md
SSL/TLS configuration | ssl.md
Performance tuning | performance.md
Common configurations | examples.md

Location Matching

  • Exact = first, then ^~ prefix, then regex ~/~*, then longest prefix
  • location /api matches /api, /api/, /api/anything — prefix match
  • location = /api only matches exactly /api — not /api/
  • location ~ \.php$ is regex, case-sensitive — ~* for case-insensitive
  • ^~ stops regex search if prefix matches — use for static files

proxy_pass Trailing Slash

  • proxy_pass http://backend preserves location path — /api/users → /api/users
  • proxy_pass http://backend/ replaces location path — /api/users → /users
  • Common mistake: missing slash = double path — or unexpected routing
  • Test with curl -v to see actual backend request
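The Location Matching and proxy_pass rules above, modelled in Python as an added example (not part of the skill's files). It assumes prefix locations, no variables in proxy_pass and no rewrite; the function names and the sample location list are hypothetical.

```python
import re
from urllib.parse import urlsplit

def select_location(locations, uri):
    """Pick the location nginx would use for `uri`.

    `locations` is a list of (modifier, pattern) pairs in config order;
    modifier is one of "", "=", "^~", "~", "~*".
    """
    # 1. An exact (=) match ends the search immediately.
    for mod, pat in locations:
        if mod == "=" and uri == pat:
            return mod, pat
    # 2. Remember the longest matching prefix (plain or ^~).
    best = None
    for mod, pat in locations:
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat)
    # 3. If that prefix is marked ^~, regex locations are not consulted.
    if best and best[0] == "^~":
        return best
    # 4. Otherwise the first regex that matches, in config order, wins.
    for mod, pat in locations:
        if mod in ("~", "~*") and re.search(pat, uri, re.I if mod == "~*" else 0):
            return mod, pat
    # 5. No regex matched: use the remembered prefix (None if there was none).
    return best

def upstream_path(location_prefix, proxy_pass, uri):
    """Path sent upstream from a prefix location (no variables, no rewrite)."""
    target = urlsplit(proxy_pass).path
    if target == "":                            # proxy_pass without a URI part
        return uri                              # request path passed unchanged
    return target + uri[len(location_prefix):]  # matched prefix is replaced

# Constructed sample config, not taken from the skill's files.
LOCATIONS = [("", "/"), ("", "/api"), ("=", "/api"), ("^~", "/static/"),
             ("~", r"\.php$"), ("~*", r"\.(png|jpg)$")]

if __name__ == "__main__":
    for uri in ["/api", "/api/", "/apiv2/x", "/api/x.php", "/static/a.png", "/a.PNG"]:
        print(f"{uri:15} -> {select_location(LOCATIONS, uri)}")
    for loc, target in [("/api/", "http://backend"), ("/api/", "http://backend/"),
                        ("/api", "http://backend/")]:
        print(f"location {loc:6} proxy_pass {target:16} -> "
              f"{upstream_path(loc, target, '/api/users')}")
```

Two results matter for access control: the plain prefix /api also captures /apiv2/x, and a regex location takes /api/x.php away from the /api prefix block, so restrictions written in one location do not automatically cover the other.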

try_files

  • try_files $uri $uri/ /index.html for SPA — checks file, then dir, then fallback
  • Last argument is internal redirect — or =404 for error
  • $uri/ tries directory with index — set index index.html
  • Don't use for proxied locations — use proxy_pass directly

Proxy Headers

  • proxy_set_header Host $host — backend sees original host, not proxy IP
  • proxy_set_header X-Real-IP $remote_addr — client IP, not proxy
  • proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for — append to chain
  • proxy_set_header X-Forwarded-Proto $scheme — for HTTPS detection
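Because $proxy_add_x_forwarded_for appends to whatever header the client sent, the backend has to decide which entry to believe. The sketch below is an added example, not part of the skill's files: it models the appended value and a backend-side parser that trusts only addresses from a known proxy range. The function names, the 10.0.0.0/8 proxy range and the sample addresses are assumptions.

```python
import ipaddress

def proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """Value of nginx's $proxy_add_x_forwarded_for: the client's own header
    (if any) with the connecting address appended."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr

def client_ip(xff, peer, trusted_proxies):
    """Backend-side view: walk the chain right to left and stop at the first
    address that is not one of our proxies. Entries left of that point were
    supplied by the client and are not verified by anything."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    chain = [h.strip() for h in (xff or "").split(",") if h.strip()] + [peer]
    candidate = peer
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                      # malformed entry: keep last valid hop
        candidate = hop
        if not any(addr in net for net in nets):
            break                      # first untrusted hop is the client
    return candidate

# Constructed addresses from the documentation ranges; 10.0.0.0/8 stands in
# for the proxy tier (assumption).
TRUSTED = ["10.0.0.0/8"]

if __name__ == "__main__":
    # Client at 203.0.113.7 sends its own X-Forwarded-For: 198.51.100.9
    header = proxy_add_x_forwarded_for("198.51.100.9", "203.0.113.7")
    print("header seen by backend:", header)
    print("leftmost entry        :", header.split(",")[0])
    print("trusted-proxy parse   :", client_ip(header, "10.0.0.5", TRUSTED))
```

X-Real-IP set from $remote_addr carries the same address as the last entry nginx appends, which is why it is the safer field for a backend that sits behind a single proxy.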

Upstream

  • Define servers in upstream block — upstream backend { server 127.0.0.1:3000; }
  • proxy_pass http://backend uses upstream — load balancing included
  • Health checks with max_fails and fail_timeout — marks server unavailable
  • keepalive 32 for connection pooling — reduces connection overhead

SSL/TLS

  • ssl_certificate is full chain — cert + intermediates, not just cert
  • ssl_certificate_key is private key — keep permissions restricted
  • ssl_protocols TLSv1.2 TLSv1.3 — disable older protocols
  • ssl_prefer_server_ciphers on — server chooses cipher, not client

Common Mistakes

  • nginx -t before nginx -s reload — test config first
  • Missing semicolon — syntax error, vague message
  • root inside location — prefer in server, override only when needed
  • alias vs root — alias replaces location, root appends location
  • Variables in if — many things break inside if, avoid complex logic

Variables

  • $uri is decoded, normalized path — /foo%20bar becomes /foo bar
  • $request_uri is original with query string — unchanged from client
  • $args is query string — $arg_name for specific parameter
  • $host from Host header — $server_name from config

Performance

  • worker_processes auto — matches CPU cores
  • worker_connections 1024 — per worker, multiply by workers for max
  • sendfile on — kernel-level file transfer
  • gzip on only for text — gzip_types text/plain application/json ...
  • gzip_min_length 1000 — small files not worth compressing

Logging

  • access_log off for static assets — reduces I/O
  • Custom log format with log_format — add response time, upstream time
  • error_log level: debug, info, warn, error — debug is verbose
  • Conditional logging with map and if — skip health checks
