Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

pjt222/configure-nginx

Name: configure-nginx
Author: pjt222

i18n/de/skills/configure-nginx/SKILL.md

npx skillsauth add pjt222/agent-almanac configure-nginx

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Nginx konfigurieren

Nginx als Webserver und Reverse Proxy mit SSL-Terminierung und Sicherheitshaertung einrichten.

Wann verwenden

Statische Dateien (HTML, CSS, JS) in Produktion ausliefern
Reverse Proxying zu Backend-Diensten (Node.js, Python, Go, R/Shiny)
SSL/TLS mit Let's-Encrypt-Zertifikaten terminieren
Lastverteilung ueber mehrere Backend-Instanzen
Rate Limiting und Sicherheitsheader hinzufuegen

Eingaben

Erforderlich: Deployment-Ziel (Docker-Container oder Bare Metal)
Erforderlich: Backend-Dienst(e) zum Proxying (Host:Port)
Optional: Domainname fuer SSL
Optional: Verzeichnis fuer statische Dateien

Vorgehensweise

Schritt 1: Einfacher Reverse Proxy

nginx.conf:

events {
    worker_connections 1024;
}

http {
    upstream app {
        server app:3000;
    }

    server {
        listen 80;
        server_name example.com;

        location / {
            proxy_pass http://app;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}

Docker-Compose-Dienst:

services:
  nginx:
    image: nginx:1.27-alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
    depends_on:
      - app

Erwartet: Anfragen an Port 80 werden an den App-Dienst weitergeleitet.

Schritt 2: Statische Dateiauslieferung

server {
    listen 80;
    root /usr/share/nginx/html;
    index index.html;

    location / {
        try_files $uri $uri/ /index.html;
    }

    location /assets/ {
        expires 1y;
        add_header Cache-Control "public, immutable";
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
        expires 6M;
        add_header Cache-Control "public";
    }
}

Schritt 3: SSL/TLS mit Let's Encrypt

Mit certbot und der Webroot-Methode:

server {
    listen 80;
    server_name example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://app;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Docker Compose mit certbot:

services:
  nginx:
    image: nginx:1.27-alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - certbot-webroot:/var/www/certbot:ro
      - certbot-certs:/etc/letsencrypt:ro

  certbot:
    image: certbot/certbot
    volumes:
      - certbot-webroot:/var/www/certbot
      - certbot-certs:/etc/letsencrypt

volumes:
  certbot-webroot:
  certbot-certs:

Erstes Zertifikat:

docker compose run --rm certbot certonly \
  --webroot -w /var/www/certbot \
  -d example.com --email [email protected] --agree-tos

Erwartet: HTTPS funktioniert mit gueltigem Let's-Encrypt-Zertifikat.

Bei Fehler: DNS-Eintrag pruefen, ob er auf den Server zeigt. Sicherstellen, dass Port 80 fuer ACME-Challenges offen ist.

Schritt 4: Sicherheitsheader

server {
    # ... SSL-Konfiguration oben ...

    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" always;

    # Nginx-Version verbergen
    server_tokens off;
}

Schritt 5: Rate Limiting

http {
    # Rate-Limit-Zonen definieren
    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
    limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;

    server {
        location /api/ {
            limit_req zone=api burst=20 nodelay;
            proxy_pass http://app;
        }

        location /login {
            limit_req zone=login burst=5;
            proxy_pass http://app;
        }
    }
}

Schritt 6: Lastverteilung

upstream app {
    least_conn;
    server app1:3000;
    server app2:3000;
    server app3:3000 backup;
}

| Methode | Direktive | Verhalten | |---------|-----------|-----------| | Round Robin | (Standard) | Gleichmaessige Verteilung | | Wenigste Verbindungen | least_conn | Leitet an am wenigsten ausgelasteten weiter | | IP-Hash | ip_hash | Sticky Sessions | | Gewichtet | server app:3000 weight=3 | Proportional |

Schritt 7: Konfiguration testen

# Konfigurationssyntax testen
docker compose exec nginx nginx -t

# Ohne Ausfallzeit neu laden
docker compose exec nginx nginx -s reload

# Antwortheader pruefen
curl -I https://example.com

Erwartet: nginx -t meldet Syntax OK. Header enthalten Sicherheitsheader.

Validierung

[ ] nginx -t meldet gueltige Konfiguration
[ ] HTTP leitet auf HTTPS um (falls SSL aktiviert)
[ ] Backend-Dienst ist ueber den Proxy erreichbar
[ ] Sicherheitsheader in der Antwort vorhanden
[ ] Rate Limiting greift bei ueberschuessigen Anfragen
[ ] SSL-Labs-Test ergibt A+-Bewertung (falls oeffentlich)

Haeufige Fehler

Fehlender proxy_set_header Host: Backend erhaelt falschen Host-Header, was virtuelle Hosts und Weiterleitungen bricht.
location-Reihenfolge ist wichtig: Nginx verwendet den spezifischsten Treffer. Exakt (=) > Praefix (^~) > Regex (~) > allgemeiner Praefix.
SSL-Zertifikatserneuerung: Cron oder Timer fuer certbot renew einrichten und Nginx neu laden.
Grosse Request-Bodies: Standard client_max_body_size ist 1MB. Fuer Datei-Uploads erhoehen: client_max_body_size 50m;.
WebSocket-Proxying: Erfordert zusaetzliche Header. Siehe configure-reverse-proxy fuer das Muster.

pjt222/configure-nginx

i18n/de/skills/configure-nginx/SKILL.md

Konfiguriere Nginx als Webserver und Reverse Proxy. Umfasst statische Dateiauslieferung, Reverse Proxy zu Upstream-Diensten, SSL/TLS-Terminierung mit Let's Encrypt, Location-Bloecke, Lastverteilung, Rate Limiting und Sicherheitsheader. Verwende diesen Skill beim Ausliefern statischer Dateien in Produktion, beim Reverse-Proxying zu Backend-Diensten (Node.js, Python, R/Shiny), bei SSL/TLS-Terminierung, bei Lastverteilung ueber Instanzen oder beim Hinzufuegen von Rate Limiting und Sicherheitsheadern zur Haertung eines Endpunkts.

9 stars

development

Updated Apr 15, 2026

$ install --global

skillsauth

npx skillsauth add pjt222/agent-almanac configure-nginx

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 25, 2026, 9:33 PM2.0s1 file scanned

SKILL.md

name:: configure-nginx
description:: >
license:: MIT
allowed-tools:: Read Write Edit Bash Grep Glob
author:: Philipp Thoss
version:: 1.0
domain:: containerization
complexity:: intermediate
language:: multi
tags:: nginx, reverse-proxy, ssl, tls, lets-encrypt, web-server, security-headers
locale:: de
source_locale:: en
source_commit:: 6f65f316
translator:: claude-sonnet-4-6
translation_date:: 2026-03-16

Nginx konfigurieren

Nginx als Webserver und Reverse Proxy mit SSL-Terminierung und Sicherheitshaertung einrichten.

Wann verwenden

Statische Dateien (HTML, CSS, JS) in Produktion ausliefern
Reverse Proxying zu Backend-Diensten (Node.js, Python, Go, R/Shiny)
SSL/TLS mit Let's-Encrypt-Zertifikaten terminieren
Lastverteilung ueber mehrere Backend-Instanzen
Rate Limiting und Sicherheitsheader hinzufuegen

Eingaben

Erforderlich: Deployment-Ziel (Docker-Container oder Bare Metal)
Erforderlich: Backend-Dienst(e) zum Proxying (Host:Port)
Optional: Domainname fuer SSL
Optional: Verzeichnis fuer statische Dateien

Vorgehensweise

Schritt 1: Einfacher Reverse Proxy

nginx.conf:

events {
    worker_connections 1024;
}

http {
    upstream app {
        server app:3000;
    }

    server {
        listen 80;
        server_name example.com;

        location / {
            proxy_pass http://app;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}

Docker-Compose-Dienst:

services:
  nginx:
    image: nginx:1.27-alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
    depends_on:
      - app

Erwartet: Anfragen an Port 80 werden an den App-Dienst weitergeleitet.

Schritt 2: Statische Dateiauslieferung

server {
    listen 80;
    root /usr/share/nginx/html;
    index index.html;

    location / {
        try_files $uri $uri/ /index.html;
    }

    location /assets/ {
        expires 1y;
        add_header Cache-Control "public, immutable";
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
        expires 6M;
        add_header Cache-Control "public";
    }
}

Schritt 3: SSL/TLS mit Let's Encrypt

Mit certbot und der Webroot-Methode:

server {
    listen 80;
    server_name example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://app;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Docker Compose mit certbot:

services:
  nginx:
    image: nginx:1.27-alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - certbot-webroot:/var/www/certbot:ro
      - certbot-certs:/etc/letsencrypt:ro

  certbot:
    image: certbot/certbot
    volumes:
      - certbot-webroot:/var/www/certbot
      - certbot-certs:/etc/letsencrypt

volumes:
  certbot-webroot:
  certbot-certs:

Erstes Zertifikat:

docker compose run --rm certbot certonly \
  --webroot -w /var/www/certbot \
  -d example.com --email [email protected] --agree-tos

Erwartet: HTTPS funktioniert mit gueltigem Let's-Encrypt-Zertifikat.

Bei Fehler: DNS-Eintrag pruefen, ob er auf den Server zeigt. Sicherstellen, dass Port 80 fuer ACME-Challenges offen ist.

Schritt 4: Sicherheitsheader

server {
    # ... SSL-Konfiguration oben ...

    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" always;

    # Nginx-Version verbergen
    server_tokens off;
}

Schritt 5: Rate Limiting

http {
    # Rate-Limit-Zonen definieren
    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
    limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;

    server {
        location /api/ {
            limit_req zone=api burst=20 nodelay;
            proxy_pass http://app;
        }

        location /login {
            limit_req zone=login burst=5;
            proxy_pass http://app;
        }
    }
}

Schritt 6: Lastverteilung

upstream app {
    least_conn;
    server app1:3000;
    server app2:3000;
    server app3:3000 backup;
}

Schritt 7: Konfiguration testen

# Konfigurationssyntax testen
docker compose exec nginx nginx -t

# Ohne Ausfallzeit neu laden
docker compose exec nginx nginx -s reload

# Antwortheader pruefen
curl -I https://example.com

Erwartet: nginx -t meldet Syntax OK. Header enthalten Sicherheitsheader.

Validierung

[ ] nginx -t meldet gueltige Konfiguration
[ ] HTTP leitet auf HTTPS um (falls SSL aktiviert)
[ ] Backend-Dienst ist ueber den Proxy erreichbar
[ ] Sicherheitsheader in der Antwort vorhanden
[ ] Rate Limiting greift bei ueberschuessigen Anfragen
[ ] SSL-Labs-Test ergibt A+-Bewertung (falls oeffentlich)

Haeufige Fehler

Fehlender proxy_set_header Host: Backend erhaelt falschen Host-Header, was virtuelle Hosts und Weiterleitungen bricht.
location-Reihenfolge ist wichtig: Nginx verwendet den spezifischsten Treffer. Exakt (=) > Praefix (^~) > Regex (~) > allgemeiner Praefix.
SSL-Zertifikatserneuerung: Cron oder Timer fuer certbot renew einrichten und Nginx neu laden.
Grosse Request-Bodies: Standard client_max_body_size ist 1MB. Fuer Datei-Uploads erhoehen: client_max_body_size 50m;.
WebSocket-Proxying: Erfordert zusaetzliche Header. Siehe configure-reverse-proxy fuer das Muster.

Related Skills

pjt222/unleash-the-agents

testing

VerifiedTrustedCommunity

Launch all available agents in parallel waves for open-ended hypothesis generation on problems where the correct domain is unknown. Use when facing a cross-domain problem with no clear starting point, when single-agent approaches have stalled, or when diverse perspectives are more valuable than deep expertise. Produces a ranked hypothesis set with convergence analysis and adversarial refinement.

9SKILL.mdUpdated Apr 15, 2026

pjt222/unleash-the-agents

pjt222/test-cli-application

tools

VerifiedTrustedCommunity

Write integration tests for a Node.js CLI application using the built-in node:test module. Covers the exec helper pattern, output assertions, filesystem state verification, cleanup hooks, JSON output parsing, error case testing, and state restoration after destructive tests. Use when adding tests to an existing CLI, testing a new command, verifying adapter behavior across frameworks, or setting up CI for a CLI tool.

9SKILL.mdUpdated Apr 15, 2026

pjt222/test-cli-application

pjt222/screen-trademark

development

VerifiedTrustedCommunity

Screen a proposed trademark for conflicts and distinctiveness before filing. Covers trademark database searches (TMview, WIPO Global Brand Database, USPTO TESS), distinctiveness analysis using the Abercrombie spectrum, likelihood of confusion assessment using DuPont factors and EUIPO relative grounds, common law rights evaluation, and goods/services overlap analysis. Produces a conflict report with a risk matrix. Use before adopting a new brand name, logo, or slogan — distinct from patent prior art search, which uses different databases, legal frameworks, and analysis methods.

9SKILL.mdUpdated Apr 15, 2026

pjt222/screen-trademark

pjt222/scaffold-cli-command

tools

VerifiedTrustedCommunity

Scaffold a new CLI command using Commander.js with options, action handler, three output modes (human-readable, quiet, JSON), and optional ceremony variant. Covers command naming, option design, shared context patterns, error handling, and integration testing. Use when adding a command to an existing Commander.js CLI, designing a new CLI tool from scratch, or standardizing command structure across a multi-command CLI.

9SKILL.mdUpdated Apr 15, 2026

pjt222/scaffold-cli-command

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/pjt222/agent-almanac.git

# Copy into Claude Code skills folder (global)
cp -r agent-almanac/i18n/de/skills/configure-nginx ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

pjt222/agent-almanac

9 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT

Adoption

pjt222/configure-nginx

$ install --global

Security Scan Results

SKILL.md

Nginx konfigurieren

Wann verwenden

Eingaben

Vorgehensweise

Schritt 1: Einfacher Reverse Proxy

Schritt 2: Statische Dateiauslieferung

Schritt 3: SSL/TLS mit Let's Encrypt

Schritt 4: Sicherheitsheader

Schritt 5: Rate Limiting

Schritt 6: Lastverteilung

Schritt 7: Konfiguration testen

Validierung

Haeufige Fehler

Verwandte Skills

Related Skills

pjt222/unleash-the-agents

pjt222/test-cli-application

pjt222/screen-trademark

pjt222/scaffold-cli-command

pjt222/configure-nginx

$ install --global

Security Scan Results

SKILL.md

Nginx konfigurieren

Wann verwenden

Eingaben

Vorgehensweise

Schritt 1: Einfacher Reverse Proxy

Schritt 2: Statische Dateiauslieferung

Schritt 3: SSL/TLS mit Let's Encrypt

Schritt 4: Sicherheitsheader

Schritt 5: Rate Limiting

Schritt 6: Lastverteilung

Schritt 7: Konfiguration testen

Validierung

Haeufige Fehler

Verwandte Skills

Related Skills

pjt222/unleash-the-agents

pjt222/test-cli-application

pjt222/screen-trademark

pjt222/scaffold-cli-command