Balou Tools

Server Config Generator

Generates Nginx configurations and Apache .htaccess rules for redirects and security headers.

Create ready-to-use configuration files for Nginx and Apache (.htaccess) with best-practice security and performance features.

Configuration

Basic Settings

Forces a secure SSL/TLS connection through automatic 301 redirects.

SSL / TLS & HTTPS

HTTP/2 enables multiplexing and header compression – significantly faster than HTTP/1.1. Requires SSL.

HTTP/3 uses QUIC over UDP – even faster, lower latency. Requires Nginx ≥ 1.25 and open UDP port 443.

Adds comments and Certbot commands for automatic SSL certificate issuance.

Instructs browsers to only access the site via HTTPS. max-age=63072000 = 2 years.

Submits the domain to the browser preload list. Warning: Only enable if HTTPS is permanently guaranteed.

Performance & Compression

Compresses text files (HTML, CSS, JS, JSON) before transfer – saves 60–80% bandwidth.

Brotli offers better compression ratios than Gzip, supported by all modern browsers.

Optimizes browser caching: static assets (JS/CSS/images) are cached long-term, HTML pages always revalidated.

Security Headers

Adds HSTS, CSP, X-Frame-Options, X-Content-Type-Options and Referrer-Policy.

Prevents XSS attacks by restricting allowed resource sources.

Controls which referrer information is passed when following links.

Restricts browser APIs (camera, microphone, geolocation etc.) – prevents abuse by embedded content.

Enables Cross-Origin-Opener/Embedder/Resource-Policy to isolate against Spectre-style attacks.

Older XSS protection header for IE/Edge. Modern browsers ignore it, but it doesn't hurt.

Advanced Options

Forwards the real client IP to the backend server (important behind reverse proxy).

Forwards the client's Accept-Language header to the backend server – important for multilingual apps.

Restores the real visitor IP when traffic passes through Cloudflare or a reverse proxy.

Limits requests per IP via limit_req_zone – protects /api and login areas from overload.

Secures the entire directory with a username and password.

nginx.conf / sites-available/meine-domain.de
server {
    listen 80;
    listen [::]:80;
    server_name meine-domain.de www.meine-domain.de;
    # Redirect all HTTP traffic to HTTPS
    return 301 https://$host$request_uri;
}

# Cache-Control value per request path. A map must sit at http level, outside
# server {}. The value is emitted by one server-level add_header further down:
# a location with its own add_header stops inheriting the server-level
# security headers.
map $uri $cache_control {
    # HTML and everything else → always revalidate
    default                                  "public, max-age=0, must-revalidate";
    # Fingerprinted assets (content-hash in filename) → cache forever
    ~*\.(js|css|woff2?|ttf|otf|eot)$         "public, max-age=31536000, immutable";
    # Images & media → 30 days
    ~*\.(avif|webp|jpe?g|png|gif|svg|ico)$   "public, max-age=2592000";
    # Proxied API responses: nginx adds no Cache-Control of its own
    ~^/api                                   "";
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    # Both names are covered by the certificate requested below
    server_name meine-domain.de www.meine-domain.de;

    root /var/www/meine-domain.de/html;
    index index.html index.php;

    client_max_body_size 16m;

    # ── SSL – Let's Encrypt (Certbot) ──────────────────────────────────
    # Run: certbot --nginx -d meine-domain.de -d www.meine-domain.de
    # Certbot fills in / manages the paths below automatically.
    ssl_certificate     /etc/letsencrypt/live/meine-domain.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/meine-domain.de/privkey.pem;
    include             /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/meine-domain.de/chain.pem;

    # ── Gzip Compression ───────────────────────────────────────────────
    gzip on;
    gzip_comp_level 6;
    gzip_min_length 1024;
    gzip_vary on;
    gzip_proxied any;
    gzip_types
        text/plain text/css text/xml text/javascript
        application/javascript application/json application/xml
        image/svg+xml application/manifest+json font/woff2;

    # ── Security Headers ───────────────────────────────────────────────
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=()" always;
    # Hide nginx version. Note: X-Powered-By from PHP-FPM/upstreams is NOT
    # removed by server_tokens – use the headers-more module for that:
    #   more_clear_headers "X-Powered-By" "Server";
    server_tokens off;

    # ── Cache-Control ──────────────────────────────────────────────────
    # Value comes from the map above. Kept at server level so that the
    # locations below still inherit the security headers.
    add_header Cache-Control $cache_control;

    # Fingerprinted assets (content-hash in filename)
    location ~* \.(js|css|woff2?|ttf|otf|eot)$ {
        access_log off;
        try_files $uri =404;
    }

    # Images & media
    location ~* \.(avif|webp|jpe?g|png|gif|svg|ico)$ {
        access_log off;
        try_files $uri =404;
    }

    # ── Main location ──────────────────────────────────────────────────
    location / {
        try_files $uri $uri/index.html $uri.html =404;
    }

    # ── Reverse Proxy / API Backend ────────────────────────────────────
    location /api {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        # Forward real client IP
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
    }

    # ── Error pages ────────────────────────────────────────────────────
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;

    # ── OCSP Stapling & Resolver (needs ssl_trusted_certificate above) ──
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 8.8.8.8 valid=300s ipv6=off;
    resolver_timeout 5s;
}
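
nginx inherits add_header directives from the enclosing level only when the current level defines none, so a location that sets its own Cache-Control header no longer sends the security headers declared in the server block. The checker below is an added example, not part of the generator's output; the function names and the sample config are constructed for illustration.

```python
import re

# Comments match outside the group and come back as empty strings; the group
# captures quoted strings (which may contain ';' or braces), punctuation, words.
TOKEN = re.compile(r'''#[^\n]*|("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};"'#]+)''')

def parse(conf):
    """Build a tree of blocks, recording the add_header names set in each one."""
    root = {"label": "main", "own": set(), "children": []}
    stack, words = [root], []
    for tok in filter(None, TOKEN.findall(conf)):
        if tok == "{":
            block = {"label": " ".join(words), "own": set(), "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            if len(words) > 1 and words[0] == "add_header":
                stack[-1]["own"].add(words[1].strip("\"'").lower())
        else:
            words.append(tok)
            continue
        words = []  # a directive or block header just ended
    return root

def dropped_headers(conf):
    """List (block, headers) where a block's own add_header cancels inherited ones."""
    findings = []
    def walk(block, inherited):
        lost = inherited - block["own"]
        if block["own"] and lost:
            findings.append((block["label"], sorted(lost)))
        for child in block["children"]:
            walk(child, block["own"] or inherited)
    walk(parse(conf), set())
    return findings

# Constructed sample: the asset location drops both server-level headers,
# the /api location sets none of its own and so inherits them.
SAMPLE = r"""
server {
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header Content-Security-Policy "default-src 'self'; object-src 'none'" always;
    location ~* \.(js|css)$ { add_header Cache-Control "public, max-age=31536000, immutable"; }
    location /api { proxy_pass http://127.0.0.1:8080; }
}
"""

if __name__ == "__main__":
    print(dropped_headers(SAMPLE))
```

The check only compares header names per level; it does not follow include files, so run it on the fully expanded configuration (for example the output of nginx -T).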

Guide & best practices

Typical use cases

Server Config Generator supports recurring developer, security and SEO tasks directly in the browser. The tool focuses on fast results, clear output and safe defaults.

How it works

Enter the relevant input, run the analysis or transformation and review the structured output. Where useful, Balou Tools adds hints, exports and related tools for the next step.

Best practices

Always review results in context, avoid sensitive production data in online inputs and use export/copy actions for traceable documentation.

Frequently asked questions

What is Server Config Generator useful for?

Server Config Generator is useful for fast technical checks and recurring development tasks without local installation.

Are my inputs stored?

Many tools run locally in the browser; server-side diagnostics query the specified target from the Balou backend. AI features are only used after an explicit user action.

Can I share the result?

Many diagnostic tools support export, Markdown, JSON or share links. Local utility tools provide at least copy-to-clipboard output.