Review an nginx.conf for security and performance: TLS protocol versions, cipher suites, buffer sizes, gzip and brotli, expires headers.
Reviews an nginx.conf (and any included files) for security and performance smells — weak TLS, missing gzip, oversized buffers, lack of cache headers — and produces a punch-list with concrete config snippets.
Inputs:
config_path: path to the main nginx.conf.
nginx_version: target version; defaults to detecting it via nginx -v.
mozilla_profile: intermediate (default) or modern.

Steps:
Run nginx -t -c <config_path> to confirm the config is syntactically valid.
Run nginx -T -c <config_path> to dump the merged config (including all included files) and parse that output.

Checks:
TLS: ssl_protocols must be TLSv1.2 TLSv1.3 (intermediate) or TLSv1.3 only (modern). ssl_ciphers must follow the Mozilla profile string. ssl_prefer_server_ciphers should be off for TLSv1.3-only configs, on otherwise.
Perf: gzip on, with gzip_types covering text/css application/javascript application/json text/xml. client_max_body_size not over 50m unless the route truly needs uploads. keepalive_timeout between 30s and 75s. sendfile on; tcp_nopush on; for static-heavy locations.
Caching: location ~* \.(js|css|png|jpg|woff2)$ should set expires 1y and add_header Cache-Control "public, immutable".
Headers: X-Content-Type-Options, Referrer-Policy, and X-Frame-Options or Content-Security-Policy: frame-ancestors. server_tokens off; if it is missing, the nginx version is exposed.
Every finding is reported as file:line, parsed from the nginx -T output via the # configuration file markers.

Output:
nginx-review.md with a section per audit family (TLS, Perf, Caching, Headers); each row shows file:line, the current value, the recommended value, and a paste-ready config snippet. Exit 1 if any TLS finding is critical (e.g., TLSv1.0 enabled).
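As an added illustration of the parse-and-report step (example code, not part of this skill), the following Python checker walks a constructed nginx -T style dump, tracks the # configuration file markers to produce file:line locations, and applies a subset of the checks above (weak ssl_protocols as the critical case, incomplete gzip_types, oversized client_max_body_size, missing server_tokens). The sample dump, paths and the chosen subset are the example's own assumptions.

```python
import re
# Constructed `nginx -T` style dump (not from a real host); the markers drive file:line reporting.
SAMPLE_DUMP = """\
# configuration file /etc/nginx/nginx.conf:
http {
    gzip on;
    gzip_types text/css application/javascript;
}
# configuration file /etc/nginx/conf.d/site.conf:
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    client_max_body_size 200m;
}
"""
OK_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}  # Mozilla intermediate profile
GZIP_TYPES = {"text/css", "application/javascript", "application/json", "text/xml"}

def parse_dump(dump):
    # Yield (file, line, directive, args); line numbers restart at each marker.
    current, line_no = None, 0
    for raw in dump.splitlines():
        m = re.match(r"# configuration file (\S+):", raw)
        if m:
            current, line_no = m.group(1), 0
            continue
        line_no += 1
        stmt = raw.strip().rstrip(";")
        if not stmt or stmt[0] == "#" or stmt[-1] in "{}":  # skip blanks, comments, block braces
            continue
        parts = stmt.split()
        yield current, line_no, parts[0], parts[1:]

def audit(dump):
    # Return (findings, critical); each finding is (file:line, directive, current, recommended).
    findings, critical, seen = [], False, set()
    for path, ln, name, args in parse_dump(dump):
        seen.add(name)
        loc = f"{path}:{ln}"
        if name == "ssl_protocols" and set(args) - OK_PROTOCOLS:
            findings.append((loc, name, " ".join(args), "ssl_protocols TLSv1.2 TLSv1.3;"))
            critical = True  # TLSv1.0/1.1 enabled is the critical case that forces exit 1
        elif name == "gzip_types" and GZIP_TYPES - set(args):
            findings.append((loc, name, " ".join(args), "gzip_types " + " ".join(sorted(GZIP_TYPES)) + ";"))
        elif name == "client_max_body_size":
            m = re.fullmatch(r"(\d+)([kKmMgG]?)", args[0])  # normalise the unit suffix to megabytes
            if m and int(m.group(1)) * {"": 2**-20, "k": 2**-10, "m": 1, "g": 1024}[m.group(2).lower()] > 50:
                findings.append((loc, name, args[0], "client_max_body_size 50m;"))
    if "server_tokens" not in seen:  # the default is on, which exposes the nginx version
        findings.append(("(absent)", "server_tokens", "on (default)", "server_tokens off;"))
    return findings, critical
```

A real run would feed `subprocess.run(["nginx", "-T", "-c", config_path], capture_output=True, text=True).stdout` into `audit` and map `critical` to the exit code.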
After applying the suggested changes, run nginx -t and confirm the syntax check passes, then nginx -s reload in a staging environment. Run testssl.sh https://<host> and confirm a grade of A or A+. Use curl -I https://<host> to verify that the HSTS and cache headers are present.
lua-nginx-module: skip Lua content but still check the surrounding directives.
Same domains or capabilities as amitte/nginx-config-reviewer.
Audit an AWS IAM policy against CloudTrail usage data and propose a minimized policy listing only actions actually invoked in the analysis window.
Read-only AWS surface — list/describe EC2, S3 buckets, IAM users, and Lambda functions. Auth via STS-assumed role; no mutating tools.
Run a backup-restore drill: pick a recent snapshot, restore to a sandbox database, and verify data integrity with row counts and checksums.
Read-only Cloudflare surface — list zones, DNS records, deployed Workers, and page rules. Auth via scoped API token; no mutating tools.
Identify imports and module-init code that contribute to Cloudflare Worker cold starts and propose lazy-load rewrites.
Map a SOC2 or ISO 27001 control to evidence artifacts in a typical engineering org — produce a list of artifacts, owners, and the query or path that produces each.