nginx | 05/12/2026 | By Thijs Eilander

NGINX on Debian 13 Trixie: Install, Modules and Modern Stack (2026)

Debian 13 — codename Trixie — is the current Debian stable release, and the safest, most boring, most production-friendly Linux to run NGINX on in 2026. If you are setting up a fresh server, this is the guide. NGINX on Debian 13 Trixie with the latest mainline, full module support, HTTP/3 over QUIC, ModSecurity, Brotli, and a modern TLS configuration — installed in roughly ten minutes from a packaged repository, no compiling, no Docker required.

Already running NGINX on Debian 12 Bookworm and want to move to Trixie? Our companion Debian 13 NGINX upgrade guide covers the migration. This page is the from-scratch install on a fresh Trixie box.

Why Debian 13 Trixie for NGINX?

Debian Trixie is the right call for production NGINX in 2026 for a few practical reasons:

  • OpenSSL 3.3 in the base system — modern TLS, post-quantum hybrid algorithms, kTLS support — without resorting to backports.
  • Linux kernel 6.11+ — proper io_uring, mature kTLS, and the QUIC-friendly UDP stack you want for HTTP/3.
  • PHP 8.4 in the archive — and PHP 8.5 available from external repos. Either way, modern PHP-FPM works out of the box.
  • systemd 256 — better service supervision, native socket activation, and the cgroup v2 features NGINX benefits from under load.
  • GCC 14 — newer build toolchain means newer optimisations baked into upstream NGINX binaries.
  • Five years of security support from the Debian project plus LTS extensions. Boring is good.

Installing NGINX on Debian 13 Trixie

The default Trixie NGINX is fine for “I just need a static file server”. For anything more ambitious — HTTP/3, ModSecurity, Brotli, zstd compression, modern OpenSSL with PQC — you want the myguard packages. Two minutes of setup, then NGINX is just an apt install:

# Add the myguard APT repository
wget -qO- https://deb.myguard.nl/gpg.key | \
  sudo gpg --dearmor -o /usr/share/keyrings/myguard-archive-keyring.gpg

echo "deb [signed-by=/usr/share/keyrings/myguard-archive-keyring.gpg] \
  / stable main" | \
  sudo tee /etc/apt/sources.list.d/myguard.list

sudo apt update

# Install the optimised mainline NGINX
sudo apt install nginx

# Verify
nginx -V 2>&1 | head -1
# Should show: nginx version: nginx/1.31.x (myguard build)

Full repository setup is on the how to use page — packages are GPG-signed and built natively on Trixie’s toolchain.

The Dynamic Modules You Almost Certainly Want

One of the biggest practical wins of the packaged NGINX on Debian 13 Trixie is dynamic modules — you install only what you use, each as its own package, each independently updated. The defaults that most production stacks end up with:

# Compression: zstd (modern), Brotli (browser-favourite)
sudo apt install libnginx-mod-http-zstd libnginx-mod-http-brotli

# Web application firewall
sudo apt install libnginx-mod-http-modsecurity modsecurity-crs

# Real IP behind Cloudflare / proxies (in core, but worth confirming)
# Headers-more for cache header surgery
sudo apt install libnginx-mod-http-headers-more-filter

# Lua scripting (the OpenResty stack, repackaged)
sudo apt install libnginx-mod-http-lua

# Cache purge — useful for FastCGI cache invalidation
sudo apt install libnginx-mod-http-cache-purge

# Reload to pick up the new modules
sudo nginx -t && sudo systemctl reload nginx

For the full list of available modules — there are about fifty in the packaged build — see the NGINX modules overview.

A Sensible NGINX Configuration for Trixie

The default nginx.conf shipped on Debian is fine but conservative. Drop a per-site config in /etc/nginx/sites-available/example.com, symlink to sites-enabled, and you have a solid starting point:

server {
    listen 443 ssl;
    listen 443 quic reuseport;
    listen [::]:443 ssl;
    listen [::]:443 quic reuseport;

    http2 on;
    http3 on;

    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers HTTP/3 is available
    add_header Alt-Svc 'h3=":443"; ma=86400';
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Compression
    brotli on;
    brotli_comp_level 6;
    brotli_types text/html text/css application/javascript application/json image/svg+xml;
    zstd on;
    zstd_types text/html text/css application/javascript application/json;

    root /var/www/example.com;
    index index.html index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # PHP via PHP-FPM (Debian 13 ships PHP 8.4)
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/php/php8.4-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

For HTTPS, install Certbot or use the Angie native ACME client if you go that direction. HTTP/3 setup has the full QUIC story including firewall rules and verification.

PHP-FPM on Debian 13 Trixie

Trixie ships PHP 8.4 by default. Install the FPM stack:

sudo apt install php8.4-fpm php8.4-mysql php8.4-curl php8.4-mbstring \
                 php8.4-xml php8.4-zip php8.4-intl php8.4-gd php8.4-imagick

# Want PHP 8.5 instead?
sudo apt install php8.5-fpm  # from the myguard or sury repository

For WordPress on this stack, jump to the WordPress NGINX + PHP-FPM configuration guide — it walks through pool tuning, FastCGI cache, Redis object cache and security hardening end-to-end.

Security: ModSecurity, Snuffleupagus and Rate Limiting

A modern NGINX deployment on Debian 13 Trixie should run three layers of defence by default:

  • ModSecurity v3 + OWASP CRS at the HTTP layer — blocks SQLi, XSS, scanner traffic. See our ModSecurity setup guide.
  • PHP-Snuffleupagus inside PHP-FPM — interpreter-level security, blocks dangerous PHP functions even if a plugin gets exploited. See the Snuffleupagus tutorial.
  • Rate limiting on /wp-login.php and /xmlrpc.php — see the NGINX rate limiting guide.

All three are apt install away on Trixie with the myguard packages enabled.

Performance Defaults Worth Knowing

The myguard NGINX on Debian 13 Trixie is built with:

  • jemalloc — lower memory fragmentation under high connection churn.
  • zlib-ng — drop-in zlib replacement, measurably faster gzip on modern CPUs.
  • kTLS via openssl-nginx — TLS encryption offloaded to the kernel, faster TLS-heavy workloads.
  • io_uring support in the build (kernel decides whether to use it).
  • HTTP/3 and QUIC baked in — no patches, no third-party builds.

Pair NGINX with our dedicated openssl-nginx OpenSSL build and you have a TLS stack that scores A+ on SSL Labs with one paste.

Angie as an Alternative on Debian 13 Trixie

If you want the same NGINX-compatible config syntax plus a few quality-of-life features (native ACME, JSON status API, dynamic upstreams), Angie is a free NGINX fork from the original NGINX developers. Available as a Debian package from the myguard repository: sudo apt install angie. Every config snippet in this guide works under Angie unchanged.

Verifying the Install

# Confirm NGINX is from the myguard repository
apt-cache policy nginx | head -10

# Confirm modules are loaded
nginx -V 2>&1 | tr ' ' '\n' | grep module

# Confirm HTTP/3 support is compiled in
nginx -V 2>&1 | grep -i quic

# Confirm OpenSSL version
nginx -V 2>&1 | grep -i openssl

Common Trixie Gotchas

  • PHP socket path changed — Trixie uses /run/php/php8.4-fpm.sock; old configs pointing at /var/run/php/php8.3-fpm.sock need updating.
  • UFW does not allow UDP/443 by default — HTTP/3 will silently fall back to HTTP/2 unless you sudo ufw allow 443/udp.
  • systemd-resolved is enabled by default — if you point NGINX at 127.0.0.53 as a DNS resolver, it works, but be aware of the indirection.
  • Default file descriptor limit is higher in Trixie — you usually do not need worker_rlimit_nofile unless you are serving past 30k concurrent connections per worker.

Frequently Asked Questions

Is the default Debian 13 Trixie NGINX package good enough for production?

For static sites and basic reverse proxying — yes. For anything wanting HTTP/3, ModSecurity v3, Brotli or zstd compression, post-quantum TLS, or the OpenResty Lua stack, the default package falls short. The myguard NGINX packages on Debian 13 Trixie ship all of those compiled in as dynamic modules.

What PHP version is in Debian 13 Trixie?

PHP 8.4 by default. PHP 8.5 is available from external repositories (myguard, sury.org, etc.) if you want the latest. Trixie’s PHP-FPM works out of the box with the NGINX configurations in this guide — just point fastcgi_pass at /run/php/php8.4-fpm.sock.

Does Debian 13 Trixie support HTTP/3?

Yes — the kernel is recent enough (6.11+) and OpenSSL 3.3 in the base system supports QUIC. You still need an NGINX build with the http_v3_module compiled in. The myguard NGINX packages on Trixie include HTTP/3 by default; Debian’s stock nginx package does not.

Can I run multiple PHP versions on Debian 13 Trixie?

Yes. PHP-FPM packages on Trixie coexist cleanly — install php8.4-fpm and php8.5-fpm side by side, give each its own pool config, point different NGINX server blocks at different sockets. Useful for legacy WordPress installs that have not been updated yet.

Should I use Trixie or Bookworm in 2026?

Trixie — it is the current stable release with a five-year support window. Bookworm is still supported but the components (kernel, OpenSSL, PHP) are getting old. For a fresh server install in 2026, start on Trixie. If you are already running Bookworm and it works, the upgrade is not urgent — see our Debian 13 Trixie upgrade guide for the migration.

Where does Debian 13 Trixie NGINX log to?

By default access logs go to /var/log/nginx/access.log and error logs to /var/log/nginx/error.log. With systemd journal enabled, the NGINX service also writes to journalctl -u nginx. Both can be tailed live; check journalctl -u nginx -f for service-level events and /var/log/nginx/error.log for HTTP-level errors.

Are the myguard NGINX packages compatible with other Debian repositories?

Yes — the packages use the same conf.d structure and module loading as the Debian stock NGINX. They co-exist with PHP packages from sury.org, with the Debian backports archive, and with most other Debian repositories. The only thing they replace is the nginx package itself.

Related Posts