How to Install Nginx Mainline on Debian (13, 12, 11)

Nginx Mainline is the upstream branch to use when Debian’s default package sources are too far behind for the HTTP, TLS, or reverse-proxy features you need. You can install Nginx Mainline on Debian 13, 12, and 11 from the official nginx.org repository, pin it above the default APT sources, and keep later updates on that upstream package track.

Nginx is a web server and reverse proxy, and the mainline branch is the faster-moving upstream package line. The same repository also provides the slower upstream stable branch if you want a more conservative update pace without dropping back to Debian’s default package versions.

On this page hide

Install Nginx Mainline on Debian

Compare Nginx Mainline, Stable, and Debian Packages on Debian

Manage Nginx Mainline on Debian

Troubleshoot Nginx Mainline on Debian

Remove Nginx Mainline from Debian

Nginx Mainline on Debian FAQ

Conclusion

Install Nginx Mainline on Debian

The nginx.org repository works on Debian 13, 12, and 11. Debian desktop installs may already include some supporting packages, but server, cloud, and minimal images often do not, which is why this section starts with prerequisites.

Update Debian Before Installing Nginx Mainline

Refresh your package metadata and apply pending upgrades before you add the nginx.org repository.

sudo apt update && sudo apt upgrade -y

This guide uses sudo for commands that need root privileges. If your account does not have sudo access yet, follow the guide to add a user to sudoers on Debian before you continue.

Install Nginx Mainline Prerequisites on Debian

Install the packages needed to download the signing key and trust HTTPS APT sources.

sudo apt install ca-certificates curl gpg -y

Import the Nginx Mainline Signing Key on Debian

Download the nginx.org signing key and store it in a dedicated APT keyring so package signatures are checked against the correct source.

curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo gpg --dearmor -o /usr/share/keyrings/nginx-archive-keyring.gpg

Verify that the keyring contains the nginx.org signing keys before you add the repository.

gpg --dry-run --quiet --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg

pub   rsa4096 2024-05-29 [SC]
      8540A6F18833A80E9C1653A42FD21310B49F6B46
uid                      nginx signing key <signing-key-2@nginx.com>

pub   rsa2048 2011-08-19 [SC] [expires: 2027-05-24]
      573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
uid                      nginx signing key <signing-key@nginx.com>

Add the Nginx Mainline Repository on Debian

Write a DEB822 .sources file for the mainline repository. This command reads your Debian codename from /etc/os-release, detects the installed CPU architecture, and writes the file with sudo tee because a plain > redirection would still run as your unprivileged shell.

CODENAME=$(. /etc/os-release && echo "$VERSION_CODENAME")
ARCH=$(dpkg --print-architecture)

printf '%s\n' \
'Types: deb' \
'URIs: https://nginx.org/packages/mainline/debian' \
"Suites: ${CODENAME}" \
'Components: nginx' \
"Architectures: ${ARCH}" \
'Signed-By: /usr/share/keyrings/nginx-archive-keyring.gpg' | sudo tee /etc/apt/sources.list.d/nginx.sources > /dev/null

The VERSION_CODENAME value becomes trixie, bookworm, or bullseye automatically, and dpkg --print-architecture writes the matching architecture such as amd64.

To use the upstream stable branch instead of mainline, change the URIs line to https://nginx.org/packages/debian and keep the rest of the file the same.

Configure APT Pinning for Nginx Mainline on Debian

Update APT so Debian sees the new repository, then confirm the repository metadata and pin it above Debian’s default package sources.

sudo apt update

Get:4 https://nginx.org/packages/mainline/debian trixie InRelease [3,285 B]
Get:5 https://nginx.org/packages/mainline/debian trixie/nginx amd64 Packages [19.0 kB]

Confirm the repository advertises the expected Origin value before you write the pin file.

grep -h '^Origin:' /var/lib/apt/lists/*nginx*_InRelease

Origin: nginx

Create the APT preference file after you verify that Origin string.

printf '%s\n' 'Package: *' 'Pin: release o=nginx' 'Pin-Priority: 900' | sudo tee /etc/apt/preferences.d/99nginx > /dev/null

Verify the Nginx Mainline Repository on Debian

Check the candidate version before you install anything so you know APT is preferring nginx.org over Debian’s default package source.

apt-cache policy nginx

nginx:
  Installed: (none)
  Candidate: 1.29.6-1~trixie
  Version table:
     1.29.6-1~trixie 900
        900 https://nginx.org/packages/mainline/debian trixie/nginx amd64 Packages
     1.26.3-3+deb13u2 500
        500 http://security.debian.org/debian-security trixie-security/main amd64 Packages

On Debian 12, the same check currently shows 1.29.6-1~bookworm from nginx.org versus 1.22.1-9+deb12u4 from the default APT sources. On Debian 11, it shows 1.29.6-1~bullseye versus 1.18.0-6.1+deb11u5.

Install Nginx Mainline Packages on Debian

Install the mainline package from nginx.org. On Debian, the nginx binary is installed in /usr/sbin, so a plain nginx -v can return command not found for regular SSH users; use sudo nginx -v for the version check.

sudo apt install nginx -y

sudo nginx -v

nginx version: nginx/1.29.6

Enable and Start Nginx Mainline on Debian

Enable the service at boot, then start it immediately. This explicit two-command flow works cleanly on Debian 13, 12, and 11.

sudo systemctl enable nginx
sudo systemctl start nginx

Verify that the service is running before you move on to the configuration and HTTP checks.

systemctl status nginx --no-pager

● nginx.service - nginx - high performance web server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; preset: enabled)
     Active: active (running) since Thu 2026-03-12 08:18:41 AWST; 12ms ago
       Docs: https://nginx.org/en/docs/
    Process: 3160 ExecStart=/usr/sbin/nginx -c ${CONFFILE} (code=exited, status=0/SUCCESS)
   Main PID: 3162 (nginx)
      Tasks: 7 (limit: 6930)
     Memory: 5.9M (peak: 6.2M)

Debian 12 and 11 show the same active (running) state, even though the unit path line may appear as /lib/systemd/system/nginx.service on older releases.

Test the Nginx Mainline Configuration on Debian

Run the syntax check first, then make sure the default page responds on the local web server address.

sudo nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

curl -I http://127.0.0.1

HTTP/1.1 200 OK
Server: nginx/1.29.6
Date: Thu, 12 Mar 2026 00:19:20 GMT
Content-Type: text/html
Content-Length: 896

Compare Nginx Mainline, Stable, and Debian Packages on Debian

As of March 2026, nginx.org lists mainline 1.29.6 and stable 1.28.2. Debian’s default APT sources currently provide 1.26.3 on Debian 13, 1.22.1 on Debian 12, and 1.18.0 on Debian 11.

Package Track	Current Line	Update Pace	Best For
nginx.org Mainline	1.29.6	Fastest upstream branch	New features, newer protocol work, earlier upstream fixes
nginx.org Stable	1.28.2	Slower upstream branch	Conservative upstream deployments that still want nginx.org packages
Debian default APT sources	1.26.3 / 1.22.1 / 1.18.0	Debian security and release cadence	Distro-managed packages and the least change between updates

Mainline is the better fit when you want upstream changes first and are comfortable following a faster release cadence. For nginx.org packaging with a slower branch, change the repository URI to the stable path and keep the rest of the workflow the same.

Manage Nginx Mainline on Debian

Once Nginx Mainline is installed, these are the commands you will use most often for day-to-day administration.

Reload Nginx Mainline on Debian

Reload the service after routine configuration changes when you want new worker processes to pick up the config without dropping active connections.

sudo systemctl reload nginx

Restart Nginx Mainline on Debian

Restart the service after binary upgrades or when a reload does not clear the problem you are working on.

sudo systemctl restart nginx

Update Nginx Mainline on Debian

Use a single-package upgrade when you want to update Nginx without upgrading the rest of the system at the same time.

sudo apt update && sudo apt install --only-upgrade nginx -y

Reading package lists...
Building dependency tree...
Reading state information...
nginx is already the newest version (1.29.6-1~trixie).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Check Nginx Mainline File Locations on Debian

The nginx.org packages use the upstream directory layout, so server blocks live in /etc/nginx/conf.d/ by default instead of Debian’s usual sites-available and sites-enabled pattern.

/etc/nginx/nginx.conf stores the main Nginx configuration.
/etc/nginx/conf.d/ is where nginx.org packages expect your site and reverse-proxy snippets.
/usr/share/nginx/html/ is the default web root for the welcome page.
/var/log/nginx/access.log and /var/log/nginx/error.log store request and error data.

If you prefer the Debian symlink workflow, add your own include /etc/nginx/sites-enabled/*.conf; line to nginx.conf first. The stock nginx.org configuration only includes /etc/nginx/conf.d/*.conf.

Troubleshoot Nginx Mainline on Debian

These checks cover the most common problems you are likely to hit right after installation or the first time you change the configuration.

Fix the Nginx Reload Error on Debian

If you try to reload Nginx before the service is running, systemd returns a direct error instead of re-reading the configuration.

nginx.service is not active, cannot reload.

Check the syntax first, then start the service and confirm that it is active before you try another reload.

sudo nginx -t
sudo systemctl start nginx
systemctl status nginx --no-pager

● nginx.service - nginx - high performance web server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; preset: enabled)
     Active: active (running) since Thu 2026-03-12 08:18:41 AWST; 12ms ago

Fix Port 80 Conflicts for Nginx on Debian

If another service already owns port 80, Nginx cannot bind to it and the unit will fail to start.

sudo ss -ltnp | grep ':80 '

LISTEN 0      5            0.0.0.0:80        0.0.0.0:*    users:(("python3",pid=3925,fd=3))

Stop or reconfigure the service that owns the port, then start Nginx again and check the journal if it still fails.

sudo systemctl start nginx
sudo journalctl -u nginx -n 6 --no-pager

Mar 12 08:21:24 debian-13 nginx[3933]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Mar 12 08:21:25 debian-13 nginx[3933]: nginx: [emerg] still could not bind()
Mar 12 08:21:25 debian-13 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Mar 12 08:21:25 debian-13 systemd[1]: Failed to start nginx.service - nginx - high performance web server.

Check Nginx Mainline Health on Debian

When the service is running but requests still fail, repeat the syntax check and test the local HTTP response so you can separate configuration problems from browser or firewall issues.

sudo nginx -t
curl -I http://127.0.0.1

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
HTTP/1.1 200 OK
Server: nginx/1.29.6

Remove Nginx Mainline from Debian

Removing the nginx.org package is straightforward, but purge it only after you back up any custom server blocks, TLS files, or reverse-proxy snippets you still need. On the default package layout, apt remove --purge removes /etc/nginx/ completely on Debian 13, 12, and 11.

Remove Nginx Mainline Packages from Debian

Stop the service first, then purge the installed packages and any unused dependencies.

sudo systemctl stop nginx
sudo systemctl disable nginx
sudo apt remove --purge nginx nginx-common -y
sudo apt autoremove -y

Remove the Nginx Mainline Repository from Debian

Delete the nginx.org source file, its APT pin, and the signing key so Debian returns to the default package sources.

sudo rm -f /etc/apt/sources.list.d/nginx.sources
sudo rm -f /etc/apt/preferences.d/99nginx
sudo rm -f /usr/share/keyrings/nginx-archive-keyring.gpg
sudo apt update

Verify Nginx Mainline Removal on Debian

Run the policy check one more time after sudo apt update so the package cache reflects the cleaned repository list.

apt-cache policy nginx

nginx:
  Installed: (none)
  Candidate: 1.26.3-3+deb13u2
  Version table:
     1.26.3-3+deb13u2 500
        500 http://security.debian.org/debian-security trixie-security/main amd64 Packages
     1.26.3-3+deb13u1 500
        500 http://deb.debian.org/debian trixie/main amd64 Packages

Debian 12 and 11 show their own default APT versions in the Candidate field, but the key removal signal is the same on every release: Installed: (none) and no nginx.org entries left in the Version table.

Nginx Mainline on Debian FAQ

What is the difference between Nginx mainline and stable on Debian?

Mainline gets new upstream features and fixes first, while stable moves more slowly and backports selected fixes from mainline. As of March 2026, nginx.org lists mainline at 1.29.6 and stable at 1.28.2.

What version of Nginx does Debian install by default?

Debian’s default APT sources currently provide 1.26.3 on Debian 13, 1.22.1 on Debian 12, and 1.18.0 on Debian 11. The nginx.org mainline repository currently provides 1.29.6 on all three supported releases.

Do I need to restart or reload Nginx after changing the configuration on Debian?

Check the configuration first with sudo nginx -t. Use sudo systemctl reload nginx for normal config changes, and use sudo systemctl restart nginx after binary upgrades or when a reload does not clear the problem.

Why does the Nginx version command return command not found on Debian?

The binary is installed at /usr/sbin/nginx, and that path is often missing from a regular user’s SSH PATH. Use sudo nginx -v or call /usr/sbin/nginx -v directly.

Conclusion

Nginx Mainline is now running on Debian from the official nginx.org repository, with APT pinning keeping future updates on the upstream package line. When you are ready to build on that base, secure Nginx with Let’s Encrypt on Debian, enable gzip compression in Nginx, or install Fail2Ban on Debian.