This lets you run nginx as a normal user and still receive connections on port 80 and 443. Setup nginx to listen to port 8080 for http and 8443 for https.

nginx.firewall.plist

<!-- https://gist.github.com/stefansundin/f0ad99195333480157ce67e97c8d28c7

UPDATE:
This is not actually necessary, as you can use the following commands to allow nginx to bind to privileged ports:

 $ sudo chown root:wheel /usr/local/opt/nginx/bin/nginx
 $ sudo chmod u+s /usr/local/opt/nginx/bin/nginx



Forward port 80 to port 8080 and 443 to 8443 so that you can run nginx as a normal user.
Save to: /Library/LaunchDaemons/nginx.firewall.plist

Install:
sudo curl -L -o /Library/LaunchDaemons/nginx.firewall.plist https://gist.githubusercontent.com/stefansundin/f0ad99195333480157ce67e97c8d28c7/raw/nginx.firewall.plist
sudo launchctl load -Fw /Library/LaunchDaemons/nginx.firewall.plist

Uninstall:
sudo launchctl unload /Library/LaunchDaemons/nginx.firewall.plist
sudo rm /Library/LaunchDaemons/nginx.firewall.plist
sudo pfctl -a "com.apple/250.NginxHttpFirewall" -F all
sudo pfctl -a "com.apple/250.NginxHttpsFirewall" -F all

Inspired by pow.cx firewall: https://github.com/basecamp/pow
-->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>nginx.firewall</string>
  <key>RunAtLoad</key>
  <true/>
  <key>UserName</key>
  <string>root</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>
      sysctl -w net.inet.ip.forwarding=1;
      echo "rdr pass proto tcp from any to any port {80,8080} -> 127.0.0.1 port 8080" | pfctl -a "com.apple/250.NginxHttpFirewall" -Ef -
      echo "rdr pass proto tcp from any to any port {443,8443} -> 127.0.0.1 port 8443" | pfctl -a "com.apple/250.NginxHttpsFirewall" -Ef -
    </string>
  </array>
</dict>
</plist>