dockerfiles/boring-nginx/README.md

## hoellen/boring-nginx

![](https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/115px-Nginx_logo.svg.png)

#### What is this?
This is nginx statically linked against BoringSSL, with embedded Brotli support.

#### Features
- Thanks to [Wonderfall](https://github.com/wonderfall/dockerfiles)
- Based on Alpine Linux.
- nginx built against **BoringSSL** with SSE/SHA, and AVX2 SIMD-instructions.
- **TLS 1.3** enabled
- Built using hardening gcc flags.
- Dynamic TLS records patch (cloudflare).
- TTP/2 (+NPN) support.
- Brotli compression support (and configured).
- No root master process.
- AIO Threads support.
- No unnessary modules (except fastcgi).
- PCRE-jit enabled.
- Strong configurations included.
- Anonymous webserver signature (headers-more).
- ngxpasswd : generates a htpasswd file.
- ngxproxy : generates a proxy virtual host file.

#### Notes
- It is required to change the `listen` directive to 8000/4430 instead of 80/443.
- Linux 3.17+, and the latest Docker stable are recommended.
- BoringSSL is naming ECDH curves differently, some modifications will be required if you want to use your own SSL/TLS config file. For example, `secp384r1` (OpenSSL, LibreSSL) is `P-384` (BoringSSL). BoringSSL does support multiple curves with its implementation of `SSL_CTX_set1_curves_list()`, an example is provided in the default `/etc/nginx/confssl_params`. `X25519` is actually the safest curve you can use so it should be the first curve in your list.
- BoringSSL can use cipher groups : a group is defined by brackets and ciphers are separated by `|` like this : `[cipher1|cipher2|cipher3]`. Ciphers in a group are considered equivalent on the server-side and let the client decide which cipher is the best. This can be useful when using ChaCha20, because AES remains faster than ChaCha20 on AES-NI devices.

#### Volumes
- **/sites-enabled** : vhosts files (*.conf)
- **/conf.d** : additional configuration files
- **/certs** : SSL/TLS certificates
- **/var/log/nginx** : nginx logs
- **/passwds** : authentication files
- **/www** : put your websites there

#### Build-time variables
- **NGINX_VERSION** : version of nginx
- **GPG_NGINX** : fingerprint of signing key package
- **BUILD_CORES** : number of cores used during compilation

#### Environment variables
- **GID** : nginx group id *(default : 991)*
- **UID** : nginx user id *(default : 991)*

#### How to use it?
https://github.com/hardware/mailserver/wiki/Reverse-proxy-configuration

You can use `ngxproxy` to generate a *vhost* through an easy process : `docker exec -ti nginx ngxproxy`. `ngxpasswd` can generate htpasswd files : `docker exec -ti nginx ngxpasswd`. Both utilites are interactive so you won't feel lost.

Some configuration files located in `/etc/nginx/conf` are already provided, you can use them with the `include` directive.

- `ssl_params` : Provides a nice balance between compatibility and security.
- `headers_params` : HSTS (+ preload), XSS protection, etc.
- `proxy_params` : use with `proxy_pass`.
[boring-nginx] update maintainer 2017-12-22 13:02:32 +01:00			`## hoellen/boring-nginx`
add boring-nginx, based on reverse 2016-05-29 02:09:20 +02:00
			`![](https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/115px-Nginx_logo.svg.png)`

			`#### What is this?`
boring-nginx: fix build, remove old patches 2016-10-11 18:59:35 +02:00			`This is nginx statically linked against BoringSSL, with embedded Brotli support.`
add boring-nginx, based on reverse 2016-05-29 02:09:20 +02:00
			`#### Features`
[boring-nginx] update maintainer 2017-12-22 13:02:32 +01:00			`- Thanks to [Wonderfall](https://github.com/wonderfall/dockerfiles)`
add boring-nginx, based on reverse 2016-05-29 02:09:20 +02:00			`- Based on Alpine Linux.`
SSE/SHA & AVX1 -> AVX2 (#124) * SIMD-instructions support: AVX1 -> AVX2 * SIMD/SSE instructions for SHA 2017-02-18 19:03:55 +02:00			`- nginx built against BoringSSL with SSE/SHA, and AVX2 SIMD-instructions.`
[boring-nginx] update Dockerfile 2018-04-13 17:32:19 +02:00			`- TLS 1.3 enabled`
boring-nginx: fix build, remove old patches 2016-10-11 18:59:35 +02:00			`- Built using hardening gcc flags.`
boring-nginx: dynamic tls records patch 2017-02-18 20:18:00 +01:00			`- Dynamic TLS records patch (cloudflare).`
boring-nginx: fix build, remove old patches 2016-10-11 18:59:35 +02:00			`- TTP/2 (+NPN) support.`
			`- Brotli compression support (and configured).`
			`- No root master process.`
			`- AIO Threads support.`
			`- No unnessary modules (except fastcgi).`
			`- PCRE-jit enabled.`
			`- Strong configurations included.`
			`- Anonymous webserver signature (headers-more).`
			`- ngxpasswd : generates a htpasswd file.`
			`- ngxproxy : generates a proxy virtual host file.`
add boring-nginx, based on reverse 2016-05-29 02:09:20 +02:00
			`#### Notes`
boring-nginx: update readme 2016-10-01 20:24:41 +02:00			- It is required to change the `listen` directive to 8000/4430 instead of 80/443.
			`- Linux 3.17+, and the latest Docker stable are recommended.`
			- BoringSSL is naming ECDH curves differently, some modifications will be required if you want to use your own SSL/TLS config file. For example, `secp384r1` (OpenSSL, LibreSSL) is `P-384` (BoringSSL). BoringSSL does support multiple curves with its implementation of `SSL_CTX_set1_curves_list()`, an example is provided in the default `/etc/nginx/confssl_params`. `X25519` is actually the safest curve you can use so it should be the first curve in your list.
			- BoringSSL can use cipher groups : a group is defined by brackets and ciphers are separated by `\|` like this : `[cipher1\|cipher2\|cipher3]`. Ciphers in a group are considered equivalent on the server-side and let the client decide which cipher is the best. This can be useful when using ChaCha20, because AES remains faster than ChaCha20 on AES-NI devices.
add boring-nginx, based on reverse 2016-05-29 02:09:20 +02:00
			`#### Volumes`
			`- /sites-enabled : vhosts files (*.conf)`
			`- /conf.d : additional configuration files`
			`- /certs : SSL/TLS certificates`
			`- /var/log/nginx : nginx logs`
			`- /passwds : authentication files`
Update README.md 2016-05-29 02:39:10 +02:00			`- /www : put your websites there`
add boring-nginx, based on reverse 2016-05-29 02:09:20 +02:00
			`#### Build-time variables`
			`- NGINX_VERSION : version of nginx`
Update README.md 2016-05-29 02:14:20 +02:00			`- GPG_NGINX : fingerprint of signing key package`
Update README.md 2016-10-11 19:01:16 +02:00			`- BUILD_CORES : number of cores used during compilation`
add boring-nginx, based on reverse 2016-05-29 02:09:20 +02:00
			`#### Environment variables`
			`- GID : nginx group id (default : 991)`
			`- UID : nginx user id (default : 991)`

			`#### How to use it?`
			`https://github.com/hardware/mailserver/wiki/Reverse-proxy-configuration`

Update README.md 2016-05-31 23:38:48 +02:00			You can use `ngxproxy` to generate a vhost through an easy process : `docker exec -ti nginx ngxproxy`. `ngxpasswd` can generate htpasswd files : `docker exec -ti nginx ngxpasswd`. Both utilites are interactive so you won't feel lost.
Update README.md 2016-05-30 20:26:02 +02:00
add boring-nginx, based on reverse 2016-05-29 02:09:20 +02:00			Some configuration files located in `/etc/nginx/conf` are already provided, you can use them with the `include` directive.

Update README.md 2016-05-30 20:26:02 +02:00			- `ssl_params` : Provides a nice balance between compatibility and security.
			- `headers_params` : HSTS (+ preload), XSS protection, etc.
			- `proxy_params` : use with `proxy_pass`.