hoellen/dockerfiles
1
0
Fork 0
mirror of https://github.com/hoellen/dockerfiles.git synced 2025-04-20 04:19:18 +00:00
Code Issues Projects Releases Wiki Activity
dockerfiles/boring-nginx
History
Wonderfall a21a6dc875 boring_nginx: remove spdy from vhost sample
2017-01-18 03:46:19 +01:00
..
Dockerfile
update boring-nginx to 1.11.8 with tls1.3 patch (#81)
2017-01-15 20:58:40 +01:00
headers_params
nginx: some changes
2016-10-01 17:46:27 +02:00
nginx.conf
nginx: some changes
2016-10-01 17:46:27 +02:00
ngxpasswd
Update ngxpasswd
2016-05-31 16:56:35 +02:00
ngxproxy
boring-nginx: add hsts to ngxproxy
2016-10-15 09:02:18 +02:00
proxy_params
add boring-nginx, based on reverse
2016-05-29 02:09:20 +02:00
README.md
Update README.md
2016-10-11 19:01:16 +02:00
run.sh
boring-nginx: change pid path
2016-09-25 22:13:32 +02:00
ssl_params
update dockerfiles, clean up
2017-01-16 22:13:29 +01:00
tls1.3.patch
update boring-nginx to 1.11.8 with tls1.3 patch (#81)
2017-01-15 20:58:40 +01:00
vhost_http.conf
update ngxpasswd and ngxproxy
2016-05-30 18:10:49 +02:00
vhost_https.conf
boring_nginx: remove spdy from vhost sample
2017-01-18 03:46:19 +01:00

README.md

wonderfall/boring-nginx

What is this?

This is nginx statically linked against BoringSSL, with embedded Brotli support.

Features

  • Based on Alpine Linux.
  • nginx built against BoringSSL.
  • Built using hardening gcc flags.
  • TTP/2 (+NPN) support.
  • Brotli compression support (and configured).
  • No root master process.
  • AIO Threads support.
  • No unnessary modules (except fastcgi).
  • PCRE-jit enabled.
  • Strong configurations included.
  • Anonymous webserver signature (headers-more).
  • ngxpasswd : generates a htpasswd file.
  • ngxproxy : generates a proxy virtual host file.

Notes

  • It is required to change the listen directive to 8000/4430 instead of 80/443.
  • Linux 3.17+, and the latest Docker stable are recommended.
  • BoringSSL is naming ECDH curves differently, some modifications will be required if you want to use your own SSL/TLS config file. For example, secp384r1 (OpenSSL, LibreSSL) is P-384 (BoringSSL). BoringSSL does support multiple curves with its implementation of SSL_CTX_set1_curves_list(), an example is provided in the default /etc/nginx/confssl_params. X25519 is actually the safest curve you can use so it should be the first curve in your list.
  • BoringSSL can use cipher groups : a group is defined by brackets and ciphers are separated by | like this : [cipher1|cipher2|cipher3]. Ciphers in a group are considered equivalent on the server-side and let the client decide which cipher is the best. This can be useful when using ChaCha20, because AES remains faster than ChaCha20 on AES-NI devices.

Volumes

  • /sites-enabled : vhosts files (*.conf)
  • /conf.d : additional configuration files
  • /certs : SSL/TLS certificates
  • /var/log/nginx : nginx logs
  • /passwds : authentication files
  • /www : put your websites there

Build-time variables

  • NGINX_VERSION : version of nginx
  • GPG_NGINX : fingerprint of signing key package
  • BUILD_CORES : number of cores used during compilation

Environment variables

  • GID : nginx group id (default : 991)
  • UID : nginx user id (default : 991)

How to use it?

https://github.com/hardware/mailserver/wiki/Reverse-proxy-configuration

You can use ngxproxy to generate a vhost through an easy process : docker exec -ti nginx ngxproxy. ngxpasswd can generate htpasswd files : docker exec -ti nginx ngxpasswd. Both utilites are interactive so you won't feel lost.

Some configuration files located in /etc/nginx/conf are already provided, you can use them with the include directive.

  • ssl_params : Provides a nice balance between compatibility and security.
  • headers_params : HSTS (+ preload), XSS protection, etc.
  • proxy_params : use with proxy_pass.