hoellen/dockerfiles
1
0
Fork 0
mirror of https://github.com/hoellen/dockerfiles.git synced 2025-11-02 23:36:33 +00:00
Code Issues Projects Releases Wiki Activity
Files
9baa09176e5cf24e3af52453b797bae6c6f7d061
dockerfiles/boring-nginx/README.md

3.0 KiB
Raw Blame History

hoellen/boring-nginx

What is this?

This is nginx statically linked against BoringSSL, with embedded Brotli support.

Features

  • Thanks to Wonderfall
  • Based on Alpine Linux.
  • nginx built against BoringSSL with SSE/SHA, and AVX2 SIMD-instructions.
  • TLS 1.3 patch : use of TLS 1.3 DRAFT is enforced (haven't found another way yet).
  • Built using hardening gcc flags.
  • Dynamic TLS records patch (cloudflare).
  • TTP/2 (+NPN) support.
  • Brotli compression support (and configured).
  • No root master process.
  • AIO Threads support.
  • No unnessary modules (except fastcgi).
  • PCRE-jit enabled.
  • Strong configurations included.
  • Anonymous webserver signature (headers-more).
  • ngxpasswd : generates a htpasswd file.
  • ngxproxy : generates a proxy virtual host file.

Notes

  • It is required to change the listen directive to 8000/4430 instead of 80/443.
  • Linux 3.17+, and the latest Docker stable are recommended.
  • BoringSSL is naming ECDH curves differently, some modifications will be required if you want to use your own SSL/TLS config file. For example, secp384r1 (OpenSSL, LibreSSL) is P-384 (BoringSSL). BoringSSL does support multiple curves with its implementation of SSL_CTX_set1_curves_list(), an example is provided in the default /etc/nginx/confssl_params. X25519 is actually the safest curve you can use so it should be the first curve in your list.
  • BoringSSL can use cipher groups : a group is defined by brackets and ciphers are separated by | like this : [cipher1|cipher2|cipher3]. Ciphers in a group are considered equivalent on the server-side and let the client decide which cipher is the best. This can be useful when using ChaCha20, because AES remains faster than ChaCha20 on AES-NI devices.

Volumes

  • /sites-enabled : vhosts files (*.conf)
  • /conf.d : additional configuration files
  • /certs : SSL/TLS certificates
  • /var/log/nginx : nginx logs
  • /passwds : authentication files
  • /www : put your websites there

Build-time variables

  • NGINX_VERSION : version of nginx
  • GPG_NGINX : fingerprint of signing key package
  • BUILD_CORES : number of cores used during compilation

Environment variables

  • GID : nginx group id (default : 991)
  • UID : nginx user id (default : 991)

How to use it?

https://github.com/hardware/mailserver/wiki/Reverse-proxy-configuration

You can use ngxproxy to generate a vhost through an easy process : docker exec -ti nginx ngxproxy. ngxpasswd can generate htpasswd files : docker exec -ti nginx ngxpasswd. Both utilites are interactive so you won't feel lost.

Some configuration files located in /etc/nginx/conf are already provided, you can use them with the include directive.

  • ssl_params : Provides a nice balance between compatibility and security.
  • headers_params : HSTS (+ preload), XSS protection, etc.
  • proxy_params : use with proxy_pass.
Reference in New Issue View Git Blame Copy Permalink