Angie modules optimized & extended

Current version: 1.11.6 (last built: 2026-05-27)

Sub-packages: 9 core + 100 modules (109 binary packages) · Patches: 7 · Distros: Debian bullseye / bookworm / trixie, Ubuntu jammy / noble / resolute

What is Angie?

Angie is a high-performance web server forked from NGINX by the original core NGINX developers. It is a true drop-in replacement — compatible with all NGINX configuration syntax — while adding features NGINX mainline hasn’t shipped yet: native ACME/Let’s Encrypt, a rich JSON status API, and active development by its original authors.

Our packages are built with the exact same optimizations and dynamic module set as our NGINX stack — same performance tuning, same security hardening, just swap the binary.

Why choose Angie?

  • Built by the original NGINX core developers
  • Native ACME/Let’s Encrypt — no Certbot needed (deep dive)
  • Rich JSON status API at /status — connections, upstreams, caches, SSL stats
  • 100% NGINX config compatible — no migration needed
  • Linked against OpenSSL-NGINX, HTTP/3 QUIC, -Ofast -flto, zlib-ng, kTLS, TFO

See also: Angie vs NGINX feature comparison

Installation

See the How to use page to add the repository. Migrating from NGINX? Your /etc/nginx/ config works as-is.

Applied patches

The patch series applied to every Angie build (in order):

  1. 0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch – keeps the Server: response header and nginx -v output identical across the whole package matrix, so client fingerprints don’t drift between distros or rebuilds.
  2. 1.30.0-zlib-ng.patch – teaches nginx’s gzip filter about zlib-ng in native mode, so the package links against the faster compressor without breaking ABI for callers expecting classic zlib.
  3. nginx_dynamic_tls_records.patch – enables the Cloudflare dynamic TLS record sizing logic so the first byte of TLS payload arrives in a single packet, cutting time-to-first-byte over the wire.
  4. nginx-ssl_cert_cb_yield.patch – lets Lua handlers yield (cosocket calls, sleeps, redis lookups…) from inside ssl_certificate_by_lua* and ssl_session_fetch_by_lua* callbacks; required for any non-trivial dynamic-certificate setup.
  5. http2-ktls-lingering-close-eio.patch – silences the spurious SSL_read() failed (EIO) alert that mainline emits when an HTTP/2 client closes a kTLS connection during lingering-close; cosmetic only, but it filled error logs.
  6. openssl-4-compat.patch – backported compatibility fixes so the build works against OpenSSL 4 while still compiling cleanly on systems that ship OpenSSL 3.
  7. myguard-branding.patch – final branding sweep: replaces vendor strings and tweaks the default error pages so packaged installs identify as nginx only, not nginx (Debian) or nginx (Ubuntu).

Bundled support libraries

Upstream libraries vendored into the build and linked into specific modules. Not loadable as nginx modules themselves; listed for transparency.

  • libinjection – SQL injection and XSS detection library. Bundled because the http-waf module links against it for its pattern-matching engine.
  • quickjs-ng – Maintained fork of the QuickJS JavaScript engine. Compiled and staged at build time so the njs dynamic module can be linked against the QuickJS engine instead of njs’s older bundled interpreter.

Module usage examples

See the module usage examples page for ModSecurity, GeoIP2, Brotli, Lua, rate limiting and more.

All dynamic modules

All modules ship as angie-module-* packages. Load them with load_module modules/ngx_*.so; at the top of your config.

Security & WAF modules

Authentication modules

Compression modules

Geo-location & analytics modules

Access control & rate limiting modules

Cache management modules

Lua & scripting modules

Headers & response manipulation modules

Static serving & WebDAV modules

Streaming & real-time modules

Upstream & load balancing modules

Other modules

  • angie-module-http-limit-traffic-rate – NGINX’s limit_rate directive can limit a connection’s speed, and limit_conn can limit the number of connections by a given variable.
  • angie-module-http-push-stream – (description pending)
  • angie-module-http-upstream-log – The ngx_http_upstream_log_module module writes upstream request logs in the specified format, like ngx_http_log_module.
  • angie-module-http-var – ngx_http_var_module is a nginx module that dynamically assigns new variables through predefined functions.
  • angie-module-ssl-ct – (description pending)
  • angie-module-njs – NGINX JavaScript — built against QuickJS-NG instead of njs’s native interpreter, so the language surface is full ES2023 (real async/await, BigInt, Proxy, ES modules, modern regex, Intl) for js_set / js_content / js_periodic scripting.

Patches (7 total)

The complete patch series applied to every angie build on this repository, in the exact order Debian packaging applies them (debian/patches/series):

  1. 0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch — keeps the Server: response header and angie -v output identical across the whole package matrix, so client fingerprints don’t drift between distros or rebuilds.
  2. 1.30.0-zlib-ng.patch — teaches Angie’s gzip filter about zlib-ng in native mode, so the package links against the faster compressor without breaking ABI for callers expecting classic zlib.
  3. nginx_dynamic_tls_records.patch — enables Cloudflare’s dynamic TLS record sizing logic so the first byte of TLS payload arrives in a single packet, cutting time-to-first-byte over the wire.
  4. nginx-ssl_cert_cb_yield.patch — lets Lua handlers yield (cosocket calls, sleeps, redis lookups…) from inside ssl_certificate_by_lua* and ssl_session_fetch_by_lua* callbacks; required for any non-trivial dynamic-certificate setup.
  5. http2-ktls-lingering-close-eio.patch — silences the spurious SSL_read() failed (EIO) alert that mainline emits when an HTTP/2 client closes a kTLS connection during lingering-close.
  6. openssl-4-compat.patch — compatibility shims so Angie builds and links cleanly against openssl-nginx 4.x (deprecated APIs removed in OpenSSL 4).
  7. myguard-branding.patch — final branding sweep: replaces vendor strings and tweaks the default error pages so packaged installs identify as angie only, not angie (Debian) or angie (Ubuntu).

Build optimizations (2026)

  • Linked against OpenSSL-NGINX — dedicated OpenSSL 3.5 built for webservers: kTLS offload, ec_nistp_64_gcc_128, RDRAND hardware entropy, no legacy ciphers or bloat
  • TLS 1.3 + kTLS kernel TLS offload (ssl_conf_command Options KTLS;)
  • HTTP/3 QUIC support enabled
  • Compiled with -Ofast -flto=auto for maximum performance
  • Linked against zlib-ng in native mode (SIMD-accelerated compression)
  • jemalloc, TCP Fast Open, AIO threading support

Not included in our Angie build (and why)

Angie differs from our NGINX stack on these points:

  • Certbot/ACME patches not needed — Angie includes native ACME/Let’s Encrypt support in the core. No external patches required. Use acme { ... } directives directly in nginx.conf.
  • Fewer Debian compatibility patches — NGINX requires multiple Debian patches (pidfile race condition fixes, symbol signature patches for ABI stability). Angie has these issues fixed upstream since it’s actively maintained by the original NGINX developers.
  • No proxy-connect patch needed — NGINX requires ngx_http_proxy_connect_module to support HTTP CONNECT tunneling. Angie already implements native CONNECT method support in the core, making the patch incompatible and unnecessary.

Supported distributions

  • Debian Trixie (13), Bookworm (12), Bullseye (11)
  • Ubuntu Resolute (26.04), Noble (24.04), Jammy (22.04)

Docker

Daily-rebuilt images on Docker Hub (eilandert). See the Docker page.

Post-Quantum Cryptography (PQC) ready

Angie from this repository is compiled against openssl-nginx 3.5, which ships ML-KEM (FIPS 203) as a stable algorithm. Add one directive to enable hybrid post-quantum key exchange for Chrome, Firefox, and Edge today:

ssl_ecdh_curve X25519MLKEM768:x25519:secp256r1:secp384r1;

Clients that support X25519MLKEM768 negotiate a hybrid X25519 + ML-KEM-768 handshake automatically. Clients that do not support it fall back to classical groups unchanged. See the Post-Quantum TLS configuration guide for the full setup, verification steps, and FAQ.
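
To confirm which group a handshake against your own server actually used, the added example below (not part of this repository's documentation) classifies the output of openssl s_client. The function names and sample transcripts are constructed for illustration; it assumes OpenSSL 3.2+ prints a "Negotiated TLS1.3 group:" line and older clients print "Server Temp Key:" instead.

```shell
#!/usr/bin/env bash
# Added example: report whether a TLS handshake used a post-quantum group.
# Assumed s_client output formats (not taken from the page):
#   OpenSSL 3.2+ : "Negotiated TLS1.3 group: <name>"
#   older clients: "Server Temp Key: <name>, <bits> bits"

# Read s_client output on stdin and print the group name (empty if absent).
negotiated_group() {
  awk -F': ' '
    /^Negotiated TLS1\.3 group:/ { g = $2; sub(/[ \t\r]+$/, "", g); print g; exit }
    /^Server Temp Key:/          { split($2, a, ","); print a[1]; exit }
  '
}

# Map a group name to pq / classical / unknown.
classify_group() {
  case "$1" in
    "")       echo unknown ;;    # no group line found (handshake failed?)
    *MLKEM*)  echo pq ;;         # e.g. X25519MLKEM768 from ssl_ecdh_curve
    *)        echo classical ;;  # x25519, secp256r1, secp384r1, ...
  esac
}

# Convenience wrapper: s_client output on stdin, classification on stdout.
check_pqc() {
  classify_group "$(negotiated_group)"
}

# Constructed transcripts (abbreviated), standing in for real s_client output.
SAMPLE_HYBRID='CONNECTED(00000003)
---
Negotiated TLS1.3 group: X25519MLKEM768
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384'

SAMPLE_FALLBACK='CONNECTED(00000003)
---
Negotiated TLS1.3 group: X25519
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384'

# Live use against your own server (HOST is a placeholder):
#   openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null | check_pqc
# Offer only a classical group to exercise the fallback path:
#   openssl s_client -connect HOST:443 -groups X25519 </dev/null 2>/dev/null | check_pqc

printf '%s\n' "$SAMPLE_HYBRID"   | check_pqc
printf '%s\n' "$SAMPLE_FALLBACK" | check_pqc
```

An "unknown" result means no group line was found, which usually points to a failed handshake or a client too old to report the group.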

Related deep-dives

The modules and patches above are documented in detail across the rest of the site. Read these for the why and how, not just the what.

Angie itself

TLS, HTTP/3 and OpenSSL

Compression

Security, WAF and hardening

Scripting (Lua and NJS)

Performance, benchmarks and operations

History, deprecations and releases

Mail, PHP and other packaged software

History and background

Report issues

Open an issue at github.com/eilandert/deb.myguard.nl.