deb.myguard.nl · drop-in NGINX replacement

Angie web server for Debian & Ubuntu

The maintained NGINX fork by its original core devs, packaged for apt — native ACME/Let’s Encrypt, a JSON status API, HTTP/3 (QUIC), and the same hardening + 101 dynamic modules as our NGINX stack. Your /etc/nginx/ config works unchanged.

Current version: 1.11.8
Last built: 2026-06-20
Modules shipped: 102 dynamic + 11 libraries

Want a maintained NGINX fork you can apt install on Debian or Ubuntu and point at your existing config? That is what these Angie packages are. After F5 acquired NGINX, mainline development slowed and several long-requested features never landed; Angie is the answer from the people who wrote NGINX in the first place — same engine, same config language, actively shipped.

Because Angie is a true drop-in, migrating is one command, not a rewrite: install angie, keep /etc/nginx/, restart. You get the features NGINX never shipped (automatic ACME certificates, a live JSON status API) on top of the identical hardened build, OpenSSL-NGINX, HTTP/3 and dynamic-module set documented below. New to Angie? Start with the Angie vs NGINX complete guide.

What is Angie?

Angie is a high-performance web server forked from NGINX by the original core NGINX developers. It is a true drop-in replacement — compatible with all NGINX configuration syntax — while adding features NGINX mainline hasn’t shipped yet: native ACME/Let’s Encrypt, a rich JSON status API, and active development by its original authors.

Our packages are built with the exact same optimizations and dynamic module set as our NGINX stack — same performance tuning, same security hardening, just swap the binary.

Why choose Angie?

  • Built by the original NGINX core developers
  • Native ACME/Let’s Encrypt — no Certbot needed (deep dive)
  • Rich JSON status API at /status — connections, upstreams, caches, SSL stats
  • 100% NGINX config compatible — no migration needed
  • Linked against OpenSSL-NGINX, HTTP/3 QUIC, -Ofast -flto, zlib-ng, kTLS, TFO

See also: Angie vs NGINX feature comparison

Installation

See the How to use page to add the repository. Migrating from NGINX? Your /etc/nginx/ config works as-is.

Applied patches

The patch series applied to every Angie build (in order):

  1. 0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch – keeps the Server: response header and nginx -v output identical across the whole package matrix, so client fingerprints don’t drift between distros or rebuilds.
  2. 1.30.0-zlib-ng.patch – teaches nginx’s gzip filter about zlib-ng in native mode, so the package links against the faster compressor without breaking ABI for callers expecting classic zlib.
  3. nginx_dynamic_tls_records.patch – enables the Cloudflare dynamic TLS record sizing logic so the first byte of TLS payload arrives in a single packet, cutting time-to-first-byte over the wire.
  4. nginx-ssl_cert_cb_yield.patch – lets Lua handlers yield (cosocket calls, sleeps, redis lookups…) from inside ssl_certificate_by_lua* and ssl_session_fetch_by_lua* callbacks; required for any non-trivial dynamic-certificate setup.
  5. myguard-branding.patch – final branding sweep: replaces vendor strings and tweaks the default error pages so packaged installs identify as nginx only, not nginx (Debian) or nginx (Ubuntu).
  6. ssl-fingerprint.patch – captures the raw ClientHello in nginx core and exposes the fp_* fields on ngx_ssl_connection_s that the libnginx-mod-ssl-fingerprint module reads to compute JA3/JA4. Inert unless that module is built.

Standalone libraries provided

Upstream libraries built and shipped alongside the modules. Not loadable as nginx/angie modules themselves; listed for transparency.

  • libmodsecurity3 – v3 library component used by the nginx connector.
  • libcoraza – C/Go WAF engine linked by angie-module-http-coraza; runs SecLang/OWASP CRS rules as a ModSecurity v3 replacement.
  • modsecurity-crs – OWASP ModSecurity Core Rule Set.
  • libjemalloc2 – jemalloc allocator, built specifically for NGINX (use the one from this repo).
  • libz-ng2 – next-generation zlib data-compression library (native mode).
  • lua-resty – bundle of the most-used Lua modules for libnginx-mod-http-lua.
  • lua-resty-core – FFI-based Lua API for ngx_http_lua_module / ngx_stream_lua_module (OpenResty).
  • lua-resty-lrucache – Lua-land LRU cache based on the LuaJIT FFI (OpenResty).
  • openssl-nginx – dedicated OpenSSL build tuned for nginx (kTLS, QUIC, leaner crypto defaults).
  • PSOL – Page Speed Optimisation Library, per-distro builds for ngx_pagespeed.
  • libinjection – SQL injection and XSS detection library, linked into the http-waf module’s pattern-matching engine.
  • quickjs-ng – maintained fork of the QuickJS JavaScript engine, staged at build time so the njs module links against it instead of njs’s older bundled interpreter.

Module usage examples

See the module usage examples page for ModSecurity, GeoIP2, Brotli, Lua, rate limiting and more.

All dynamic modules

All modules ship as angie-module-* packages. Load them with load_module modules/ngx_*.so; at the top of your config.

Security & WAF modules

Authentication modules

Compression modules

Geo-location & analytics modules

Access control & rate limiting modules

Cache management modules

Lua & scripting modules

Headers & response manipulation modules

Static serving & WebDAV modules

Streaming & real-time modules

Upstream & load balancing modules

TLS & fingerprinting modules

Other modules

  • angie-module-http-autocert – Automatic TLS certificates for NGINX — built into the server.
  • angie-module-http-limit-traffic-rate – NGINX’s limit_rate directive limits a connection’s speed, and limit_conn limits the number of connections by a given variable.
  • angie-module-http-push-stream – (description pending)
  • angie-module-http-upstream-log – The ngx_http_upstream_log_module module writes upstream request logs in the specified format, like ngx_http_log_module.
  • angie-module-http-var – ngx_http_var_module is a nginx module that dynamically assigns new variables through predefined functions.
  • angie-module-ssl-ct – (description pending)
  • angie-module-njs – NGINX JavaScript — built against QuickJS-NG instead of njs’s native interpreter, so the language surface is full ES2023 (real async/await, BigInt, Proxy, ES modules, modern regex, Intl) for js_set / js_content / js_periodic scripting.
  • angie-module-http-otel – OpenTelemetry (OTel) is an observability framework for monitoring, tracing, troubleshooting, and optimizing applications.

Patches (7 total)

The complete patch series applied to every angie build on this repository, in the exact order Debian packaging applies them (debian/patches/series):

  1. 0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch — keeps the Server: response header and angie -v output identical across the whole package matrix, so client fingerprints don’t drift between distros or rebuilds.
  2. 1.30.0-zlib-ng.patch — teaches Angie’s gzip filter about zlib-ng in native mode, so the package links against the faster compressor without breaking ABI for callers expecting classic zlib.
  3. nginx_dynamic_tls_records.patch — enables Cloudflare’s dynamic TLS record sizing logic so the first byte of TLS payload arrives in a single packet, cutting time-to-first-byte over the wire.
  4. nginx-ssl_cert_cb_yield.patch — lets Lua handlers yield (cosocket calls, sleeps, redis lookups…) from inside ssl_certificate_by_lua* and ssl_session_fetch_by_lua* callbacks; required for any non-trivial dynamic-certificate setup.
  5. http2-ktls-lingering-close-eio.patch — silences the spurious SSL_read() failed (EIO) alert that mainline emits when an HTTP/2 client closes a kTLS connection during lingering-close.
  6. openssl-4-compat.patch — compatibility shims so Angie builds and links cleanly against openssl-nginx 4.x (deprecated APIs removed in OpenSSL 4).
  7. myguard-branding.patch — final branding sweep: replaces vendor strings and tweaks the default error pages so packaged installs identify as angie only, not angie (Debian) or angie (Ubuntu).

Build optimizations (2026)

  • Linked against OpenSSL-NGINX — dedicated OpenSSL 3.5 built for webservers: kTLS offload, ec_nistp_64_gcc_128, RDRAND hardware entropy, no legacy ciphers or bloat
  • TLS 1.3 + kTLS kernel TLS offload (ssl_conf_command Options KTLS;)
  • HTTP/3 QUIC support enabled
  • Compiled with -Ofast -flto=auto for maximum performance
  • Linked against zlib-ng in native mode (SIMD-accelerated compression)
  • jemalloc, TCP Fast Open, AIO threading support

Not included in our Angie build (and why)

Angie differs from our NGINX stack on these points:

  • Certbot/ACME patches not needed — Angie includes native ACME/Let’s Encrypt support in the core. No external patches required. Use acme { ... } directives directly in nginx.conf.
  • Fewer Debian compatibility patches — NGINX requires multiple Debian patches (pidfile race condition fixes, symbol signature patches for ABI stability). Angie has these issues fixed upstream since it’s actively maintained by the original NGINX developers.
  • No proxy-connect patch needed — NGINX requires ngx_http_proxy_connect_module to support HTTP CONNECT tunneling. Angie already implements native CONNECT method support in the core, making the patch incompatible and unnecessary.

Supported distributions

  • Debian Trixie (13), Bookworm (12), Bullseye (11)
  • Ubuntu Resolute (26.04), Noble (24.04), Jammy (22.04)

Docker

Daily-rebuilt images on Docker Hub (eilandert). See the Docker page.

Post-Quantum Cryptography (PQC) ready

Angie from this repository is compiled against openssl-nginx 3.5, which ships ML-KEM (FIPS 203) as a stable algorithm. Add one directive to enable hybrid post-quantum key exchange for Chrome, Firefox, and Edge today:

ssl_ecdh_curve X25519MLKEM768:x25519:secp256r1:secp384r1;

Clients that support X25519MLKEM768 negotiate a hybrid X25519 + ML-KEM-768 handshake automatically. Clients that do not support it fall back to classical groups unchanged. See the Post-Quantum TLS configuration guide for the full setup, verification steps, and FAQ.
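
One way to check a config for the directive above across every vhost, as an added example that is not part of these packages: a server-level ssl_ecdh_curve replaces the inherited list, so one override can silently drop the hybrid group. The function name, sample config and host names are constructed; directives split across lines and include files are not followed.

```python
import re

HYBRID = "x25519mlkem768"
CLASSICAL = {"x25519", "secp256r1", "prime256v1", "secp384r1"}

def audit_ecdh_curves(conf_text):
    """Return [(line_no, problem)] for ssl_ecdh_curve directives in conf_text."""
    findings, seen = [], False
    for no, line in enumerate(conf_text.splitlines(), 1):
        line = line.split("#", 1)[0]                  # ignore comments
        m = re.search(r"\bssl_ecdh_curve\s+([^;]+);", line)
        if not m:
            continue
        seen = True
        # Names are compared case-insensitively for the audit only.
        names = {g.lower() for g in m.group(1).strip().split(":") if g}
        if HYBRID not in names:
            findings.append((no, "hybrid group X25519MLKEM768 not offered"))
        elif not names & CLASSICAL:
            findings.append((no, "no classical fallback for clients without ML-KEM"))
    if not seen:
        findings.append((0, "ssl_ecdh_curve is never set"))
    return findings

# Constructed sample config: one good default, two vhost overrides.
SAMPLE_CONF = """\
http {
    ssl_ecdh_curve X25519MLKEM768:x25519:secp256r1:secp384r1;
    server {
        server_name legacy.example;
        ssl_ecdh_curve secp384r1;
    }
    server {
        server_name pq-only.example;
        ssl_ecdh_curve X25519MLKEM768;
    }
    # ssl_ecdh_curve X448;
}
"""

if __name__ == "__main__":
    for line_no, problem in audit_ecdh_curves(SAMPLE_CONF):
        print(f"line {line_no}: {problem}")
```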

Frequently asked questions

Is Angie really a drop-in replacement for NGINX?
Yes. Angie is forked from NGINX by its original core developers and keeps full configuration-syntax compatibility. Install the angie package, leave your /etc/nginx/ directory in place, and restart — there is no config rewrite. The same dynamic modules, OpenSSL-NGINX, HTTP/3 and hardening flags as our NGINX build apply.

How do I migrate from NGINX to Angie?
Add the deb.myguard.nl repository, then apt install angie. Angie reads the existing /etc/nginx/ configuration unchanged, so the migration is install + restart. Keep the nginx package removed or masked to avoid two servers fighting over port 443. Roll back by reinstalling nginx — the config is shared.

Does Angie issue Let’s Encrypt certificates without Certbot?
Yes — Angie has native ACME support built in. You declare an ACME client and reference it from a server block, and Angie obtains and renews certificates itself. No Certbot, no cron job, no webroot hooks. See the Angie complete guide for a working vhost.

What is the Angie status API?
Angie ships a rich JSON status API (typically at /status) exposing connections, per-upstream health, cache usage and SSL statistics — far more than NGINX’s stub_status. It is the data source for dashboards and Prometheus exporters without a commercial subscription.

Angie vs NGINX — which should I run?
If you want mainline NGINX with our module set, use the NGINX packages. Choose Angie if you want the same engine plus actively-shipped features (native ACME, JSON status API, on-the-fly upstream config) from the original NGINX authors. Both builds share the same patches, hardening and dynamic modules here, so you can switch either way with one apt command.

Are the same dynamic modules available as the NGINX build?
Yes. Every module is rebuilt for Angie under the angie-module-* name with the same source and patches as the libnginx-mod-* packages, so brotli, zstd, ModSecurity, Coraza, Lua, GeoIP2 and the rest are all available. The full list is in the “All dynamic modules” section above.

Which Debian and Ubuntu releases are supported?
Bullseye, bookworm and trixie on Debian; jammy, noble and resolute on Ubuntu. Each release gets its own Angie build of the server, dynamic modules and standalone libraries, with daily-rebuilt Docker images on Docker Hub.

Report issues

Open an issue at github.com/eilandert/deb.myguard.nl.