More is not always more. The standard NGINX package comes loaded with modules for mail proxying, XSLT transformations, and image processing — things that 99% of web servers running WordPress or PHP apps will never touch. Those modules sit in memory doing nothing, adding attack surface, costing you binary size for zero benefit.
It’s like buying a Swiss Army knife when all you needed was a chef’s knife. Sure, it has a saw and a magnifying glass. But you’re serving dinner, not surviving the woods.
nginx-minimal is our answer. Same performance-optimised NGINX — HTTP/3, -O3 -flto, jemalloc, zlib-ng, openssl-nginx — but with 12 static modules removed that most deployments never use. Principle of least privilege: run only what you need.
What Does nginx-minimal Remove?
Twelve static modules that are compiled into full NGINX but rarely used in production web serving:
- ngx_mail_module — IMAP/POP3/SMTP proxying. Not a mail server? Gone.
- ngx_stream_module — TCP/UDP load balancing. Most PHP sites don’t need this.
- ngx_http_image_filter_module — on-the-fly image resizing. Use a CDN or Imgproxy instead.
- ngx_http_xslt_filter_module — XSLT transformations. Last decade called, they want their module back.
- ngx_http_perl_module — Perl scripting in NGINX. No.
- Plus 7 more rarely-used modules most WordPress and PHP deployments never touch.
What stays? Everything you actually use: HTTP, SSL/TLS, rewrite, proxy, upstream, gzip, FastCGI, WebSocket, auth, access control, stub status — and all 50+ dynamic modules remain available as opt-in installs. Remove at compile time, load at runtime. Best of both worlds.
What nginx-minimal Keeps
- HTTP/3 + QUIC support (full, not experimental)
- TLS 1.3 via openssl-nginx (kTLS kernel offload, hardware entropy, ML-KEM post-quantum)
- Compiled with
-O3 -flto— same performance as full NGINX - jemalloc for better memory allocation under concurrent load
- zlib-ng for faster gzip (SIMD-accelerated on modern CPUs)
- 50+ dynamic modules available: brotli, zstd, ModSecurity, Lua, NJS, headers-more, GeoIP2, and more
- Full compatibility with standard NGINX config syntax
Who Should Use nginx-minimal?
- WordPress hosting — you need FastCGI, proxy, SSL, gzip. You don’t need mail or XSLT.
- PHP-FPM reverse proxies — same story. Slim and fast.
- Docker images — smaller image size, faster pulls, smaller attack surface.
- Kubernetes deployments — faster pod startup, lower resource requests.
- Security-conscious setups — code that isn’t compiled in can’t have vulnerabilities.
- VPS with limited RAM — less code loaded means lower baseline memory footprint.
If you need TCP/UDP load balancing or mail proxying, use the full NGINX package. nginx-minimal is a deliberate choice for common web workloads, not a universal replacement.
Installation
# Add the myguard repository
wget -qO- https://deb.myguard.nl/gpg.key
| gpg --dearmor > /usr/share/keyrings/myguard-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/myguard-archive-keyring.gpg]
https://deb.myguard.nl stable main"
| tee /etc/apt/sources.list.d/myguard.list
apt update
apt install nginx-minimalNew to the myguard repository? Follow the setup guide to add it in under a minute.
Then add only the dynamic modules your setup actually needs:
# Install only what you use
apt install libnginx-mod-http-brotli # Brotli compression
apt install libnginx-mod-http-modsecurity # ModSecurity WAF
apt install libnginx-mod-http-lua # Lua scripting
apt install libnginx-mod-http-headers-more # Custom headers
apt install libnginx-mod-http-geoip2 # GeoIP-based routingTypical WordPress + PHP-FPM Config
server {
listen 443 ssl;
http2 on;
server_name example.com;
ssl_certificate /etc/ssl/certs/example.com.pem;
ssl_certificate_key /etc/ssl/private/example.com.key;
ssl_protocols TLSv1.2 TLSv1.3;
root /var/www/example.com;
index index.php;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ .php$ {
fastcgi_pass unix:/run/php/php8.3-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}No stream module, no mail, no image filter — none of that is in the binary, so there’s nothing to misconfigure. For PHP security hardening, add PHP-Snuffleupagus. For a full security hardening checklist, see the NGINX performance and security guide.
nginx-minimal vs Full NGINX vs Angie
| Feature | nginx-minimal | nginx (full) | Angie |
|---|---|---|---|
| HTTP/3 + QUIC | ✓ | ✓ | ✓ |
| TLS 1.3 | ✓ | ✓ | ✓ |
| 50+ dynamic modules | ✓ (opt-in) | ✓ (opt-in) | ✓ (opt-in) |
| Mail proxying | ✗ | ✓ | ✓ |
| Stream (TCP/UDP) | ✗ | ✓ | ✓ |
| Native ACME (Let’s Encrypt) | ✗ | ✗ | ✓ |
| JSON status API | ✗ | ✗ | ✓ |
| Binary size | Smaller | Standard | Standard |
If you need native ACME (Let’s Encrypt without Certbot) or a JSON monitoring API, consider Angie. If you just need a lean, fast NGINX for serving PHP apps, nginx-minimal is the right tool.
Frequently Asked Questions
- Does nginx-minimal support HTTP/3?
- Yes — fully. HTTP/3 and QUIC are in the core build. The removed modules are legacy features (mail, XSLT, image filter) completely unrelated to modern HTTP stack support.
- Can I add modules back to nginx-minimal later?
- Yes, that’s the whole point. All 50+ dynamic modules are available as separate libnginx-mod-* packages. Install exactly what you need: apt install libnginx-mod-http-brotli, add a load_module line, reload. You get full flexibility.
- Is nginx-minimal compatible with my existing NGINX config?
- If your config doesn’t use the removed static modules (mail, stream, image filter, XSLT, Perl), then yes — it’s a drop-in replacement. Test with nginx -t after switching.
- How much smaller is the nginx-minimal binary?
- Roughly 10–15% smaller than full NGINX. The bigger win is attack surface: code that isn’t compiled in can’t have vulnerabilities, can’t be misconfigured, and doesn’t use memory.
- Can I use nginx-minimal in Docker?
- Yes — this is one of the best use cases. Start with nginx-minimal as your base, add only the modules your app needs. You get a smaller final image and a more predictable, auditable configuration.
- What is the difference between nginx-minimal and nginx-light?
- nginx-light was a Debian package variant that is now deprecated. nginx-minimal is our maintained alternative with modern optimizations (HTTP/3, kTLS, jemalloc, -O3), and the full dynamic module ecosystem. nginx-light is gone; nginx-minimal is the modern replacement.
Related Posts
- nginx-core, nginx-full, nginx-light Deprecated — Migration Guide — what happened to the old Debian NGINX packages and what to use instead
- Angie vs NGINX: Complete 2026 Comparison — if you need native ACME or JSON API, Angie might be your pick
- How to Optimize NGINX and Angie for Maximum Performance — full performance and security tuning guide
- Hardening PHP-FPM with PHP-Snuffleupagus — interpreter-level PHP security for your stack