NGINX Modules optimized & extended

The objective is to establish a comprehensive proxy/web server featuring NGINX modules, tailored for streamlined docker/wordpress/magento/opencart setups, prioritizing security, efficiency, and user-friendliness (simple maintenance). Typically, automatic rebuilds are initiated within a few hours following a new nginx update, and if there are no patch conflicts, they are automatically deployed as packages and dockers.

The software is provided as-is without commercial support. However, I am willing to address bugs in the build and offer assistance when possible. I don’t use most nginx modules myself; many are included based on requests from readers like you.

We make an effort to align with Debian upstream regurlary, updating our package in response to their changes. Additionally, we backport and rebuild these updated packages to older distributions.

Besides the standard Debian package defaults, there’s a streamlined version called nginx-minimal. This lean package focuses on proxying, caching, and FastCGI, with most other static modules turned off. It’s efficient enough to run platforms like WordPress and supports loading dynamic modules.

—

Ok, TL;DR: How to install?

With Debian deprecated the meta-packages “nginx-light, nginx-core, nginx-extras, nginx-full”, the appropriate method to install nginx and its modules now is:

apt-get install nginx
apt-get install libnginx-mod-http-fancyindex

For a full list of modules, see below.

There is a changelog in the support forum
A build log can be found here
Dockers can be found here. One good tag is eilandert/nginx-modsecurity3-pagespeed:deb-php8.3

Features:

• Latest Mainline in a debian/ubuntu package.
• Removed debian/ubuntu branding in server signature.
• Optimized nginx.conf
• Added additional bots/security/hardening/proxy examples in snippets/
• Linked all builds against latest OpenSSL+quic so there is full TLS1.3 and HTTP3/QUIC support
• Added Optimizing TLS over TCP to reduce latency (Cloudflare patch)
• Added recommended SSL directives, should give A+ on SSLLABS
• kTLS is available, use “modprobe tls” and add “ssl_conf_command Options KTLS;” to the http{ } block
• Build with AIO and threading support (better performance for eg ZFS)
• Linked against zlib-ng for faster/better data compression (native mode)
• Compiled with -O3 and -flto to squeeze some extra % performance.
• Compiled with TFO (TCP Fast Open), use sysctl -w net.ipv4.tcp_fastopen=3 to enable)
• Pagespeed: Seperately build PSOL (Page Speed Optimalisation Library) per distro
• Docker image is on the docker hub (daily rebuilds)
• The modsecurity core ruleset (crs, from git) is repackaged on each nginx version update.
• Couple of lua modules, also repackaged on each nginx version update
• Patched NGINX and OpenSSL in order to support yielding operations in ssl_session_fetch_by_lua* and ssl_certificate_by_lua*

Extra NGINX modules build from git (dynamic)

• libnginx-mod-http-access-plus – allows limiting access to certain http request methods and client addresses.
• libnginx-mod-http-auth-ldap – LDAP authentication module for nginx
• libnginx-mod-http-auth-spnego – This module implements SPNEGO support
• libnginx-mod-http-auth-pam – PAM authentication module
• libnginx-mod-http-brotli – nginx module for Brotli compression
• libnginx-mod-http-cache-purge – Purge content from nginx caches
• libnginx-mod-http-captcha – nginx module for generate captcha and validate captcha code
• libnginx-mod-http-concat – A module for concatenating files in a given context: CSS and JS files usually
• libnginx-mod-http-dav-ext – WebDAV missing commands support
• libnginx-mod-http-doh – Simple nginx module for serving dns-over-https (DOH) requests.
• libnginx-mod-http-dynamic-etag – NGINX module for adding ETag to dynamic content
• libnginx-mod-http-early-hints – This is an experimental nginx module that sending 103 early hints.
• libnginx-mod-http-echo – Bring echo and more shell style goodies to Nginx
• libnginx-mod-http-encrypted-session – encrypt and decrypt nginx variable values
• libnginx-mod-http-eval – A module for evaluating memcached or proxy response into variable
• libnginx-mod-http-fancyindex – Fancy indexes module
• libnginx-mod-http-flv-live – same as RTMP but with HTTP-FLV, GOP cache, VHost and JSON stats 
• libnginx-mod-http-geoip2 – GeoIP2 http module
• libnginx-mod-http-hmac-secure-link – HMAC Secure Link module
• libnginx-mod-http-headers-more-filter Set and clear input and output headers
• libnginx-mod-http-immutable – setting immutable caching on static assets
• libnginx-mod-http-ipset-blacklist – for using netfilter ipsets as a black/white list
• libnginx-mod-http-js-challenge – Simple javascript proof-of-work based access (Similar to Cloudflare’s anti-DDoS feature)
• libnginx-mod-http-length-hiding-filter – append random generated string to the end of HTML response
• libnginx-mod-http-lua – Embed the power of Lua into nginx servers (openresty)
• libnginx-mod-http-lua-ssl – extends the lua module w enhanced SSL/TLS capabilities
• libnginx-mod-http-modsecurity – connector for libmodsecurity3
• libnginx-mod-http-naxsi – naxsi is an open-source web application firewall
• libnginx-mod-http-ndk -Development Kit module
• libnginx-mod-http-njs – subset of the JavaScript language that allows extending nginx functionality
• libnginx-mod-http-redis2 – upstream module for the Redis 2.0 protocol
• libnginx-mod-http-security-headers – module for sending security headers
• libnginx-mod-http-set-misc – Various set_xxx directives added to nginx’s rewrite module (md5/sha1, sql/json quoting, and many more)
• libnginx-mod-http-srcache-filter – Transparent subrequest-based caching layout for arbitrary nginx locations
• libnginx-mod-http-ssl-ct – Certificate Transparency module
• libnginx-mod-http-subs-filter – Substitution filter module
• libnginx-mod-http-sysguard – Protect nginx against high sysload, memory or slow requests.
• libnginx-mod-http-testcookie-access – simple robot mitigation module using cookie based challenge/response technique.
• libnginx-mod-http-trim-filter – Modifies html by removing unnecessary whitespaces and comments
• libnginx-mod-http-uploadprogress – Upload progress system for Nginx
• libnginx-mod-http-upstream-fair Nginx Upstream Fair Proxy Load Balancer
• libnginx-mod-http-user-agent – A module to match browsers and crawlers
• libnginx-mod-http-vhost-traffic-status – Provides access to virtual host status information
• libnginx-mod-http-waf – Handy, High performance Nginx firewall module. (ngx_waf)
• libnginx-mod-http-xss – Native support for cross-site scripting (XSS)
• libnginx-mod-http-zstd – adds Zstandard (zstd) compression.
• libnginx-mod-ipscrub – IP address anonymizer module for nginx
• libnginx-mod-mail-ssl-ct – Certificate Transparency module
• libnginx-mod-nchan – Fast, flexible pub/sub server
• libnginx-mod-pagespeed – ngx_pagespeed optimizes your site on the fly, with caching
• libnginx-mod-rtmp – RTMP support (alternative: libnginx-mod-http-flv-live)
• libnginx-mod-ssl-ct – Certificate Transparency module
• libnginx-mod-stream-geoip2 – GeoIP2 Stream module
• libnginx-mod-stream-lua Embed the power of Lua into nginx servers (openresty)
• libnginx-mod-stream-njs – subset of the JS language that allows extending nginx functionality
• libnginx-mod-stream-ssl-ct – Certificate Transparency module for nginx.

Including dynamic nginx modules in the original code base:

• libnginx-mod-http-geoip – GeoIP Stream module
• libnginx-mod-http-image-filter – HTTP image filter module
• libnginx-mod-http-perl – Perl module for Nginx
• libnginx-mod-http-xslt-filter – XSLT Transformation module
• libnginx-mod-mail – Mail module
• libnginx-mod-stream – Stream module
• libnginx-mod-stream-geoip – GeoIP Stream module

Standalone Libraries provided:

• libmodsecurity3 – v3 library component for use with the NGINX connector
• modsecurity-crs – OWASP ModSecurity Core Rule Set
• libjemalloc2 – You need the one on my repo, it’s build for NGINX
• libz-ng2 – zlib data compression library for the next generation systems (native mode)
• lua-resty – A bundle of most used lua modules for libnginx-mod-http-lua
• lua-resty-core – New FFI-based Lua API for ngx_http_lua_module and/or ngx_stream_lua_module (openresty)
• lua-resty-lrucache -Lua-land LRU cache based on the LuaJIT FFI. (openresty)

Custom scripts:

• reorder-modules.sh – priotize certain nginx modules in the right order, including docker support
• cloudflare.sh – Get the Cloudflare IP’s for include in vhost with CF-Connecting-IP

Patches:

• 0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch (debian)
• 0003-define_gnu_source-on-other-glibc-based-platforms.patch (debian)
• nginx-fix-pidfile.patch (debian)
• nginx__1.19.4_dynamic_tls_records.patch (cloudflare)
• nginx_hpack_push_1.25.0.patch (cloudflare)
• nginx-1.21.4-ssl_cert_cb_yield.patch (openresty)
• zlib-ng.patch (zlibng)