nginx modules optimized (mainline)
The goal is to have a full-fledged proxy/webserver with nginx modules for my minimally configured lxc/docker/wordpress/magento/opencart instances while keeping security, performance and usability (easy to maintain) in mind. Automatic rebuilds usually occur within hours after a new NGINX release; if there is no patch conflict they are uploaded automatically.
There is no (commercial) support, software is as it comes. But I am happy to fix bugs in my build or help out if I have the time. I don’t personally use all nginx modules, since most are requested by readers like you. If you need an nginx module, please let me know, I am happy to extend this stack. Any other tips are welcome too.
In Debian/Ubuntu there are 3 flavours to choose from, nginx-light, nginx-core or nginx-extras. A reasonable default is nginx-core. After installing one of the three you can install individual nginx modules with apt-get:
apt-get install nginx-light
apt-get install libnginx-mod-http-fancyindex
There is also nginx-full, which is nginx-extras but with all the modules available installed.
For those who don’t want all the extra bells in this repo, there is an Ubuntu Launchpad.
Docker images (including PHP) can be found on Docker Hub.
The changelog is in the support forum.
Here is some reading material regarding NGINX
Please see this page on how to set up apt-get.
Please remove unused nginx modules from /etc/nginx/modules-enabled; it can speed things up.
Features:
- Latest Mainline
- Removed Debian/Ubuntu branding in server signature
- Optimized nginx.conf
- Linked all builds against latest OpenSSL so there is ALPN and TLS1.3 support
- Added recommended SSL directives, should give A+ on SSL Labs
- Now with OpenSSL3-quictls, add http://deb.myguard.nl/openssl3 to your apt sources or install myguard.deb
- kTLS is available, use “modprobe tls” and add “ssl_conf_command Options KTLS;” to the http{ } block
- Built with AIO + threading support (better performance for e.g. ZFS)
- Compiled with -O3 -flto to squeeze some extra % performance.
- Compiled with TFO (TCP Fast Open), use sysctl -w net.ipv4.tcp_fastopen=3 to enable
- Added HTTP2 HPACK Encoding Support. (Cloudflare patch)
- Added Optimizing TLS over TCP to reduce latency (Cloudflare patch)
(please add ssl_dyn_rec_enable on; to the http{} block)
- Linked against zlib-ng for faster/better data compression (native mode)
- Added additional bots/security/hardening/proxy examples in snippets/
(Some of the snippets are inspired by https://calomel.org/nginx.html)
- Pagespeed: separately built PSOL (Page Speed Optimization Library) per distro
- Docker image is on the docker hub (daily rebuilds)
- The modsecurity core ruleset (crs, from git) is repackaged on each nginx version update.
- Couple of lua modules, also repackaged on each nginx version update
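A preflight check for the kTLS, TFO and dynamic TLS record items above, as an added example that is not part of this repository. The function name, the file arguments and the sample inputs are assumptions made for illustration; the fastopen= listen parameter comes from the nginx documentation, not from this page.

```shell
#!/bin/sh
# Added example (not from the repository). Inputs are files so the check can
# run against saved copies:
#   $1 module list in /proc/modules format
#   $2 file holding the net.ipv4.tcp_fastopen value
#   $3 nginx configuration, e.g. saved output of `nginx -T`
# Prints one line per missing prerequisite; prints nothing when all are met.
check_nginx_features() {
    mods=$1; tfo_file=$2; conf=$3
    # Drop comments so a commented-out directive does not count as active.
    active=$(sed 's/#.*//' "$conf")
    has() { printf '%s\n' "$active" | grep -Eq "$1"; }

    # kTLS needs the kernel tls module and the OpenSSL option in nginx.
    # (A kernel with TLS built in does not list it in /proc/modules.)
    grep -q '^tls ' "$mods" || echo "ktls: tls module not loaded (modprobe tls)"
    has 'ssl_conf_command[[:space:]]+Options[[:space:]]+KTLS[[:space:]]*;' ||
        echo "ktls: 'ssl_conf_command Options KTLS;' missing"

    # TFO: bit 2 of tcp_fastopen enables the server side (3 = client+server).
    tfo=$(tr -dc '0-9' < "$tfo_file")
    [ $(( ${tfo:-0} & 2 )) -ne 0 ] ||
        echo "tfo: server side disabled (sysctl -w net.ipv4.tcp_fastopen=3)"
    # nginx also needs fastopen=N on a listen directive (nginx docs, not this page).
    has 'listen[^;]*[[:space:]]fastopen=[0-9]+' ||
        echo "tfo: no listen directive with fastopen=N"

    # Dynamic TLS records (Cloudflare patch) stay off unless enabled.
    has 'ssl_dyn_rec_enable[[:space:]]+on[[:space:]]*;' ||
        echo "dynrec: 'ssl_dyn_rec_enable on;' missing"
    return 0
}

# Constructed sample inputs (not taken from a real host).
demo=$(mktemp -d)
printf 'tls 114688 0 - Live 0x0\n' > "$demo/modules"
echo 1 > "$demo/tfo"
cat > "$demo/nginx.conf" <<'EOF'
http {
    ssl_conf_command Options KTLS;
    # ssl_dyn_rec_enable on;
    server { listen 443 ssl; }
}
EOF
check_nginx_features "$demo/modules" "$demo/tfo" "$demo/nginx.conf"
rm -rf "$demo"
```

On a live host, pass /proc/modules, /proc/sys/net/ipv4/tcp_fastopen and a file holding the output of nginx -T.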
Custom scripts:
- reorder-modules.sh – prioritize certain nginx modules in the right order
- cloudflare.sh – Get the Cloudflare IPs for inclusion in a vhost with CF-Connecting-IP
Standalone Libraries provided:
- libmodsecurity3 – v3 library component for use with the NGINX connector
- modsecurity-crs – OWASP ModSecurity Core Rule Set
- libjemalloc2 – You need the one on my repo, it’s built for NGINX
- libz-ng2 – zlib data compression library for the next generation systems (native mode)
- lua-resty – A bundle of most used lua modules for libnginx-mod-http-lua
- lua-resty-core – New FFI-based Lua API for ngx_http_lua_module and/or ngx_stream_lua_module (openresty)
- lua-resty-lrucache – Lua-land LRU cache based on the LuaJIT FFI. (openresty)
Extra NGINX modules built from git
- libnginx-mod-http-auth-spnego – This module implements SPNEGO support
- libnginx-mod-http-auth-pam – PAM authentication module
- libnginx-mod-http-bot-verifier – validate actors claiming to be search engine indexers (in testing)
- libnginx-mod-http-brotli – nginx module for Brotli compression
- libnginx-mod-http-cache-purge – Purge content from nginx caches
- libnginx-mod-http-dav-ext – WebDAV missing commands support
- libnginx-mod-http-doh – Simple nginx module for serving dns-over-https (DOH) requests.
- libnginx-mod-http-echo – Bring echo and more shell style goodies to Nginx
- libnginx-mod-http-encrypted-session – encrypt and decrypt nginx variable values
- libnginx-mod-http-fancyindex – Fancy indexes module
- libnginx-mod-http-geoip2 – GeoIP2 http module
- libnginx-mod-http-headers-more-filter – Set and clear input and output headers
- libnginx-mod-http-ipset-blacklist – for using netfilter ipsets as a black/white list
- libnginx-mod-http-lua – Embed the power of Lua into nginx servers (openresty)
- libnginx-mod-http-lua-ssl – extends the lua module with enhanced SSL/TLS capabilities
- libnginx-mod-http-modsecurity – connector for libmodsecurity3
- libnginx-mod-http-naxsi – naxsi is an open-source web application firewall
- libnginx-mod-http-ndk – Development Kit module
- libnginx-mod-http-njs – subset of the JavaScript language that allows extending nginx functionality
- libnginx-mod-http-redis2 – upstream module for the Redis 2.0 protocol
- libnginx-mod-http-security-headers – module for sending security headers
- libnginx-mod-http-srcache-filter – Transparent subrequest-based caching layout for arbitrary nginx locations
- libnginx-mod-http-ssl-ct – Certificate Transparency module
- libnginx-mod-http-subs-filter – Substitution filter module
- libnginx-mod-http-sysguard – Protect nginx against high sysload, memory or slow requests.
- libnginx-mod-http-trim-filter – Modifies html by removing unnecessary whitespaces and comments
- libnginx-mod-http-uploadprogress – Upload progress system for Nginx
- libnginx-mod-http-upstream-fair – Nginx Upstream Fair Proxy Load Balancer
- libnginx-mod-http-vhost-traffic-status – Provides access to virtual host status information
- libnginx-mod-http-waf – Handy, High performance Nginx firewall module. (ngx_waf)
- libnginx-mod-http-zstd – adds Zstandard (zstd) compression.
- libnginx-mod-mail-ssl-ct – Certificate Transparency module
- libnginx-mod-nchan – Fast, flexible pub/sub server
- libnginx-mod-pagespeed – ngx_pagespeed optimizes your site on the fly, with caching
- libnginx-mod-rtmp – RTMP support
- libnginx-mod-ssl-ct – Certificate Transparency module
- libnginx-mod-stream-geoip2 – GeoIP2 Stream module
- libnginx-mod-stream-lua – Embed the power of Lua into nginx servers (openresty)
- libnginx-mod-stream-njs – subset of the JS language that allows extending nginx functionality
- libnginx-mod-stream-ssl-ct – Certificate Transparency module for nginx.
Included nginx modules from the original code base:
- libnginx-mod-http-geoip – GeoIP Stream module (you need to install nginx-extras)
- libnginx-mod-http-image-filter – HTTP image filter module
- libnginx-mod-http-perl – Perl module for Nginx
- libnginx-mod-http-xslt-filter – XSLT Transformation module
- libnginx-mod-mail – Mail module (you need to install nginx-extras)
- libnginx-mod-stream – Stream module
- libnginx-mod-stream-geoip – GeoIP Stream module
Patches:
- 0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch (debian)
- 0003-define_gnu_source-on-other-glibc-based-platforms.patch (debian)
- CVE-2019-20372.patch (debian)
- nginx-fix-pidfile.patch (debian)
- nginx__1.19.4_dynamic_tls_records.patch (cloudflare)
- nginx_hpack_push_1.19.0.patch (cloudflare)
- nginx-1.21.4-resolver_conf_parsing.patch (openresty)
- nginx-1.21.4-ssl_cert_cb_yield.patch (openresty)
- zlib-ng.patch (zlibng)