NGINX Modules optimized & extended

The objective is to establish a comprehensive proxy/web server featuring NGINX modules, tailored for streamlined docker/wordpress/magento/opencart setups, prioritizing security, efficiency, and user-friendliness (simple maintenance). Typically, automatic rebuilds are initiated within a few hours following a new nginx update, and if there are no patch conflicts, they are automatically deployed as packages and dockers.

The software is provided as-is without commercial support. However, I am willing to address bugs in the build and offer assistance when possible. I don’t use most nginx modules myself; many are included based on requests from readers like you.

We make an effort to align with Debian upstream regularly, updating our package in response to their changes. Additionally, we backport and rebuild these updated packages for older distributions.

Besides the standard Debian package defaults, there’s a streamlined version called nginx-minimal. This lean package focuses on proxying, caching, and FastCGI, with most other static modules turned off. It’s efficient enough to run platforms like WordPress and supports loading dynamic modules.

Ok, TL;DR: How to install?

Since Debian has deprecated the meta-packages “nginx-light, nginx-core, nginx-extras, nginx-full”, the appropriate way to install nginx and its modules is now:

apt-get install nginx
apt-get install libnginx-mod-http-fancyindex

For a full list of modules, see below.

There is a changelog in the support forum
A build log can be found here
Dockers can be found here. One good tag is eilandert/nginx-modsecurity3-pagespeed:deb-php8.3

Features:

  • Latest Mainline in a debian/ubuntu package.
  • Removed debian/ubuntu branding in server signature.
  • Optimized nginx.conf
  • Added additional bots/security/hardening/proxy examples in snippets/
  • Linked all builds against latest OpenSSL+quic so there is full TLS1.3 and HTTP3/QUIC support
  • Added Optimizing TLS over TCP to reduce latency (Cloudflare patch)
  • Added recommended SSL directives, should give A+ on SSLLABS
  • kTLS is available, use “modprobe tls” and add “ssl_conf_command Options KTLS;” to the http{ } block
  • Built with AIO and threading support (better performance for e.g. ZFS)
  • Linked against zlib-ng for faster/better data compression (native mode)
  • Compiled with -O3 and -flto to squeeze some extra % performance.
  • Compiled with TFO (TCP Fast Open; use sysctl -w net.ipv4.tcp_fastopen=3 to enable)
  • Pagespeed: Separately built PSOL (Page Speed Optimization Library) per distro
  • Docker image is on the docker hub (daily rebuilds)
  • The modsecurity core ruleset (crs, from git) is repackaged on each nginx version update.
  • Couple of lua modules, also repackaged on each nginx version update
  • Patched NGINX and OpenSSL in order to support yielding operations in ssl_session_fetch_by_lua* and ssl_certificate_by_lua*

Extra NGINX modules built from git (dynamic)

Including dynamic nginx modules in the original code base:

  • libnginx-mod-http-geoip – GeoIP Stream module
  • libnginx-mod-http-image-filter – HTTP image filter module
  • libnginx-mod-http-perl – Perl module for Nginx
  • libnginx-mod-http-xslt-filter – XSLT Transformation module
  • libnginx-mod-mail – Mail module
  • libnginx-mod-stream – Stream module
  • libnginx-mod-stream-geoip – GeoIP Stream module

Standalone Libraries provided:

  • libmodsecurity3 – v3 library component for use with the NGINX connector
  • modsecurity-crs – OWASP ModSecurity Core Rule Set
  • libjemalloc2 – You need the one on my repo, it’s built for NGINX
  • libz-ng2 – zlib data compression library for the next generation systems (native mode)
  • lua-resty – A bundle of most used lua modules for libnginx-mod-http-lua
  • lua-resty-core – New FFI-based Lua API for ngx_http_lua_module and/or ngx_stream_lua_module (openresty)
  • lua-resty-lrucache – Lua-land LRU cache based on the LuaJIT FFI. (openresty)

Custom scripts:

  • reorder-modules.sh – prioritize certain nginx modules in the right order, including docker support
  • cloudflare.sh – Get the Cloudflare IPs for inclusion in a vhost with CF-Connecting-IP
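
An include file of the kind the cloudflare.sh entry describes decides which peers nginx trusts to set CF-Connecting-IP, so the list it is built from should be validated before it is written. The following is an added example, not the project's cloudflare.sh; the function names, the MIN_PREFIX policy and the sample ranges are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the project's cloudflare.sh.
# Reads one CIDR range per line on stdin and prints an nginx real-IP snippet.
# Nothing is printed unless every line validates, so a failed or tampered
# download cannot widen the set of peers trusted to set CF-Connecting-IP.

MIN_PREFIX=8   # assumed policy: refuse ranges broader than /8 (e.g. 0.0.0.0/0)

# Constructed sample input (documentation ranges, not Cloudflare's real list).
SAMPLE_RANGES='192.0.2.0/24
198.51.100.0/24
2001:db8::/32'

# Shape check only: IPv4 or IPv6 address, a slash, a numeric prefix length.
is_cidr() {
    printf '%s\n' "$1" | grep -Eq \
        -e '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' \
        -e '^[0-9a-fA-F:]+:[0-9a-fA-F:]*/[0-9]{1,3}$'
}

gen_realip_snippet() {
    out='' count=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')      # tolerate CRLF input
        [ -z "$line" ] && continue
        if ! is_cidr "$line"; then
            echo "rejected: not a CIDR range: $line" >&2
            return 1
        fi
        prefix=${line##*/}
        case "$line" in *:*) max=128 ;; *) max=32 ;; esac
        if [ "$prefix" -lt "$MIN_PREFIX" ] || [ "$prefix" -gt "$max" ]; then
            echo "rejected: prefix length outside policy: $line" >&2
            return 1
        fi
        out="${out}set_real_ip_from ${line};
"
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] || { echo "rejected: empty list" >&2; return 1; }
    printf '%sreal_ip_header CF-Connecting-IP;\n' "$out"
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_RANGES" | gen_realip_snippet
```

The shape check does not verify octet values, so run nginx -t on the generated file before reloading.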

Patches:

  • 0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch (debian)
  • 0003-define_gnu_source-on-other-glibc-based-platforms.patch (debian)
  • nginx-fix-pidfile.patch (debian)
  • nginx__1.19.4_dynamic_tls_records.patch (cloudflare)
  • nginx_hpack_push_1.25.0.patch (cloudflare)
  • nginx-1.21.4-ssl_cert_cb_yield.patch (openresty)
  • zlib-ng.patch (zlibng)