NGINX Modules optimized & extended

Current version: 1.31.0 (last built: 2026-05-13)

The objective is to provide a comprehensive proxy/web server built on NGINX and its modules, tailored for streamlined Docker/WordPress/Magento/OpenCart setups, prioritizing security, efficiency, and user-friendliness (simple maintenance). Typically, automatic rebuilds are initiated within a few hours of a new nginx release, and if there are no patch conflicts, the results are automatically deployed as packages and Docker images.

The software is provided as-is without commercial support. However, I am willing to address bugs in the build and offer assistance when possible. I don’t use most nginx modules myself; many are included based on requests from readers like you.

We make an effort to align with Debian upstream regularly, updating our package in response to their changes. Additionally, we backport and rebuild these updated packages to older distributions.

Besides the standard Debian package defaults, there’s a streamlined version called nginx-minimal. This lean package focuses on proxying, caching, and FastCGI, with most other static modules turned off. It’s efficient enough to run platforms like WordPress, Magento and OpenCart and supports loading dynamic modules.

Ok, TL;DR: How to install?

With Debian having deprecated the meta-packages “nginx-light, nginx-core, nginx-extras, nginx-full”, the appropriate way to install nginx and its modules is now:

apt-get install nginx
apt-get install libnginx-mod-http-fancyindex

For a full list of modules, see below.

There is a changelog available.
A build log can be found here.
Docker images can be found here. One good tag is eilandert/nginx:deb-php8.3

Features:

  • Latest Mainline in a Debian/Ubuntu package.
  • Removed Debian/Ubuntu branding in server signature.
  • Optimized nginx.conf
  • Additional examples in snippets/
  • Linked against OpenSSL-NGINX — dedicated OpenSSL 3.5 built for webservers: kTLS offload, ec_nistp_64_gcc_128, RDRAND hardware entropy, no legacy ciphers or bloat
  • Added Optimizing TLS over TCP to reduce latency (Cloudflare patch)
  • Added recommended SSL directives, should give A+ on SSL Labs
  • kTLS is available: run modprobe tls and add ssl_conf_command Options KTLS; to the http block
  • Built with AIO and threading support (better performance for e.g. ZFS)
  • Linked against zlib-ng for faster/better data compression (native mode)
  • Compiled with -Ofast and -flto=auto for maximum performance
  • TCP Fast Open support, enable with: sysctl -w net.ipv4.tcp_fastopen=3
  • PageSpeed: separately built PSOL per distro
  • Docker image on Docker Hub (daily rebuilds)
  • The ModSecurity Core Rule Set (CRS, from git) is repackaged on each nginx version update
  • A bundle of lua modules, also repackaged on each nginx version update
  • Patched NGINX and OpenSSL-NGINX to support yielding operations in ssl_session_fetch_by_lua* and ssl_certificate_by_lua*
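
The kTLS and TCP Fast Open items above only take effect when the kernel side is switched on as well. The following is an added example, not part of this repository's scripts, that checks both; the function names are hypothetical, and it assumes a Linux host that exposes /proc/net/tls_stat and /proc/sys/net/ipv4/tcp_fastopen.

```shell
#!/bin/sh
# Added example (not the project's tooling): confirm that the kTLS and TCP
# Fast Open switches from the feature list are live. File paths are parameters
# so the functions can also be run against saved copies.

# Reads an nginx config dump (e.g. `nginx -T`) on stdin. Returns 0 if an
# uncommented "ssl_conf_command Options KTLS;" directive is present.
ktls_directive_active() {
    grep -Eq '^[[:space:]]*ssl_conf_command[[:space:]]+Options[[:space:]]+KTLS[[:space:]]*;'
}

# Prints how many TX sessions were opened with kernel TLS (software plus NIC
# offload). Returns 1 if the stat file is unreadable, which is the case when
# the tls module is not loaded. A value of 0 under live HTTPS traffic means
# the directive is set but connections are not being handed to the kernel.
ktls_tx_sessions() {
    f=${1:-/proc/net/tls_stat}
    [ -r "$f" ] || return 1
    awk '$1 == "TlsTxSw" || $1 == "TlsTxDevice" { n += $2 } END { print n + 0 }' "$f"
}

# net.ipv4.tcp_fastopen is a bitmask: 1 = client, 2 = server, so 3 = both.
# Returns 0 if the server bit is set.
tfo_server_enabled() {
    v=$(cat "${1:-/proc/sys/net/ipv4/tcp_fastopen}" 2>/dev/null) || return 1
    [ $(( ${v:-0} & 2 )) -ne 0 ]
}

feature_report() {
    if nginx -T 2>/dev/null | ktls_directive_active; then
        echo "kTLS directive: present"
    else
        echo "kTLS directive: missing from the nginx configuration"
    fi
    if n=$(ktls_tx_sessions); then
        echo "kTLS TX sessions opened so far: $n"
    else
        echo "kTLS: /proc/net/tls_stat unreadable (tls module not loaded?)"
    fi
    if tfo_server_enabled; then
        echo "TFO: server side enabled"
    else
        echo "TFO: server bit not set in net.ipv4.tcp_fastopen"
    fi
}

# Usage: sh check-features.sh report
if [ "${1:-}" = "report" ]; then feature_report; fi
```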

Extra NGINX modules built from git (dynamic)

Dynamic nginx modules included in the original code base:

  • libnginx-mod-http-geoip – GeoIP HTTP module (legacy MaxMind v1)
  • libnginx-mod-http-image-filter – HTTP image filter module
  • libnginx-mod-http-perl – Perl module for nginx
  • libnginx-mod-http-xslt-filter – XSLT Transformation module
  • libnginx-mod-mail – Mail module (SMTP, IMAP, POP3)
  • libnginx-mod-stream – Stream module (TCP/UDP load balancing)
  • libnginx-mod-stream-geoip – GeoIP stream module (legacy MaxMind v1)

Standalone libraries provided:

Custom scripts:

  • reorder-modules.sh – prioritize certain nginx modules in the correct load order, including Docker support
  • cloudflare.sh – fetch Cloudflare IP ranges for use with CF-Connecting-IP in your vhost

Patches (10 total):

  • 0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch – Keeps the NGX_HTTP_HEADERS function signature identical across all builds so third-party dynamic modules remain ABI-compatible (Debian)
  • 0003-define_gnu_source-on-other-glibc-based-platforms.patch – Defines _GNU_SOURCE on non-Linux glibc platforms where it is not set automatically, preventing missing symbol errors at build time (Debian)
  • nginx-fix-pidfile.patch – Fixes a race condition where nginx could fail to write its PID file on systemd systems during fast restarts (Debian)
  • nginx_dynamic_tls_records.patch – Adaptively sizes TLS records: small records for low latency on new connections, large records for high throughput once the connection is warm (Cloudflare)
  • nginx_hpack.patch – Enables full HPACK response header compression for HTTP/2, reducing header overhead beyond what nginx ships by default (Cloudflare)
  • nginx-ssl_cert_cb_yield.patch – Allows Lua coroutines to yield inside ssl_certificate_by_lua* and ssl_session_fetch_by_lua* callbacks with OpenSSL-NGINX, enabling non-blocking async TLS operations (OpenResty/OpenSSL-NGINX)
  • 1.27.4-zlib-ng.patch – Integrates zlib-ng in native mode so nginx uses SIMD-accelerated gzip/deflate instead of the standard zlib
  • nginx-gzip-const-qualifier-fix.patch – Adds missing C99 const qualifiers to gzip filter code that zlib-ng’s stricter headers require; without this the build fails
  • nginx-proxy-connect-1.29.patch – Applies the ngx_http_proxy_connect_module patch to the nginx 1.29 source tree to enable HTTP CONNECT tunneling
  • myguard-branding.patch – Adds a myguard identifier in the logs on startup and strips version information from HTTP replies

Compile flags (2026 optimizations):

These flags are applied at build time. The Debian defaults (-O2, -O3, -g) are stripped and replaced:

  • -Ofast – Maximum compiler optimisation, more aggressive than -O3. Enables auto-vectorisation and unsafe math shortcuts for best runtime speed.
  • -flto=auto – Link-time optimisation. Allows the compiler to inline and optimise across object file boundaries at link time.
  • -pipe – Use pipes between compiler stages instead of temp files. Faster builds, less disk I/O.
  • -fomit-frame-pointer – Frees up a CPU register for the optimiser. Small but consistent runtime gain on hot paths.
  • -finline-functions – Allows the compiler to inline functions it judges beneficial, reducing call overhead.
  • -fno-strict-aliasing – Disables strict aliasing assumptions. Prevents the optimiser from breaking C pointer casts that nginx legitimately uses.
  • -DNGX_HTTP_HEADERS – Keeps the NGX_HTTP_HEADERS signature stable across all builds. Required for third-party module ABI compatibility.
  • -Wformat -Wformat-security – Warn on format string bugs at compile time. Catches potential security issues before they ship.
  • -D_FORTIFY_SOURCE=3 – Enables runtime buffer overflow detection in libc string functions. Level 3 is stricter than Debian’s default level 2.
  • hardening=+all – Full Debian hardening stack: stack canaries, PIE (position-independent executable), RELRO, and bind-now.
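
The hardening properties in the last three items can be confirmed on the installed binary rather than taken from the build flags. The following is an added example, not part of this repository's scripts, that does so with readelf from binutils; the function names are hypothetical and the path to the nginx binary is passed by the caller.

```shell
#!/bin/sh
# Added example (not the project's tooling): audit an ELF binary for the
# hardening properties listed above. Each check reads readelf text on stdin.

# readelf -h: an executable of type DYN is position-independent (PIE);
# a non-PIE executable reports EXEC.
has_pie() { grep -Eq '^[[:space:]]*Type:[[:space:]]+DYN'; }

# readelf -lW: a GNU_RELRO segment makes relocation data read-only after startup.
has_relro() { grep -q 'GNU_RELRO'; }

# readelf -dW: bind-now shows up as a BIND_NOW entry/flag or as NOW in FLAGS_1.
# Together with GNU_RELRO this is "full RELRO".
has_bind_now() { grep -Eq 'BIND_NOW|FLAGS_1.*NOW'; }

# readelf --dyn-syms -W: stack-protected code imports __stack_chk_fail.
has_canary() { grep -q '__stack_chk_fail'; }

# readelf --dyn-syms -W: count distinct fortified libc entry points
# (__memcpy_chk, __snprintf_chk, ...). This shows that _FORTIFY_SOURCE is
# active; the symbols do not reveal which level was used.
fortified_count() {
    awk '{ n = $8; sub(/@.*/, "", n)
           if (n ~ /^__[a-z0-9_]+_chk$/) seen[n] = 1 }
         END { c = 0; for (k in seen) c++; print c }'
}

# Runs every check against one binary; non-zero if any property is missing.
audit_binary() {
    bin=$1; rc=0
    hdr=$(readelf -hW "$bin") || return 2
    seg=$(readelf -lW "$bin"); dyn=$(readelf -dW "$bin")
    sym=$(readelf --dyn-syms -W "$bin")
    printf '%s\n' "$hdr" | has_pie      || { echo "MISSING: PIE"; rc=1; }
    printf '%s\n' "$seg" | has_relro    || { echo "MISSING: RELRO"; rc=1; }
    printf '%s\n' "$dyn" | has_bind_now || { echo "MISSING: bind-now"; rc=1; }
    printf '%s\n' "$sym" | has_canary   || { echo "MISSING: stack canary"; rc=1; }
    n=$(printf '%s\n' "$sym" | fortified_count)
    [ "$n" -gt 0 ] || { echo "MISSING: fortified libc calls"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: PIE, full RELRO, canary, $n fortified symbols"
    return "$rc"
}

# Usage: sh check-hardening.sh /path/to/nginx
if [ -n "${1:-}" ]; then audit_binary "$1"; fi
```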

Post-Quantum Cryptography (PQC) ready

NGINX and Angie from this repository are compiled against openssl-nginx 3.5, which ships ML-KEM (FIPS 203) as a stable algorithm. A single directive enables hybrid post-quantum key exchange for Chrome, Firefox, and Edge today:

ssl_ecdh_curve X25519MLKEM768:x25519:secp256r1:secp384r1;

See the Post-Quantum TLS configuration guide for the full setup, verification steps, browser support table, and FAQ.