nginx modules optimized (mainline)

The goal is to have a full-fledged proxy/webserver with nginx modules for my minimally configured lxc/docker/wordpress/magento/opencart instances while keeping security, performance and usability (easy to maintain) in mind. Usually automatic rebuilds occur within hours after a new NGINX release; if there is no patch conflict they will be automatically uploaded.

There is no (commercial) support, software is as it comes. But I am happy to fix bugs in my build or help out if I have the time. I don’t personally use all nginx modules, since most are requested by readers like you. If you need an nginx module, please let me know, I am happy to extend this stack. Any other tips are welcome too.

In Debian/Ubuntu there are 3 flavours to choose from, nginx-light, nginx-core or nginx-extras. A reasonable default is nginx-core. After installing one of the three you can install individual nginx modules with apt-get:

apt-get install nginx-light
apt-get install libnginx-mod-http-fancyindex

There is also nginx-full, which is nginx-extras but with all the modules available installed.

For those who don’t want all the extra bells in this repo, there is an Ubuntu Launchpad
Docker images (including PHP) can be found on Docker Hub

The changelog is in the support forum.
Here is some reading material regarding NGINX
Please see this page on how to set up apt-get.

Please remove unused nginx modules from /etc/nginx/modules-enabled; it can speed things up

Features:

  • Latest Mainline
  • Removed debian/ubuntu branding in server signature
  • Optimized nginx.conf
  • Linked all builds against the latest OpenSSL so there is ALPN and TLS 1.3 support
  • Added recommended SSL directives, should give A+ on SSLLABS
  • Now with OpenSSL3-quictls, add http://deb.myguard.nl/openssl3 to your apt sources or install myguard.deb
  • kTLS is available, use “modprobe tls” and add “ssl_conf_command Options KTLS;” to the http{ } block
  • Built with AIO + threading support (better performance for e.g. ZFS)
  • Compiled with -O3 -flto to squeeze out a few percent extra performance.
  • Compiled with TFO (TCP Fast Open), use sysctl -w net.ipv4.tcp_fastopen=3 to enable
  • Added HTTP/2 HPACK encoding support (Cloudflare patch)
  • Added Optimizing TLS over TCP to reduce latency (Cloudflare patch)
    (please add ssl_dyn_rec_enable on; to the http{} block)
  • Linked against zlib-ng for faster/better data compression (native mode)
  • Added additional bots/security/hardening/proxy examples in snippets/
    (Some of the snippets are inspired by https://calomel.org/nginx.html)
  • Pagespeed: Separately built PSOL (PageSpeed Optimization Library) per distro
  • Docker image is on the docker hub (daily rebuilds)
  • The modsecurity core ruleset (crs, from git) is repackaged on each nginx version update.
  • A couple of Lua modules, also repackaged on each nginx version update

Custom scripts:

  • reorder-modules.sh – prioritize certain nginx modules so they load in the right order
  • cloudflare.sh – Get the Cloudflare IP ranges for use in a vhost include together with CF-Connecting-IP
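As an added illustration (not a file from this repository), here is a minimal http{} block that wires together the build features listed above (kTLS, dynamic TLS records, TCP Fast Open, AIO threads, the recommended TLS settings) with the Cloudflare real-IP include that cloudflare.sh is meant to feed. The certificate paths, the example.com names and the 192.0.2.0/24 range are placeholders I made up; replace the range with Cloudflare's published IP lists.

```nginx
# Added example: minimal http{} block using the features of this build.
# Not a file from this repository; paths, hostnames and the 192.0.2.0/24
# range are placeholders.
#
# Kernel prerequisites (run as root, once):
#   modprobe tls                          # kTLS
#   sysctl -w net.ipv4.tcp_fastopen=3     # TCP Fast Open, client + server side

http {
    sendfile        on;
    aio             threads;        # AIO + thread pool (this build is compiled with both)

    # TLS settings from the "recommended SSL directives"
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout       1d;
    ssl_session_cache         shared:SSL:10m;
    ssl_session_tickets       off;

    # Build-specific TLS features
    ssl_conf_command    Options KTLS;  # kernel TLS via OpenSSL 3 (needs "modprobe tls")
    ssl_dyn_rec_enable  on;            # dynamic TLS record sizing (Cloudflare patch)

    # Trust CF-Connecting-IP only when the connection comes from Cloudflare.
    # cloudflare.sh generates the set_real_ip_from lines; placeholder shown here.
    set_real_ip_from  192.0.2.0/24;    # placeholder: replace with Cloudflare ranges
    real_ip_header    CF-Connecting-IP;

    server {
        listen 443 ssl fastopen=256;   # TFO queue length; needs the sysctl above
        http2  on;                     # nginx 1.25.1+ syntax
        server_name example.com;       # placeholder

        ssl_certificate     /etc/ssl/certs/example.com.pem;      # placeholder
        ssl_certificate_key /etc/ssl/private/example.com.key;    # placeholder

        add_header Strict-Transport-Security "max-age=63072000" always;

        location / {
            root /var/www/html;
        }
    }
}
```

The set_real_ip_from list is the security-relevant part: the realip module only honours CF-Connecting-IP from the listed source addresses, so a client that reaches nginx directly cannot forge the header and show up in logs or access rules as an arbitrary address. Keep that list current, and check the result with `nginx -t` before reloading.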

Standalone Libraries provided:

  • libmodsecurity3 – v3 library component for use with the NGINX connector
  • modsecurity-crs – OWASP ModSecurity Core Rule Set
  • libjemalloc2 – You need the one on my repo, it’s built for NGINX
  • libz-ng2 – zlib data compression library for the next generation systems (native mode)
  • lua-resty – A bundle of most used lua modules for libnginx-mod-http-lua
  • lua-resty-core – New FFI-based Lua API for ngx_http_lua_module and/or ngx_stream_lua_module (openresty)
  • lua-resty-lrucache – Lua-land LRU cache based on the LuaJIT FFI. (openresty)

Extra NGINX modules built from git

Including nginx modules in the original code base:

  • libnginx-mod-http-geoip – GeoIP Stream module (you need to install nginx-extras)
  • libnginx-mod-http-image-filter – HTTP image filter module
  • libnginx-mod-http-perl – Perl module for Nginx
  • libnginx-mod-http-xslt-filter – XSLT Transformation module
  • libnginx-mod-mail – Mail module (you need to install nginx-extras)
  • libnginx-mod-stream – Stream module
  • libnginx-mod-stream-geoip – GeoIP Stream module

Patches:

  • 0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch (debian)
  • 0003-define_gnu_source-on-other-glibc-based-platforms.patch (debian)
  • CVE-2019-20372.patch (debian)
  • nginx-fix-pidfile.patch (debian)
  • nginx__1.19.4_dynamic_tls_records.patch (cloudflare)
  • nginx_hpack_push_1.19.0.patch (cloudflare)
  • nginx-1.21.4-resolver_conf_parsing.patch (openresty)
  • nginx-1.21.4-ssl_cert_cb_yield.patch (openresty)
  • zlib-ng.patch (zlibng)