The Docker image is ready to use:
docker run -d --name nginx -p 80:8080/tcp -p 443:8443/tcp -p 443:8443/udp ghcr.io/ammnt/nginx:latest
or
docker run -d --name nginx -p 80:8080/tcp -p 443:8443/tcp -p 443:8443/udp ammnt/nginx:latest
or with Docker Compose deployment:
services:
nginx:
image: ammnt/nginx:latest
user: "101:101"
read_only: true
privileged: false
tmpfs:
- /tmp:mode=1700,size=1G,noexec,nosuid,nodev,uid=101,gid=101
cap_drop:
- all
container_name: nginx
security_opt:
- no-new-privileges:true
- apparmor:docker-nginx
volumes:
- "./conf:/etc/nginx:ro"
- "/etc/timezone:/etc/timezone:ro"
- "/etc/localtime:/etc/localtime:ro"
...
The server-side QIUC support expected in OpenSSL 3.4 has been delayed until the next release: openssl/openssl#25767 (reply in thread)
It is being actively worked on. It is now planned to be released as part of OpenSSL-3.5 which will be out in April 2025.
- Based on latest version of Alpine Linux - low size (~5 MB);
- OpenSSL with HTTP/3 and QUIC support:
https://github.com/openssl/openssl - HTTP/2 with ALPN support;
- TLS 1.3 and 0-RTT support;
- TLS 1.2 and TCP Fast Open (TFO) support;
- Built using hardening GCC flags;
- NJS and Brotli support;
- PCRE with JIT compilation;
- zlib-ng library latest version;
- Rootless master process - unprivileged container;
- Async I/O threads module;
- "Distroless" image - shell removed from the image;
- Removed unnecessary modules;
- Added OCI labels and annotations;
- No excess ENTRYPOINT in the image;
- Slimmed version by Docker Slim tool;
- Scanned efficiency result with Dive tool;
- Scanned by vulnerability scanners: GitHub, Docker Scout, Snyk, Grype, Clair and Syft;
- Prioritize ChaCha cipher patch and anonymous signature - removed "Server" header ("banner"):
https://github.com/ammnt/nginx/blob/main/Dockerfile
Feel free to contact me with more security improvements🙋
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}