- Based on latest NGINX mainline version
- HTTP/3 and QUIC support, powered by nginx-quic
- Brotli support, powered by ngx_brotli
- Headers More support, powered by ngx_headers_more
- GeoIP2 support, powered by ngx_http_geoip2_module
- OCSP stapling support, powered by this patch
- Use BoringSSL, Cloudflare's zlib and jemalloc
- Remove mountains of useless modules to improve performance
Download nginx.deb package from releases, then install it with the following command.
apt install ./nginx.debDue to usage of BoringSSL instead of OpenSSL, some directives may not work, e.g. ssl_conf_command. Besides, direct OCSP stapling via ssl_stapling on; ssl_stapling_verify on; does not work too. You should use ssl_stapling on; ssl_stapling_file /path/to/ocsp;.
- All modules that are not built by default, except
http_ssl_moduleandhttp_v2_module http_access_modulehttp_autoindex_modulehttp_browser_modulehttp_charset_modulehttp_empty_gif_modulehttp_limit_conn_modulehttp_memcached_modulehttp_mirror_modulehttp_referer_modulehttp_split_clients_modulehttp_scgi_modulehttp_ssi_modulehttp_upstream_hash_modulehttp_upstream_ip_hash_modulehttp_upstream_keepalive_modulehttp_upstream_least_conn_modulehttp_upstream_random_modulehttp_upstream_zone_modulehttp_userid_modulehttp_uwsgi_module
Fork this repo, enable GitHub Actions, edit Dockerfile and change bookworm to the one you like (e.g. bullseye). Then wait for GitHub Actions to run. After it finishes, you can download from releases.
Fork this repo, enable GitHub Actions, edit build.sh and find the modules you want. Then remove related parameters and wait for GitHub Actions to run. After it finishes, you can download from releases.
For example, if you want to add http_uwsgi_module, you need to change sed -i 's|--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp ||g' rules to sed -i 's|--http-scgi-temp-path=/var/cache/nginx/scgi_temp ||g' rules, and change sed -i 's|--with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module|--with-http_v3_module --without-select_module --without-poll_module --without-http_access_module --without-http_autoindex_module --without-http_browser_module --without-http_charset_module --without-http_empty_gif_module --without-http_limit_conn_module --without-http_memcached_module --without-http_mirror_module --without-http_referer_module --without-http_split_clients_module --without-http_scgi_module --without-http_ssi_module --without-http_upstream_hash_module --without-http_upstream_ip_hash_module --without-http_upstream_keepalive_module --without-http_upstream_least_conn_module --without-http_upstream_random_module --without-http_upstream_zone_module --without-http_userid_module --without-http_uwsgi_module|g' rules to sed -i 's|--with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module|--with-http_v3_module --without-select_module --without-poll_module --without-http_access_module --without-http_autoindex_module --without-http_browser_module --without-http_charset_module --without-http_empty_gif_module --without-http_limit_conn_module --without-http_memcached_module --without-http_mirror_module --without-http_referer_module --without-http_split_clients_module --without-http_scgi_module --without-http_ssi_module --without-http_upstream_hash_module --without-http_upstream_ip_hash_module --without-http_upstream_keepalive_module --without-http_upstream_least_conn_module --without-http_upstream_random_module --without-http_upstream_zone_module --without-http_userid_module|g' rules.
http {
aio threads;
aio_write on;
brotli on;
brotli_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;
directio 1m;
etag off;
gzip on;
gzip_comp_level 6;
gzip_http_version 1.0;
gzip_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;
gzip_vary on;
if_modified_since before;
msie_padding off;
quic_gso on;
quic_retry on;
reset_timedout_connection on;
resolver 127.0.0.1; # change to your DNS resolver
sendfile on;
server_tokens off;
ssl_certificate /path/to/cert_plus_intermediate;
ssl_certificate_key /path/to/key;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305; # change ECDSA to RSA if you use RSA certificate
ssl_early_data on;
ssl_ecdh_curve X25519:P-256:P-384;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_stapling on;
ssl_stapling_file /path/to/ocsp; # generate by `openssl ocsp -no_nonce -issuer /path/to/intermediate -cert /path/to/cert -url "$(openssl x509 -in /path/to/cert -noout -ocsp_uri)" -respout /path/to/ocsp`
tcp_nopush on;
server {
listen 80 reuseport;
listen [::]:80 reuseport; # delete these lines if ipv6 is unavailable
return 444;
}
server {
listen 443 reuseport ssl http2;
listen [::]:443 reuseport ssl http2;
listen 443 reuseport http3;
listen [::]:443 reuseport http3;
ssl_reject_handshake on;
}
server {
listen 80;
listen [::]:80;
server_name example.com dynamic.example.com php.example.com www.example.com;
return 308 https://$host$request_uri;
}
server { # example for static site
listen 443;
listen [::]:443;
listen 443 http3;
listen [::]:443 http3;
server_name example.com;
root /path/to/static/site;
add_header Alt-Svc 'h3=":443"; ma=3600'; # tweak `ma` time as your own need
}
server { # example for dynamic site
listen 443;
listen [::]:443;
listen 443 http3;
listen [::]:443 http3;
server_name dynamic.example.com;
add_header Alt-Svc 'h3=":443"; ma=3600';
location / {
proxy_pass http://ip:port;
}
}
server { # example for dynamic site with php
listen 443;
listen [::]:443;
listen 443 http3;
listen [::]:443 http3;
server_name php.example.com;
root /path/to/php/site;
index index.php;
add_header Alt-Svc 'h3=":443"; ma=3600';
location ~ ^.+\.php$ {
include fastcgi_params;
fastcgi_param HTTP_PROXY '';
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/path/to/php/sock;
}
}
server {
listen 443;
listen [::]:443;
listen 443 http3;
listen [::]:443 http3;
server_name www.example.com;
add_header Alt-Svc 'h3=":443"; ma=3600';
return 308 https://example.com$request_uri;
}
}