My NGINX/Docker recipe

This recipe comes with:

  1. Ubuntu 16.04 LTS
  2. nginx 1.13.6 with all modules compiled statically, except for these which are dynamic:
    1. GeoIP
    2. Image Filter
    3. XSLT
  3. nginScript (ngx_http_js, ngx_stream_js) at the revision pinned by `NJS_VERSION` in the Dockerfile below (0.1.14 as written; keep this list and the Dockerfile in sync when bumping it).
  4. OpenSSL 1.1.1-dev from the tls1.3-draft-18 branch, adding TLSv1.3 draft 18. Caveat: this is a pre-standard draft on an unreleased development branch. It only negotiates TLS 1.3 with clients that implement the same draft number, and a development branch does not receive the security back-ports that OpenSSL's stable releases get, so rebuild the image regularly and expect to replace this branch once TLS 1.3 is finalized.
  5. Google patch: Brotli compression (generally denser output than gzip at comparable speed).
  6. CloudFlare patch: Dynamic TLS records (reducing TLS latency).
  7. CloudFlare patch: re-introduction of SPDY/3.1 (for the mobile clients that still speak SPDY but not HTTP/2). Upstream nginx dropped SPDY, which is why this is a patch; keep it enabled only while you actually observe such clients.
  8. CloudFlare patch: HTTP/2 HPACK header compression. HPACK is designed to resist compression-oracle attacks of the CRIME family, which is why HTTP/2 does not simply gzip headers.
  9. NOT with Lua: at the time of writing OpenResty's lua-nginx-module did not yet build against nginx 1.13.

The actual Dockerfile

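# Base image. The tag is pinned, but a tag is mutable: for a reproducible,
# auditable build add the digest (`ubuntu:16.04@sha256:...`) taken from the
# registry at the time you last rebuilt and scanned this image.
FROM    ubuntu:16.04

# Versions of the two GPG/tag-pinned components. Kept as ENV (not ARG) on
# purpose so `docker inspect` of a running container shows what it was built
# from; `key=value` is the non-deprecated ENV form.
ENV     NGINX_VERSION=1.13.6
ENV     NJS_VERSION=0.1.14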

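# Single layer: fetch, verify, build, install and clean up, so that neither the
# sources nor the compiler survive into the final image (a later `rm` would not
# shrink an earlier layer).
#
# Trust model of this layer:
#   - the nginx tarball is verified against a detached signature made by the
#     key whose full fingerprint is pinned in GPG_KEYS, so it does not matter
#     that some of the keyservers below are reached over plain HTTP;
#   - everything else (OpenSSL draft branch, CloudFlare patches, ngx_brotli,
#     headers-more, njs) is fetched over TLS but is NOT signature- or
#     hash-checked, and the git clones follow mutable branch heads.
#     NOTE(review): pin those to a tag or commit and verify them before using
#     this image for anything sensitive.
RUN     GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \
        && apt-get update \
        && apt-get upgrade -y \
        && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
                build-essential \
                ca-certificates \
                cron \
                curl \
                geoip-bin \
                git \
                libgd-dev \
                libgeoip-dev \
                libpcre3-dev \
                libperl-dev \
                libxslt1-dev \
                mercurial \
                supervisor \
                unattended-upgrades \
                unzip \
                zlib1g-dev \
# cron, supervisor and unattended-upgrades are installed but nothing in this
# Dockerfile starts them (CMD runs nginx alone) -- presumably they are driven by
# config outside this file; verify, and drop them if not, as each is extra
# attack surface in the runtime image.
        && git clone https://github.com/openssl/openssl.git -b tls1.3-draft-18 --single-branch /usr/src/openssl-tls1.3-draft-18 \
# `-f` makes curl fail on HTTP errors instead of saving an error page as the
# tarball; the stray `-l` of the original (FTP list-only) did nothing.
        && curl -fsSL https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz -o /nginx.tar.gz \
        && curl -fsSL https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz.asc -o /nginx.tar.gz.asc \
# Throw-away keyring so only the pinned key is ever consulted for verification.
        && export GNUPGHOME="$(mktemp -d)" \
        && found=''; \
        for server in \
                ha.pool.sks-keyservers.net \
                hkp://keyserver.ubuntu.com:80 \
                hkp://p80.pool.sks-keyservers.net:80 \
                pgp.mit.edu \
        ; do \
                echo "Fetching GPG key $GPG_KEYS from $server"; \
                gpg --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$GPG_KEYS" && found=yes && break; \
        done; \
        test -z "$found" && echo >&2 "error: failed to fetch GPG key $GPG_KEYS" && exit 1; \
# A failed verification short-circuits the rest of the chain and fails the build.
        gpg --batch --verify /nginx.tar.gz.asc /nginx.tar.gz \
        && rm -r "$GNUPGHOME" /nginx.tar.gz.asc \
        && tar -zxC /usr/src -f /nginx.tar.gz \
        && rm /nginx.tar.gz \
        && cd /usr/src/nginx-$NGINX_VERSION \
# Patches are downloaded to files first and only then applied: under /bin/sh
# (no pipefail) `curl | patch` takes patch's exit status, so a 404 or a
# truncated download could silently leave the tree unpatched.
        && curl -fsSL https://raw.githubusercontent.com/cloudflare/sslconfig/master/patches/nginx__1.13.0_http2_spdy.patch -o /tmp/http2_spdy.patch \
        && curl -fsSL https://raw.githubusercontent.com/cloudflare/sslconfig/master/patches/nginx__1.11.5_dynamic_tls_records.patch -o /tmp/dynamic_tls_records.patch \
        && patch -p1 < /tmp/http2_spdy.patch \
        && patch -p1 < /tmp/dynamic_tls_records.patch \
        && rm /tmp/http2_spdy.patch /tmp/dynamic_tls_records.patch \
# Clone njs over TLS; the original used plain http, which allowed the
# checkout to be altered in transit.
        && hg clone https://hg.nginx.org/njs -r ${NJS_VERSION} /usr/src/nginx-njs \
        && git clone --depth=1 --recurse-submodules https://github.com/google/ngx_brotli /usr/src/ngx_brotli \
        && git clone --depth=1 https://github.com/openresty/headers-more-nginx-module /usr/src/ngx_headers_more \
        && ./configure \
                --prefix=/etc/nginx \
                --sbin-path=/usr/sbin/nginx \
                --conf-path=/etc/nginx/nginx.conf \
                --error-log-path=/var/log/nginx/error.log \
                --http-log-path=/var/log/nginx/access.log \
                --pid-path=/var/run/nginx.pid \
                --lock-path=/var/run/nginx.lock \
                --http-client-body-temp-path=/var/cache/nginx/client_temp \
                --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
                --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
                --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
                --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
# Worker processes drop to this user; the master stays root to bind 80/443.
                --user=www-data \
                --group=www-data \
# Hardening flags: stack protector, FORTIFY_SOURCE, format-string errors.
# `-g` is harmless here because the binaries are stripped below. PIE is not
# added since nginx's configure applies cc/ld options to the dynamic modules
# as well, where `-pie` would be wrong.
                --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' \
# Full RELRO (`-z,now` in addition to `-z,relro`) makes the GOT read-only
# after load, removing a classic overwrite target.
                --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed' \
                --with-openssl=/usr/src/openssl-tls1.3-draft-18 \
# Legacy ciphers/protocols disabled at build time; SSLv3 is not compiled in.
                --with-openssl-opt='no-idea no-mdc2 no-rc5 no-zlib no-ssl3 enable-tls1 enable-tls1_1 enable-tls1_2 enable-tls1_3 enable-ec_nistp_64_gcc_128' \
                --with-http_ssl_module \
                --with-http_realip_module \
                --with-http_addition_module \
                --with-http_sub_module \
                --with-http_dav_module \
                --with-http_flv_module \
                --with-http_mp4_module \
                --with-http_gunzip_module \
                --with-http_gzip_static_module \
                --with-http_random_index_module \
                --with-http_secure_link_module \
                --with-http_stub_status_module \
                --with-http_auth_request_module \
                --with-http_xslt_module=dynamic \
                --with-http_image_filter_module=dynamic \
                --with-http_geoip_module=dynamic \
                --with-http_perl_module=dynamic \
                --with-threads \
                --with-stream \
                --with-stream_ssl_module \
                --with-stream_ssl_preread_module \
                --with-stream_realip_module \
                --with-stream_geoip_module=dynamic \
                --with-http_slice_module \
                --with-mail \
                --with-mail_ssl_module \
                --with-compat \
                --with-file-aio \
                --with-http_v2_module \
                --with-http_spdy_module \
                --add-dynamic-module=/usr/src/nginx-njs/nginx \
                --add-dynamic-module=/usr/src/ngx_brotli \
                --add-dynamic-module=/usr/src/ngx_headers_more \
        && make -j$(getconf _NPROCESSORS_ONLN) \
        && make install \
        && mkdir /var/cache/nginx \
        && rm -rf /etc/nginx/html/ \
        && mkdir /etc/nginx/conf.d/ \
        && mkdir -p /usr/share/nginx/html/ \
        && install -m644 html/index.html /usr/share/nginx/html/ \
        && install -m644 html/50x.html /usr/share/nginx/html/ \
        && strip /usr/sbin/nginx* \
        && strip /etc/nginx/modules/*.so \
# Remove the toolchain and -dev headers again; runtime shared libraries stay.
        && apt-get autoremove -y --purge \
                build-essential \
                curl \
                git \
                mercurial \
                libpcre3-dev \
                libgd-dev \
                libgeoip-dev \
                zlib1g-dev \
                libxslt1-dev \
                unzip \
        && apt-get clean \
        && apt-get autoclean \
        && echo -n > /var/lib/apt/extended_states \
        && rm -rf \
                /usr/src/nginx-$NGINX_VERSION \
                /usr/src/openssl-tls1.3-draft-18 \
                /usr/src/nginx-njs \
                /usr/src/ngx_* \
                /usr/share/man/?? \
                /usr/share/man/??_* \
                /var/lib/apt/lists/* \
# Send logs to the container's stdout/stderr so nothing accumulates on disk.
        && ln -sf /dev/stdout /var/log/nginx/access.log \
        && ln -sf /dev/stderr /var/log/nginx/error.log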

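# Main config plus a catch-all vhost that refuses requests for unknown hosts,
# so the image serves nothing by default until a real site config is added.
COPY    files/nginx.conf                /etc/nginx/nginx.conf
COPY    files/nginx.vh.no-default.conf  /etc/nginx/conf.d/no-default.conf

# Documentation only; ports still have to be published at `docker run`.
EXPOSE  80 443

# SIGQUIT asks nginx for a graceful shutdown (finish in-flight requests);
# SIGTERM, which the original used, is nginx's fast shutdown and drops them.
STOPSIGNAL SIGQUIT

# Exec form keeps the nginx master as PID 1 so it receives the stop signal.
CMD ["nginx", "-g", "daemon off;"]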