{"id":34717939,"url":"https://github.com/ammnt/freenginx","last_synced_at":"2026-02-11T07:19:22.822Z","repository":{"id":231764695,"uuid":"779946479","full_name":"ammnt/freenginx","owner":"ammnt","description":"Distroless FreeNGINX with HTTP/3, QUIC and PQC support🚀","archived":false,"fork":false,"pushed_at":"2026-02-07T12:16:35.000Z","size":603,"stargazers_count":12,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-02-07T17:43:45.364Z","etag":null,"topics":["0-rtt","alpine","distroless","docker","fastopen","fork","freenginx","hardened","http2","http3","https","nginx","openssl","pqc","quic","rootless","tls","unprivileged","web"],"latest_commit_sha":null,"homepage":"https://msftcnsi.com/","language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ammnt.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-03-31T08:35:37.000Z","updated_at":"2026-02-07T12:16:39.000Z","dependencies_parsed_at":"2024-04-05T20:25:05.592Z","dependency_job_id":"b0b8405c-7280-47a3-9483-ae2bd2192018","html_url":"https://github.com/ammnt/freenginx","commit_stats":null,"previous_names":["ammnt/freenginx"],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/ammnt/freenginx","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ammnt%2Ffreenginx","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
repositories/ammnt%2Ffreenginx/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ammnt%2Ffreenginx/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ammnt%2Ffreenginx/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ammnt","download_url":"https://codeload.github.com/ammnt/freenginx/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ammnt%2Ffreenginx/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29329492,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-11T06:13:03.264Z","status":"ssl_error","status_checked_at":"2026-02-11T06:12:55.843Z","response_time":97,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["0-rtt","alpine","distroless","docker","fastopen","fork","freenginx","hardened","http2","http3","https","nginx","openssl","pqc","quic","rootless","tls","unprivileged","web"],"created_at":"2025-12-25T01:16:57.916Z","updated_at":"2026-02-11T07:19:22.817Z","avatar_url":"https://github.com/ammnt.png","language":"Dockerfile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🚀 Distroless FreeNGINX: Hardened \u0026 Optimized 
image\n\n[![CI/CD](https://github.com/ammnt/freenginx/actions/workflows/build.yml/badge.svg)](https://github.com/ammnt/freenginx/actions/workflows/build.yml)\n![Version](https://img.shields.io/github/v/release/ammnt/freenginx)\n[![GitHub stars](https://img.shields.io/github/stars/ammnt/freenginx.svg)](https://github.com/ammnt/freenginx/stargazers)\n![Feature](https://img.shields.io/badge/feature-distroless-blue)\n[![GitHub issues open](https://img.shields.io/github/issues/ammnt/freenginx.svg)](https://github.com/ammnt/freenginx/issues)\n![GitHub Maintained](https://img.shields.io/badge/open%20source-yes-orange)\n![GitHub Maintained](https://img.shields.io/badge/maintained-yes-yellow)\n\n\u003e **Production-ready, security-focused FreeNGINX image with HTTP/3, QUIC and PQC support.**\n\n\u003e [!IMPORTANT]\n\u003e QuicTLS is now deprecated. I use OpenSSL, since this library natively supports OCSP, PQC and QUIC⚠️\n\n\u003e [!IMPORTANT]\n\u003e NJS module has been removed due to security vulnerabilities in libxml2/libxslt dependencies⚠️\n\n\u003e [!TIP]\n\u003e You can find an example [configuration file](example.conf) in the repository for successfully configuring HTTP/3 and PQC💡\n\n\u003e [!IMPORTANT]\n\u003e UID/GID changed to 10001 - it's [recommended](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for Kubernetes and prevents conflicts with system users⚠️\n\n## 🌐 Image Variants\n\nDocker Hub:\u003cbr\u003e\n\u003e **ammnt/freenginx:latest**\n\nGitHub Container Registry:\u003cbr\u003e\n\u003e **ghcr.io/ammnt/freenginx:latest**\n\n## 📦 Quick Start\n\n### Docker Run\n```bash\ndocker run -d \\\n  --name freenginx \\\n  -p 80:8080 \\\n  -p 443:8443 \\\n  ammnt/freenginx:latest\n```\n\n## 🔧 Advanced Configuration\n\n## 🎯 Recommended to use in Rootless mode:\u003cbr\u003e\nhttps://docs.docker.com/engine/security/rootless/\n\n### Docker Compose (Recommended)\n```yaml\nservices:\n  freenginx:\n    image: ammnt/freenginx:latest\n    user: 
\"10001:10001\"\n    read_only: true\n    privileged: false\n    tmpfs:\n     - /tmp:mode=1700,size=1G,noexec,nosuid,nodev,uid=10001,gid=10001\n    cap_drop:\n     - all\n    container_name: freenginx\n    security_opt:\n      - no-new-privileges=true\n      - apparmor=docker-freenginx\n      - seccomp=./freenginx-seccomp.json\n    volumes:\n      - \"./conf:/etc/freenginx:ro\"\n...\n```\n\n### Example Deployment (PSS Restricted Level Compliant)\n```yaml\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: freenginx-pss-restricted\nspec:\n  selector:\n    matchLabels:\n      app: freenginx  # example label, not from the original manifest\n  template:\n    metadata:\n      labels:\n        app: freenginx\n    spec:\n      containers:\n      - name: freenginx\n        image: ammnt/freenginx:latest\n        securityContext:\n          capabilities:\n            drop:\n              - ALL\n          privileged: false\n          runAsUser: 10001\n          runAsGroup: 10001\n          seccompProfile:\n            type: RuntimeDefault\n          runAsNonRoot: true\n          readOnlyRootFilesystem: true\n          allowPrivilegeEscalation: false\n...\n```\n\n## 🔥 Why Choose This Image?\n\n### **GCC hardened compilation suite (-fhardened) providing comprehensive security:**\n- **Memory protection** - stack smashing protection, stack clash protection\n- **Control Flow Integrity** - full CFI protection against ROP/JOP attacks (Intel CET)\n- **Initialization hardening** - automatic zero-initialization to prevent data leaks\n- **Binary hardening** - position-independent executables (PIE) for ASLR (PaX ASLR, Linux kernel ASLR)\n- **Runtime protections** - FORTIFY_SOURCE level 3 for buffer overflow detection\n- **C++ assertions** - enhanced standard library security checks\n- **Linker hardening** - read-only relocations and immediate binding (ELF hardening, RELRO)\n\n### **Runtime Security**\n- **Rootless by design** - unprivileged runtime user (Docker Bench Security, OCI Runtime Specification)\n- **Distroless base** - built from `scratch` with zero bloat (SLSA Level 3 requirements)\n- **Minimal attack surface** - no shell, no package manager and no unnecessary modules (CIS Docker Benchmark, Principle of Least 
Privilege)\n- **Server header removal** - anonymous signature (\"security through obscurity\")\n- **Kubernetes PSS compliant** - fully conforms to Pod Security Standards (baseline \u0026 restricted)\n- **Docker security standards** - follows CIS Docker Benchmarks and best practices\n- **Native QUIC and HTTP/3 support** - OpenSSL and QUIC without patches or experimental implementations (RFC 9114, RFC 9000)\n- **Native PQC support** - hybrid post-quantum key exchange algorithms in elliptic curves (NIST PQC Standardization, FIPS 203/204/205)\n- **Native TLS 1.3 with 0-RTT** (RFC 8446, RFC 9001)\n\n### **Supply Chain Integrity**\n- **Signed images** - signatures and **provenance attestation** (SLSA Level 3 requirements, in-toto attestations)\n- **Comprehensive scanning** by security tools (Scout, Trivy, Snyk, Grype, Dockle, Hadolint)\n- **SBOM generation** with Syft (NTIA Software Component Transparency)\n\n## 🚀 Ultimate Optimization\n\n### **Size Optimization**\n- **Multi-stage build** with Alpine builder + scratch final image (Dockerfile best practices, BuildKit optimizations)\n- **Static compilation** - static binary with minimal dependencies\n- **Mint tool integration** - slimmed version of the image\n- **UPX runtime efficiency** - minimal memory overhead with fast decompression (Executable compression)\n- **Binary stripping** and **LTO optimization** (DWARF debugging standard)\n\n### **Performance Features**\n- **zlib-ng** with modern compression algorithms (RFC 1950, RFC 1951, RFC 1952)\n- **PCRE2 with JIT** compilation for regex performance\n- **Thread pool support** for async I/O operations\n- **TCP Fast Open** and **SSL session resumption** (RFC 7413, RFC 8446)\n- **Graceful shutdown** - SIGQUIT handling for proper connection draining (RFC 7230)\n- **Brotli** and **ZSTD** compression mechanisms support (RFC 7932, RFC 8878)\n- **Native TLS compression** - support for certificate compression (RFC 8879)\n\n### **Quality Metrics**\n- **Image efficiency** - perfect 
score in Dive analysis (100%)\n- **Comprehensive OCI labels** - standardized metadata and annotations\n- **No excess ENTRYPOINT** - no unnecessary wrapper scripts or bloat (12-factor app methodology, Cloud Native patterns)\n- **Built-in HEALTHCHECK** - Configuration validation every 30s with 3s timeout (Docker HEALTHCHECK specification)\n\n## 🤝 Contributing \u0026 Support\n\nFound an issue or have an improvement?\n- [Open an Issue](https://github.com/ammnt/freenginx/issues/new?template=bug_report.md)\n- [Feature Request](https://github.com/ammnt/freenginx/issues/new?template=feature_request.md)\n\n\u003e **Note:** This image is designed for security-conscious production environments. For development purposes, consider using the official FreeNGINX image with full debugging capabilities.\n\n## 📄 License\n\nThis project is open source and maintained with ❤️ by [ammnt](https://msftcnsi.com).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fammnt%2Ffreenginx","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fammnt%2Ffreenginx","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fammnt%2Ffreenginx/lists"}