{"id":34711711,"url":"https://github.com/ammnt/nginx","last_synced_at":"2026-04-02T15:33:00.830Z","repository":{"id":133838732,"uuid":"607754479","full_name":"ammnt/nginx","owner":"ammnt","description":"Distroless NGINX with HTTP/3, QUIC and PQC support🚀","archived":false,"fork":false,"pushed_at":"2026-03-09T09:41:30.000Z","size":747,"stargazers_count":13,"open_issues_count":1,"forks_count":2,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-09T13:31:00.317Z","etag":null,"topics":["0-rtt","alpine","alpn","chacha","chacha20-poly1305","distroless","docker","fastopen","http2","http3","https","ktls","mainline","nginx","openssl","pqc","quic","rootless","tls","unprivileged"],"latest_commit_sha":null,"homepage":"https://msftcnsi.com","language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ammnt.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-02-28T16:00:24.000Z","updated_at":"2026-03-07T14:01:34.000Z","dependencies_parsed_at":"2026-03-09T11:06:33.395Z","dependency_job_id":null,"html_url":"https://github.com/ammnt/nginx","commit_stats":null,"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"purl":"pkg:github/ammnt/nginx","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ammnt%2Fnginx","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ammnt%2Fnginx/tags","releases_url":"https://
repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ammnt%2Fnginx/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ammnt%2Fnginx/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ammnt","download_url":"https://codeload.github.com/ammnt/nginx/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ammnt%2Fnginx/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30615539,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-17T04:46:40.957Z","status":"ssl_error","status_checked_at":"2026-03-17T04:46:32.538Z","response_time":56,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["0-rtt","alpine","alpn","chacha","chacha20-poly1305","distroless","docker","fastopen","http2","http3","https","ktls","mainline","nginx","openssl","pqc","quic","rootless","tls","unprivileged"],"created_at":"2025-12-25T00:22:32.764Z","updated_at":"2026-04-02T15:33:00.807Z","avatar_url":"https://github.com/ammnt.png","language":"Dockerfile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🚀 Distroless NGINX: Hardened \u0026 Optimized 
image\n\n[![CI/CD](https://github.com/ammnt/nginx/actions/workflows/build.yml/badge.svg)](https://github.com/ammnt/nginx/actions/workflows/build.yml)\n![Version](https://img.shields.io/github/v/release/ammnt/nginx)\n[![GitHub stars](https://img.shields.io/github/stars/ammnt/nginx.svg)](https://github.com/ammnt/nginx/stargazers)\n![Feature](https://img.shields.io/badge/feature-distroless-blue)\n[![GitHub issues open](https://img.shields.io/github/issues/ammnt/nginx.svg)](https://github.com/ammnt/nginx/issues)\n![GitHub Maintained](https://img.shields.io/badge/open%20source-yes-orange)\n![GitHub Maintained](https://img.shields.io/badge/maintained-yes-yellow)\n\n\u003e **Production-ready, security-focused NGINX image with HTTP/3, QUIC and PQC support.**\n\n\u003e [!IMPORTANT]\n\u003e QuicTLS is now deprecated. I use OpenSSL, since this library natively supports OCSP, PQC and QUIC⚠️\n\n\u003e [!IMPORTANT]\n\u003e NJS module has been removed due to security vulnerabilities in libxml2/libxslt dependencies⚠️\n\n\u003e [!TIP]\n\u003e You can find an example [configuration file](example.conf) in the repository for successfully configuring HTTP/3 and PQC💡\n\n\u003e [!IMPORTANT]\n\u003e UID/GID changed to 10001 - it's [recommended](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for Kubernetes and prevents conflicts with system users⚠️\n\n## 🌐 Image Variants\n\nDocker Hub:\u003cbr\u003e\n\u003e **ammnt/nginx:latest**\n\nGitHub Container Registry:\u003cbr\u003e\n\u003e **ghcr.io/ammnt/nginx:latest**\n\n## 📦 Quick Start\n\n### Docker Run\n```bash\ndocker run -d \\\n  --name nginx \\\n  -p 80:8080 \\\n  -p 443:8443 \\\n  ammnt/nginx:latest\n```\n\n## 🔧 Advanced Configuration\n\n## 🎯 Recommended to use in Rootless mode:\u003cbr\u003e\nhttps://docs.docker.com/engine/security/rootless/\n\n### Docker Compose (Recommended)\n```yaml\nservices:\n  nginx:\n    image: ammnt/nginx:latest\n    user: \"10001:10001\"\n    read_only: true\n    privileged: false\n   
 tmpfs:\n     - /tmp:mode=1700,size=1G,noexec,nosuid,nodev,uid=10001,gid=10001\n    cap_drop:\n     - all\n    container_name: nginx\n    security_opt:\n      - no-new-privileges=true\n      - apparmor=docker-nginx\n      - seccomp=./nginx-seccomp.json\n    volumes:\n      - \"./conf:/etc/nginx:ro\"\n...\n```\n\n### Example Deployment (PSS Restricted Level Compliant)\n```yaml\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: nginx-pss-restricted\nspec:\n  containers:\n  - name: nginx\n    image: ammnt/nginx:latest\n    securityContext:\n      capabilities:\n        drop:\n          - ALL\n      privileged: false\n      runAsUser: 10001\n      runAsGroup: 10001\n      seccompProfile:\n        type: RuntimeDefault\n      runAsNonRoot: true\n      readOnlyRootFilesystem: true\n      allowPrivilegeEscalation: false\n...\n```\n\n## 🔥 Why Choose This Image?\n\n### **GCC hardened compilation suite (-fhardened) providing comprehensive security:**\n- **Memory protection** - stack smashing protection, stack clash protection\n- **Control Flow Integrity** - full CFI protection against ROP/JOP attacks (Intel CET)\n- **Initialization hardening** - automatic zero-initialization to prevent data leaks\n- **Binary hardening** - position independent executables (PIE) for ASLR (PaX ASLR, Linux kernel ASLR)\n- **Runtime protections** - FORTIFY_SOURCE level 3 for buffer overflow detection\n- **C++ assertions** - enhanced standard library security checks\n- **Linker hardening** - read-only relocations and immediate binding (ELF hardening, RELRO)\n\n### **Runtime Security**\n- **Rootless by design** - unprivileged runtime user (Docker Bench Security, OCI Runtime Specification)\n- **Distroless base** - built from `scratch` with zero bloat (SLSA Level 3 requirements)\n- **Minimal attack surface** - no shell, no package manager and no unnecessary modules (CIS Docker Benchmark, Principle of Least Privilege)\n- **Server header removal** - anonymous signature (\"security through 
obscurity\")\n- **Kubernetes PSS compliant** - fully conforms to Pod Security Standards (baseline \u0026 restricted)\n- **Docker security standards** - follows CIS Docker Benchmarks and best practices\n- **Native QUIC and HTTP/3 support** - OpenSSL and QUIC without patches or experimental implementations (RFC 9114, RFC 9000)\n- **Native PQC support** - hybrid post-quantum key exchange algorithms in elliptic curves (NIST PQC Standardization, FIPS 203/204/205)\n- **Native TLS 1.3 with 0-RTT** (RFC 8446, RFC 9001)\n\n### **Supply Chain Integrity**\n- **Signed images** - signatures and **provenance attestation** (SLSA Level 3 requirements, in-toto attestations)\n- **Comprehensive scanning** by security tools (Scout, Trivy, Snyk, Grype, Dockle, Hadolint)\n- **SBOM generation** with Syft (NTIA Software Component Transparency)\n\n## 🚀 Ultimate Optimization\n\n### **Size Optimization**\n- **Multi-stage build** with Alpine builder + scratch final image (Dockerfile best practices, BuildKit optimizations)\n- **Static compilation** - static binary with minimal dependencies\n- **Mint tool integration** - slimmed version of the image\n- **UPX runtime efficiency** - minimal memory overhead with fast decompression (Executable compression)\n- **Binary stripping** and **LTO optimization** (DWARF debugging standard)\n\n### **Performance Features**\n- **zlib-ng** with modern compression algorithms (RFC 1950, RFC 1951, RFC 1952)\n- **PCRE2 with JIT** compilation for regex performance\n- **Thread pool support** for async I/O operations\n- **TCP Fast Open** and **SSL session resumption** (RFC 7413, RFC 8446)\n- **Graceful shutdown** - SIGQUIT handling for proper connection draining (RFC 7230)\n- **Brotli** and **ZSTD** compression mechanisms support (RFC 7932, RFC 8878)\n- **Native TLS compression** - support for certificate compression (RFC 8879)\n\n### **Quality Metrics**\n- **Image efficiency** - perfect score in Dive analysis (100%)\n- **Comprehensive OCI labels** - standardized 
metadata and annotations\n- **No excess ENTRYPOINT** - no unnecessary wrapper scripts or bloat (12-factor app methodology, Cloud Native patterns)\n- **Built-in HEALTHCHECK** - Configuration validation every 30s with 3s timeout (Docker HEALTHCHECK specification)\n\n## 🤝 Contributing \u0026 Support\n\nFound an issue or have an improvement?\n- [Open an Issue](https://github.com/ammnt/nginx/issues/new?template=bug_report.md)\n- [Feature Request](https://github.com/ammnt/nginx/issues/new?template=feature_request.md)\n\n\u003e **Note:** This image is designed for security-conscious production environments. For development purposes, consider using the official NGINX image with full debugging capabilities.\n\n## 📄 License\n\nThis project is open source and maintained with ❤️ by [ammnt](https://msftcnsi.com).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fammnt%2Fnginx","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fammnt%2Fnginx","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fammnt%2Fnginx/lists"}