Ricard Bejarano ddaf1a58e4
removed git dependency
git was previously required because it was used to pull dependencies of the ngx_brotli module, but when brotli support was dropped, building without git installed still failed.
That's because git requires perl, and so does building NGINX, so removing git removed perl, making the build fail.
2019-04-22 13:20:12 +02:00
glibc removed git dependency 2019-04-22 13:20:12 +02:00
musl removed git dependency 2019-04-22 13:20:12 +02:00
rootfs replaced root 2019-03-17 23:33:44 +01:00
tests fixed shellcheck compliance 2019-03-25 00:15:09 +01:00
LICENSE updated copyright year 2019-02-02 17:02:49 +01:00
README.md upgraded to 1.15.12 2019-04-22 00:16:11 +02:00

nginx (Docker image)

Built-from-source container image of the NGINX HTTP server

Available at ricardbejarano/nginx.

Tags

1.15.12-glibc, 1.15.12, glibc, latest (glibc/Dockerfile)

1.15.12-musl, musl (musl/Dockerfile)

Features

  • Super tiny (glibc-based is ~13.2MB and musl-based is ~12.5MB)
  • Built from source, including libraries
  • Built FROM scratch, see the Filesystem section below for an exhaustive list of the image's contents
  • Included TLS1.3 protocol support (with OpenSSL)
  • Reduced attack surface (no bash, no UNIX tools, no package manager...)
  • Built with exploit mitigations enabled (see Security)

Building

To build the glibc-based image:

$ git clone https://github.com/ricardbejarano/nginx
$ cd nginx
$ docker build -t nginx:glibc -f glibc/Dockerfile .

To build the musl-based image:

$ git clone https://github.com/ricardbejarano/nginx
$ cd nginx
$ docker build -t nginx:musl -f musl/Dockerfile .

Security

This repository aims to produce a secure NGINX Docker image.

It does so in the following ways:

  • downloading and verifying the source code of NGINX and every library it is built with,
  • packaging the image with only those files required at runtime (see Filesystem),
  • enforcing a series of exploit mitigations (PIE, full RELRO, full SSP, NX and Fortify).

Verifying the presence of exploit mitigations

To check whether a binary in a Docker image has those mitigations enabled, use tests/checksec.sh.

Usage

usage: checksec.sh docker_image executable_path

Docker-based wrapper for checksec.sh.
Requires a running Docker daemon.

Example:

  $ checksec.sh ricardbejarano/nginx:glibc /nginx

  Extracts the '/nginx' binary from the 'ricardbejarano/nginx:glibc' image,
  downloads checksec (github.com/slimm609/checksec.sh) and runs it on the
  binary.
  Everything runs inside Docker containers.

Example:

Testing the /nginx binary in ricardbejarano/nginx:glibc:

$ bash tests/checksec.sh ricardbejarano/nginx:glibc /nginx
Downloading ricardbejarano/nginx:glibc...Done!
Extracting ricardbejarano/nginx:glibc:/nginx...Done!
Downloading checksec.sh...Done!
Running checksec.sh:
RELRO        STACK CANARY   NX           PIE           RPATH      RUNPATH      Symbols         FORTIFY   Fortified   Fortifiable   FILE
Full RELRO   Canary found   NX enabled   PIE enabled   No RPATH   No RUNPATH   11563 Symbols   Yes       0           34            /tmp/.checksec-ui8eKi3Q
Cleaning up...Done!

This wrapper script works with any binary in a Docker image. Feel free to use it with any other image.

Other examples:

  • bash tests/checksec.sh debian /bin/bash
  • bash tests/checksec.sh alpine /bin/sh
  • bash tests/checksec.sh nginx /usr/sbin/nginx
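The following script is an added example and is not part of this repository or of checksec.sh. It performs the same hardening checks the wrapper reports above (PIE, RELRO, NX, stack canary, FORTIFY) by parsing ELF64 program headers and the dynamic section directly, so it can be run on a binary copied out of an image (for instance with `docker cp`) without downloading checksec. The `build_sample_elf` helper constructs a synthetic, non-executable ELF image as sample input so the script runs offline; the canary and FORTIFY heuristics (looking for `__stack_chk_fail` and other `*_chk` names in the dynamic string table) are an assumption modelled on how checksec reports those two columns.

```python
import struct

# Constants as defined in elf.h
ET_DYN, PT_LOAD, PT_DYNAMIC, PF_X = 3, 1, 2, 1
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def _phdrs(data, end):
    """Program headers as (type, flags, file offset, vaddr, filesz) tuples."""
    e_phoff, = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    out = []
    for i in range(e_phnum):
        p_type, p_flags, off, vaddr, _, filesz, _, _ = struct.unpack_from(
            end + "IIQQQQQQ", data, e_phoff + i * e_phentsize)
        out.append((p_type, p_flags, off, vaddr, filesz))
    return out


def _file_offset(phdrs, vaddr):
    """Translate a virtual address to a file offset through the PT_LOAD segments."""
    for p_type, _, off, va, filesz in phdrs:
        if p_type == PT_LOAD and va <= vaddr < va + filesz:
            return vaddr - va + off
    raise ValueError("address 0x%x is not in any PT_LOAD segment" % vaddr)


def _dynamic(data, end, phdrs):
    """{d_tag: d_val} for the dynamic section, or {} if the file has none."""
    tags = {}
    for p_type, _, off, _, _ in phdrs:
        if p_type == PT_DYNAMIC:
            tag, val = struct.unpack_from(end + "qQ", data, off)
            while tag != DT_NULL:
                tags[tag] = val
                off += 16
                tag, val = struct.unpack_from(end + "qQ", data, off)
    return tags


def check_elf(data):
    """Return {mitigation: result} for an ELF64 image given as bytes."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 file")
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little endian
    e_type, = struct.unpack_from(end + "H", data, 16)
    phdrs = _phdrs(data, end)
    by_type = {p[0]: p for p in phdrs}
    dyn = _dynamic(data, end, phdrs)
    # NX: PT_GNU_STACK without PF_X. No PT_GNU_STACK at all means an executable stack.
    stack = by_type.get(PT_GNU_STACK)
    nx = stack is not None and not (stack[1] & PF_X)
    # RELRO: PT_GNU_RELRO pages become read-only after relocation; "full" also
    # needs immediate binding (BIND_NOW) so the GOT is inside those pages.
    bind_now = (DT_BIND_NOW in dyn or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW
                or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    relro = "none" if PT_GNU_RELRO not in by_type else ("full" if bind_now else "partial")
    # Canary / FORTIFY (assumption modelled on checksec): look for __stack_chk_fail
    # and other *_chk imports among the names in the dynamic string table.
    names = []
    if DT_STRTAB in dyn and DT_STRSZ in dyn:
        start = _file_offset(phdrs, dyn[DT_STRTAB])
        names = data[start:start + dyn[DT_STRSZ]].split(b"\0")
    canary = b"__stack_chk_fail" in names
    fortify = any(n.endswith(b"_chk") and n != b"__stack_chk_fail" for n in names)
    return {"pie": e_type == ET_DYN, "relro": relro, "nx": nx,
            "canary": canary, "fortify": fortify}


def build_sample_elf(pie=True, nx=True, full_relro=True, canary=True, fortify=True):
    """Constructed, non-executable ELF64 image used as sample input for check_elf."""
    names = [b""] + ([b"__stack_chk_fail"] if canary else []) + ([b"__memcpy_chk"] if fortify else [])
    dynstr = b"\0".join(names) + b"\0"
    dynstr_off = 64 + 56 * 4                  # ELF header + four program headers
    dyn_off = dynstr_off + len(dynstr)
    dyn_off += (-dyn_off) % 8                 # dynamic entries are 8-byte aligned
    dynstr = dynstr.ljust(dyn_off - dynstr_off, b"\0")
    dynamic = struct.pack("<qQqQ", DT_STRTAB, dynstr_off, DT_STRSZ, len(dynstr))
    if full_relro:
        dynamic += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
    dynamic += struct.pack("<qQ", DT_NULL, 0)
    total = dyn_off + len(dynamic)

    def phdr(p_type, flags, off=0, size=0):   # the file is mapped at vaddr 0
        return struct.pack("<IIQQQQQQ", p_type, flags, off, off, off, size, size, 8)

    phdrs = (phdr(PT_LOAD, 6, 0, total) + phdr(PT_DYNAMIC, 6, dyn_off, len(dynamic))
             + phdr(PT_GNU_STACK, 6 if nx else 7) + phdr(PT_GNU_RELRO, 4, dyn_off, len(dynamic)))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # 64-bit, little endian, v1
    header = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1, 0, 64, 0, 0,
                                 64, 56, 4, 0, 0, 0)
    return header + phdrs + dynstr + dynamic


if __name__ == "__main__":
    import sys
    # Pass a path (e.g. a binary copied out of an image with `docker cp`) or use the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for key, value in check_elf(blob).items():
        print("%-8s %s" % (key, value))
```

Run it with no arguments to see the synthetic sample scored, or pass the path of a binary extracted from an image; a fully hardened build should report `pie True`, `relro full`, `nx True`, `canary True` and `fortify True`, matching the checksec columns in the transcript above. Note that `fortify True` only means some `*_chk` variants are imported, which is also what checksec's FORTIFY column reports.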

Filesystem

The images' contents are:

glibc

Based on the glibc implementation of libc.

/
├── etc/
│   ├── group
│   ├── nginx/
│   │   ├── html/
│   │   │   ├── 50x.html
│   │   │   └── index.html
│   │   ├── mime.types
│   │   └── nginx.conf
│   └── passwd
├── lib/
│   └── x86_64-linux-gnu/
│       ├── libc.so.6
│       ├── libcrypt.so.1
│       ├── libdl.so.2
│       ├── libnss_dns.so.2
│       ├── libnss_files.so.2
│       ├── libpthread.so.0
│       └── libresolv.so.2
├── lib64/
│   └── ld-linux-x86-64.so.2
├── nginx
└── tmp/
    └── .keep

musl

Based on the musl implementation of libc.

/
├── etc/
│   ├── group
│   ├── nginx/
│   │   ├── html/
│   │   │   ├── 50x.html
│   │   │   └── index.html
│   │   ├── mime.types
│   │   └── nginx.conf
│   └── passwd
├── nginx
└── tmp/
    └── .keep

License

See LICENSE.