Distroless FreeNGINX with HTTP/3 and QUIC support🚀

Important

QuicTLS is now deprecated. I made a choice in favor of OpenSSL, since this library natively supports OCSP, PQC and QUIC⚠️

Tip

You can find an example configuration file in the repository for successfully configuring HTTP3 and PQC💡

The Docker image is ready to use:
ghcr.io/ammnt/freenginx:latest
or
docker.io/ammnt/freenginx:latest
or with Docker Compose deploy:

services:
  freenginx:
    image: docker.io/ammnt/freenginx:latest
    user: "101:101"
    read_only: true
    privileged: false
    tmpfs:
     - /tmp:mode=1700,size=1G,noexec,nosuid,nodev,uid=101,gid=101
    cap_drop:
     - all
    container_name: freenginx
    security_opt:
      - no-new-privileges:true
      - apparmor:docker-freenginx
      - seccomp:./freenginx-seccomp.json
    volumes:
      - "./conf:/etc/freenginx:ro"
      - "/etc/timezone:/etc/timezone:ro"
      - "/etc/localtime:/etc/localtime:ro"
...

Description:

Base image: Alpine Linux (only ~5 MB);
Hardened image (secure, minimal and production-ready) - recommended to use in Rootless mode:
https://docs.docker.com/engine/security/rootless/
Runtime on scratch image - with zero bloat;
Multi-stage building with statically linked binary;
Support for hybrid post-quantum key exchange algorithms in elliptic curves (PQC);
OpenSSL with HTTP/3 and QUIC support:
https://github.com/openssl/openssl
HTTP/2 with ALPN support;
TLS 1.3 and 0-RTT support;
TLS 1.2 and TCP Fast Open (TFO) support;
Built using hardening GCC flags;
NJS and Brotli support;
PCRE with JIT compilation;
zlib-ng library latest version;
Rootless master process (unprivileged container);
Async I/O threads module;
"Distroless" image - reduced attack surface (removed SHELL, UNIX tools, package manager etc);
Removed unnecessary modules;
Added OCI labels and annotations;
No excess ENTRYPOINT in the image;
Slimmed version by Docker Slim tool;
Image efficiency score 100% according to Dive utility;
Scanned by vulnerability scanners: GitHub CodeQL, Docker Scout, Snyk, Grype, Dockle and Syft;
Prioritize ChaCha cipher patch and anonymous signature - removed "Server" header ("banner"):
https://github.com/ammnt/freenginx/blob/main/Dockerfile

Note:

Feel free to contact me with more improvements🙋

Name		Name	Last commit message	Last commit date
Latest commit History 315 Commits
.github		.github
.dockerignore		.dockerignore
.gitignore		.gitignore
CODE_OF_CONDUCT.md		CODE_OF_CONDUCT.md
CONTRIBUTING.md		CONTRIBUTING.md
Dockerfile		Dockerfile
LICENSE		LICENSE
README.md		README.md
SECURITY.md		SECURITY.md
cosign.pub		cosign.pub
default.conf		default.conf
freenginx-seccomp.json		freenginx-seccomp.json
freenginx.conf		freenginx.conf
freenginx.toml		freenginx.toml
freenginx_http3.conf		freenginx_http3.conf

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

Distroless FreeNGINX with HTTP/3 and QUIC support🚀

Description:

Note:

About

Uh oh!

Releases 5

Packages

Uh oh!

Uh oh!

Contributors 2

Uh oh!

Languages

License

ammnt/freenginx

Folders and files

Latest commit

History

Repository files navigation

Distroless FreeNGINX with HTTP/3 and QUIC support🚀

Description:

Note:

About

Topics

Resources

License

Code of conduct

Security policy

Uh oh!

Stars

Watchers

Forks

Releases 5

Packages 0

Uh oh!

Uh oh!

Contributors 2

Uh oh!

Languages

Packages