Stable and up-to-date nginx with QUIC + HTTP/3 support, Google's brotli
compression and Grade A+ SSL config
As this project is based on the official nginx image look for instructions there. In addition to the standard configuration directives, you'll be able to use the brotli module specific ones, see here for official documentation
docker pull macbre/nginx-brotli:1.19.6-http3
Please refer to the list of image tags as there more recent nginx versions there (but without http3 support).
$ docker run -it macbre/nginx-brotli nginx -V
nginx version: nginx/1.19.6 (quiche-567cc5e)
built by gcc 10.2.1 20201203 (Alpine 10.2.1_pre1)
built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-threads --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-http_slice_module --with-mail --with-mail_ssl_module --with-compat --with-file-aio --with-http_v2_module --with-http_v3_module --with-openssl=/usr/src/quiche/deps/boringssl --with-quiche=/usr/src/quiche --add-module=/usr/src/ngx_brotli --build=quiche-567cc5e
Please refer to Mozilla's SSL Configuration Generator. This image has https://ssl-config.mozilla.org/ffdhe2048.txt
DH parameters for DHE ciphers fetched and stored in /etc/ssl/dhparam.pem
:
ssl_dhparam /etc/ssl/dhparam.pem;
.conf
files mounted in/etc/nginx/main.d
will be included in themain
nginx context (e.g. you can callenv
directive there).conf
files mounted in/etc/nginx/conf.d
will be included in thehttp
nginx context
Please refer to tests/https.conf
config file for an example config used by the tests. And to Cloudflare docs on how to enable http/3 support in your browser.
server {
# quic and http/3
listen 443 quic reuseport;
# http/2
listen 443 ssl http2;
server_name localhost; # customize to match your domain
# you need to mount these files when running this container
ssl_certificate /etc/nginx/ssl/localhost.crt;
ssl_certificate_key /etc/nginx/ssl/localhost.key;
# Enable all TLS versions (TLSv1.3 is required for QUIC).
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
# 0-RTT QUIC connection resumption
ssl_early_data on;
# Add Alt-Svc header to negotiate HTTP/3.
add_header alt-svc 'h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400';
location / {
# your config
}
}
Refer to run-docker.sh
script on how to run this container and properly mount required config files and assets.