This will build a Docker image for Nginx, for serving websites
- Tracks Mainline release channel
- Many options configurable including compression, performance
- Includes Monitoring (nginx status) on port 73
- Includes Nginx Ultimate Bad Bot Blocker
- Logrotate Included to roll over log files at 23:59, compress and retain for 7 days
- Ability to Password Protect (Basic), LDAP Authenticate or use LemonLDAP:NG Handler
- About
- Maintainer
- Table of Contents
- Prerequisites and Assumptions
- Installation
- Configuration
- Maintenance
- Support
- License
- References
Clone this repository and build the image with docker build <arguments> (imagename) .
Builds of the image are available on Docker Hub
docker pull docker.io/tiredofit/nginx):(imagetag)
Builds of the image are also available on the Github Container Registry
docker pull ghcr.io/tiredofit/docker-nginx:(imagetag)
The following image tags are available along with their tagged release based on what's written in the Changelog:
| Alpine Base | Tag | Debian Base | Tag |
|---|---|---|---|
| latest | :latest |
latest | :debian |
| latest | :alpine |
Bookworm | :debian-bookworm |
| edge | :alpine-edge |
Bullseye | :debian-bullseye |
| 3.20 | :alpine-3.20 |
Buster | :debian-buster |
| 3.19 | :alpine-3.19 |
||
| 3.16 | :alpine-3.16 |
||
| 3.15 | :alpine-3.15 |
||
| 3.12 | :alpine-3.12 |
||
| 3.9 | :alpine-3.9 |
||
| 3.7 | :alpine-3.7 |
||
| 3.5 | :alpine-3.5 |
docker pull docker.io/tiredofit/nginx:(imagetag)Images are built primarily for amd64 architecture, and may also include builds for arm/v7, arm64 and others. These variants are all unsupported. Consider sponsoring my work so that I can work with various hardware. To see if this image supports multiple architecures, type docker manifest (image):(tag)
-
The quickest way to get started is using docker-compose. See the examples folder for a working docker-compose.yml that can be modified for development or production use.
-
Set various environment variables to understand the capabilities of this image.
-
Map persistent storage for access to configuration and data files for backup.
-
Make networking ports available for public access if necessary
The container starts up and reads from /etc/nginx/nginx.conf for some basic configuration and to listen on port 73 internally for Nginx Status responses. Configuration of websites are done in /etc/services.available with the filename pattern of site.conf. You must set an environment variable for NGINX_SITE_ENABLED if you have more than one configuration in there if you only want to enable one of the configurartions, otherwise it will enable all of them. Use NGINX_SITE_ENABLED=null to break a parent image declaration.
Use this as a starting point for your site configurations:
server {
### Don't Touch This
listen {{NGINX_LISTEN_PORT}};
server_name localhost;
root {{NGINX_WEBROOT}};
###
### Populate your custom directives here
index index.html index.htm;
location / {
#
}
### Don't edit past here
include /etc/nginx/snippets/site_optimization.conf;
include /etc/nginx/snippets/exploit_protection.conf;
}The following directories are used for configuration and can be mapped for persistent storage.
| Directory | Description |
|---|---|
/www/html |
Drop your Datafiles in this Directory to be served by Nginx |
/www/logs |
Logfiles for Nginx error and Access |
This image relies on an Alpine Linux or Debian Linux base image that relies on an init system for added capabilities. Outgoing SMTP capabilities are handlded via msmtp. Individual container performance monitoring is performed by zabbix-agent. Additional tools include: bash,curl,less,logrotate, nano.
Be sure to view the following repositories to understand all the customizable options:
| Image | Description |
|---|---|
| OS Base | Customized Image based on Alpine Linux |
| OS Base | Customized Image based on Debian Linux |
You can choose to request visitors be authenticated before accessing your site. Options are below.
| Parameter | Description | Default | _FILE |
|---|---|---|---|
NGINX_AUTHENTICATION_TYPE |
Protect the site with BASIC, LDAP, LLNG |
NONE |
|
NGINX_AUTHENTICATION_TITLE |
Challenge response when visiting protected site | Please login |
|
NGINX_AUTHENTICATION_BASIC_USER1 |
If BASIC chosen enter this for the username to protect site |
admin |
x |
NGINX_AUTHENTICATION_BASIC_PASS1 |
If BASIC chosen enter this for the password to protect site |
password |
x |
NGINX_AUTHENTICATION_BASIC_USER2 |
As above, increment for more users | x | |
NGINX_AUTHENTICATION_BASIC_PASS2 |
As above, increment for more users | x | |
NGINX_AUTHENTICATION_LDAP_HOST |
Hostname and port number of LDAP Server - eg ldap://ldapserver:389 |
x | |
NGINX_AUTHENTICATION_LDAP_BIND_DN |
User to Bind to LDAP - eg cn=admin,dc=orgname,dc=org |
x | |
NGINX_AUTHENTICATION_LDAP_BIND_PW |
Password for Above Bind User - eg password |
x | |
NGINX_AUTHENTICATION_LDAP_BASE_DN |
Base Distringuished Name - eg dc=hostname,dc=com |
x | |
NGINX_AUTHENTICATION_LDAP_ATTRIBUTE |
Unique Identifier Attrbiute -ie uid |
||
NGINX_AUTHENTICATION_LDAP_SCOPE |
LDAP Scope for searching - eg sub |
||
NGINX_AUTHENTICATION_LDAP_FILTER |
Define what object that is searched for (ie objectClass=person) |
||
NGINX_AUTHENTICATION_LDAP_GROUP_ATTRIBUTE |
If searching inside of a group what is the Group Attribute - eg uniquemember |
||
NGINX_AUTHENTICATION_LLNG_HANDLER_HOST |
If LLNG chosen use hostname and port of handler. Add multiple by seperating with comments |
llng-handler:2884 |
x |
NGINX_AUTHENTICATION_LLNG_HANDLER_PORT |
If LLNG chosen use this port for handler |
2884 |
x |
NGINX_AUTHENTICATION_LLNG_ATTRIBUTE1 |
Syntax: HEADER_NAME, Variable, Upstream Variable - See note below | ||
NGINX_AUTHENTICATION_LLNG_ATTRIBUTE2 |
Syntax: HEADER_NAME, Variable, Upstream Variable - See note below |
When working with NGINX_AUTHENTICATION_LLNG_ATTRIBUTE2 you will need to omit any $ chracters from your string. It will be added in upon container startup. Example:
NGINX_AUTHENTICATION_LLNG_ATTRIBUTE1=HTTP_AUTH_USER,uid,upstream_http_uid will get converted into HTTP_AUTH_USER,$uid,$upstream_http_uid and get placed in the appropriate areas in the configuration.
| Parameter | Description | Default |
|---|---|---|
NGINX_BLOCK_BOTS_WHITELIST_DOMAIN |
Domains to whitelist from blocking comma seperated e.g. example1.com,example2.com |
|
NGINX_BLOCK_BOTS_WHITELIST_IP |
IP Addresses/Networks to Whitelist from Blocking comma seperated | 127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/24 |
NGINX_BLOCK_BOTS |
Bots to Block ALL AOL BING DOCOMO DUCKDUCKGO FACEBOOK GOOGLE LINKEDIN MISC MSN SAMSUNG SLACK SLURP TWITTER WORDPRESS YAHOO or yourcustom-useragent in Comma Seperated values |
|
NGINX_ENABLE_BLOCK_BOTS |
Block Bots and Crawlers | FALSE |
For more details on how Bot Blocking works please visit Nginx Ultimate Bad Bot Blocker
| Parameter | Description | Default |
|---|---|---|
NGINX_LOG_ACCESS_FILE |
Nginx websites access logs | access.log |
NGINX_LOG_ACCESS_LOCATION |
Location inside container for saving logs | /www/logs/nginx |
NGINX_LOG_ACCESS_FORMAT |
Log Format standard or json |
standard |
NGINX_LOG_BLOCKED_FILE |
If exploit protection TRUE |
access.log |
NGINX_LOG_BLOCKED_LOCATION |
Location inside container for saving logs | /www/logs/nginx |
NGINX_LOG_BLOCKED_FORMAT |
Log Format standard or json |
standard |
NGINX_LOG_ERROR_FILE |
Nginx server and websites error log name | error.log |
NGINX_LOG_ERROR_LOCATION |
Location inside container for saving logs | /www/logs/nginx |
NGINX_LOG_LEVEL_ERROR |
How much verbosity to use with error logs | warn |
Presently you can compress your served content with gzip and brotli. More compression options to come in future..
| Parameter | Description | Default |
|---|---|---|
NGINX_ENABLE_COMPRESSION_BROTLI |
Enable Brotli Compression | TRUE |
NGINX_COMPRESSION_BROTLI_LEVEL |
Compression Level for Brotli | 6 |
NGINX_COMPRESSION_BROTLI_MIN_LENGTH |
Minimum length of content before compressing | 20 |
NGINX_COMPRESSION_BROTLI_TYPES |
What filetypes to compress | text/plain text/css text/xml text/javascript application/x-javascript application/json application/xml |
NGINX_COMPRESSION_BROTLI_WINDOW |
512k |
|
NGINX_ENABLE_COMPRESSION_GZIP |
Enable GZIP Compression | TRUE |
NGINX_COMPRESSION_GZIP_BUFFERS |
16 8k |
|
NGINX_COMPRESSION_GZIP_DISABLE |
Don't compress for these user agents | MSIE [1-6].(?!.*SV1) |
NGINX_COMPRESSION_GZIP_HTTP_VERSION |
1.1 |
|
NGINX_COMPRESSION_GZIP_LEVEL |
Compression Level | 6 |
NGINX_COMPRESSION_GZIP_MIN_LENGTH |
Minimum length of content before compressing | 10240 |
NGINX_COMPRESSION_GZIP_PROXIED |
expired no-cache no-store private auth |
|
NGINX_COMPRESSION_GZIP_TYPES |
Types of content to compress | text/plain text/css text/xml text/javascript application/x-javascript application/json application/xml |
NGINX_COMPRESSION_GZIP_VARY |
TRUE |
| Parameter | Description | Default |
|---|---|---|
NGINX_ENABLE_DDOS_PROTECTION |
Enable simple DDoS Protection | FALSE |
NGINX_DDOS_CONNECTIONS_PER_IP |
Limit amount of connections per IP | 10m |
NGINX_DDOS_REQUESTS_PER_IP |
Limit amount of requests per IP | 5r/s |
| Parameter | Description | Default |
|---|---|---|
NGINX_ENABLE_FASTCGI_HTTPS |
Set fastcgi_param HTTPS 'on' | FALSE |
NGINX_ENABLE_REVERSE_PROXY |
Helpers for when behind a reverse proxy | TRUE |
NGINX_REAL_IP_HEADER |
What is the header passed containing the visitors IP | X-Forwarded-For |
NGINX_SET_REAL_IP_FROM |
Set the network of your Docker Network if having IP lookup issues | 172.16.0.0/12 |
| Parameter | Description | Default |
|---|---|---|
NGINX_ENABLE_APPLICATION_CONFIGURATION |
Don't automatically setup /etc/nginx/sites.available files - Useful for volume mapping/overriding | TRUE |
NGINX_ENABLE_CREATE_SAMPLE_HTML |
If no index.html found - create a sample one to prove container works | TRUE |
NGINX_ENABLE_SITE_OPTIMIZATIONS |
Deny access to some files and URLs, send caching tags | TRUE |
NGINX_INCLUDE_CONFIGURATION |
Include configuration in your website application file. eg /www/website/nginx.conf |
|
NGINX_RELOAD_ON_CONFIG_CHANGE |
Automatically reload nginx on configuration file change | FALSE |
NGINX_LISTEN_PORT |
Nginx listening port | 80 |
NGINX_POST_INIT_SCRIPT |
If you wish to run a bash script before the nginx process runs enter the path here, seperate multiple by commas. | |
NGINX_WEBROOT |
Where to serve content from inside the container | /www/html |
NGINX_WEBROOT_SUFFIX |
Append a suffix onto the nginx configuration to serve files from a subfolder e.g. /public |
| Parameter | Description | Default |
|---|---|---|
NGINX_FORCE_RESET_PERMISSIONS |
Force setting Nginx files ownership to web server user | TRUE |
NGINX_MODE |
Set to NORMAL, MAINTENANCE , PROXY, REDIRECT |
NORMAL |
NGINX_REDIRECT_URL |
If REDIRECT set enter full url to forward all traffic to eg https://example.com |
|
NGINX_PROXY_URL |
If REDIRECT set enter full url to proxy all traffic to eg https://example.com:443 |
|
NGINX_SITE_ENABLED |
What sites to enable in /etc/nginx/sites.available Don't use .conf suffix |
ALL |
NGINX_USER |
What user to run nginx as inside container | nginx |
NGINX_GROUP |
What group to run nginx as inside container | www-data |
If set to MAINTNENANCE a single page will show visitors that the server is being worked on.
| Parameter | Description | Default |
|---|---|---|
NGINX_MAINTENANCE_TYPE |
Serve local file or redirect or proxy to a URL |
local |
NGINX_MAINTENANCE_PATH |
(local) Path where the maintenance page resides | /assets/nginx/maintenance |
NGINX_MAINTENANCE_FILE |
(local) File to load while in maintenance mode | index.html |
NGINX_MAINTENANCE_REMOTE_URL |
(local) If you wish to download an html file from a remote location to overwrite the above enter the URL here | |
NGINX_MAINTENANCE_PROXY_URL |
What url eg https://example.com to transparently proxy for the user when they visit the site |
http://maintenance |
NGINX_MAINTENANCE_REDIRECT_URL |
What url eg https://example.com to redirect in a uers browser when they visit the site |
You can also enter into the container and type maintenance ARG, where ARG is either ON,OFF, or SLEEP (seconds) which will temporarily place the site in maintenance mode and then restore it back to normal after time has passed.
| Parameter | Description | Default |
|---|---|---|
NGINX_CLIENT_BODY_TIMEOUT |
Request timed out | 60 |
NGINX_ENABLE_EPOLL |
Optmized to serve many clients with each thread, essential for linux | TRUE |
NGINX_ENABLE_MULTI_ACCEPT |
Accept as many connections as possible, may flood worker connections if set too low | TRUE |
NGINX_ENABLE_RESET_TIMEDOUT_CONNECTION |
Allow the server to close connection on non responding client, this will free up memory | TRUE |
NGINX_ENABLE_SENDFILE |
Copies data between one FD and other from within the kernel | TRUE |
NGINX_ENABLE_SERVER_TOKENS |
Show Nginx version on responses | FALSE |
NGINX_ENABLE_TCPNODELAY |
Don't buffer data sent, good for small data bursts in real time | TRUE |
NGINX_ENABLE_TCPNOPUSH |
Send headers in one peace, its better then sending them one by one | TRUE |
NGINX_ENABLE_UPSTREAM_KEEPALIVE |
Reuse connections when using upstream (LLNG Auth, FastCGI etc) | TRUE |
NGINX_KEEPALIVE_REQUESTS |
Number of requests client can make over keep-alive | 100000 |
NGINX_KEEPALIVE_TIMEOUT |
Server will close connection after this time | 75 |
NGINX_SEND_TIMEOUT |
If client stop responding, free up memory | 60 |
NGINX_UPLOAD_MAX_SIZE |
Maximum Upload Size | 2G |
NGINX_WORKER_CONNECTIONS |
Determines how much clients will be served per worker | 1024 |
NGINX_WORKER_PROCESSES |
How many processes to spawn | auto |
NGINX_WORKER_RLIMIT_NOFILE |
Number of file descriptors used for nginx | 100000 |
NGINX_ENABLE_OPEN_FILE_CACHE |
Cache informations about FDs, frequently accessed files | TRUE |
NGINX_ENABLE_OPEN_FILE_CACHE_ERRORS |
Cache errors like 404 | TRUE |
NGINX_OPEN_FILE_CACHE_INACTIVE |
Stop caching after inactive | 5m |
NGINX_OPEN_FILE_CACHE_MAX |
Maximum files to cache | 200000 |
NGINX_OPEN_FILE_CACHE_MIN_USES |
Minimum uses of file before cashing | 2 |
NGINX_OPEN_FILE_CACHE_VALID |
Cache a file if has been accessed within this window | 2m |
NGINX_ENABLE_PROXY_BUFFERING |
Enable Proxy Buffering | TRUE |
NGINX_PROXY_BUFFERS |
Proxy Buffers | 4 256k |
NGINX_PROXY_BUFFER_SIZE |
Proxy Buffer Size | 128k |
NGINX_PROXY_BUSY_BUFFERS_SIZE |
Proxy Busy Buffers Size | 256k |
NGINX_CLIENT_BODY_BUFFER_SIZE |
Client Buffer size | 16k |
NGINX_UPSTREAM_KEEPALIVE |
Keepalive connections to utilize for upstream | 32 |
NGINX_FASTCGI_BUFFERS |
Amount of FastCGI Buffers | 16 16k |
NGINX_FASTCGI_BUFFER_SIZE |
FastCGI Buffer Size | 32k |
NGINX_SERVER_NAMES_HASH_BUCKET_SIZE |
Server names hash size (256`` if NGINX_ENABLE_BLOCK_BOTS=TRUE`) |
32 |
The following ports are exposed.
| Port | Description |
|---|---|
80 |
HTTP |
For debugging and maintenance purposes you may want access the containers shell.
bash docker exec -it (whatever your container name is) bash
These images were built to serve a specific need in a production environment and gradually have had more functionality added based on requests from the community.
- The Discussions board is a great place for working with the community on tips and tricks of using this image.
- Sponsor me for personalized support
- Please, submit a Bug Report if something isn't working as expected. I'll do my best to issue a fix in short order.
- Feel free to submit a feature request, however there is no guarantee that it will be added, or at what timeline.
- Sponsor me regarding development of features.
- Best effort to track upstream changes, More priority if I am actively using the image in a production environment.
- Sponsor me for up to date releases.
MIT. See LICENSE for more details.