The Docker image is ready to use:

`ghcr.io/ammnt/freenginx:latest`

or

`docker.io/ammnt/freenginx:latest`

or with Docker Compose deployment:

```yaml
services:
  freenginx:
    image: docker.io/ammnt/freenginx:latest
    user: "101:101"
    read_only: true
    privileged: false
    tmpfs:
      - /tmp:mode=1700,size=1G,noexec,nosuid,nodev,uid=101,gid=101
    cap_drop:
      - all
    container_name: freenginx
    security_opt:
      - no-new-privileges:true
      - apparmor:docker-freenginx
      - seccomp:./freenginx-seccomp.json
    volumes:
      - "./conf:/etc/freenginx:ro"
      - "/etc/timezone:/etc/timezone:ro"
      - "/etc/localtime:/etc/localtime:ro"
    ...
```
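The compose snippet above combines several container-hardening controls (non-root user, read-only root filesystem, all capabilities dropped, no-new-privileges, named AppArmor and seccomp profiles, a `noexec,nosuid,nodev` tmpfs and read-only bind mounts). The script below is an added example, not part of the ammnt/freenginx project: it audits a compose service definition for exactly those controls and reports what is missing. The compose data is represented as plain Python dicts so no YAML library is needed; loading a real compose file with PyYAML yields the same structure. The hardened sample copies the README's values, and the weak sample is constructed to show the findings.

```python
"""Audit docker-compose service definitions for the container-hardening
settings used in the freenginx compose example.

Added example (not part of the ammnt/freenginx project). Compose data is
given as plain dicts; loading a real compose file with PyYAML would yield
the same structure.
"""

EXPECTED_SECURITY_OPTS = ("no-new-privileges:true",)


def audit_service(name, svc):
    """Return a list of findings for one compose service.

    An empty list means every hardening control checked here is present.
    """
    findings = []

    # The process should not run as root inside the container.
    user = str(svc.get("user", ""))
    if not user or user.split(":")[0] in ("", "0", "root"):
        findings.append(f"{name}: runs as root (set user: \"101:101\" or similar)")

    # The root filesystem should be immutable; writable paths go on tmpfs.
    if svc.get("read_only") is not True:
        findings.append(f"{name}: read_only is not true")

    # Privileged containers bypass nearly every isolation boundary.
    if svc.get("privileged") is True:
        findings.append(f"{name}: privileged: true must not be set")

    # Drop all capabilities; add back only what is proven necessary.
    cap_drop = [c.lower() for c in svc.get("cap_drop", [])]
    if "all" not in cap_drop:
        findings.append(f"{name}: cap_drop does not include ALL")
    cap_add = svc.get("cap_add", [])
    if cap_add:
        findings.append(f"{name}: cap_add grants {', '.join(cap_add)}")

    # security_opt: block privilege escalation and pin LSM/seccomp profiles.
    opts = svc.get("security_opt", [])
    for required in EXPECTED_SECURITY_OPTS:
        if required not in opts:
            findings.append(f"{name}: security_opt lacks {required}")
    if not any(o.startswith("seccomp:") for o in opts):
        findings.append(f"{name}: no custom seccomp profile (Docker default applies)")
    if "seccomp:unconfined" in opts:
        findings.append(f"{name}: seccomp is unconfined")
    if not any(o.startswith("apparmor:") for o in opts):
        findings.append(f"{name}: no AppArmor profile named")

    # tmpfs mounts should carry noexec/nosuid/nodev so /tmp cannot host binaries.
    for mount in svc.get("tmpfs", []):
        target, _, options = mount.partition(":")
        opt_set = set(options.split(",")) if options else set()
        missing = {"noexec", "nosuid", "nodev"} - opt_set
        if missing:
            findings.append(f"{name}: tmpfs {target} missing {','.join(sorted(missing))}")

    # Bind mounts that are not read-only let the container alter host files.
    for vol in svc.get("volumes", []):
        parts = vol.split(":")
        if len(parts) < 3 or "ro" not in parts[2].split(","):
            findings.append(f"{name}: volume {parts[0]} is not mounted read-only")

    return findings


def audit_compose(compose):
    """Audit every service in a compose document; returns {service: findings}."""
    return {name: audit_service(name, svc)
            for name, svc in compose.get("services", {}).items()}


# Constructed samples: the hardened service from the README, plus a weak one.
HARDENED = {"services": {"freenginx": {
    "image": "docker.io/ammnt/freenginx:latest",
    "user": "101:101",
    "read_only": True,
    "privileged": False,
    "tmpfs": ["/tmp:mode=1700,size=1G,noexec,nosuid,nodev,uid=101,gid=101"],
    "cap_drop": ["all"],
    "security_opt": ["no-new-privileges:true",
                     "apparmor:docker-freenginx",
                     "seccomp:./freenginx-seccomp.json"],
    "volumes": ["./conf:/etc/freenginx:ro",
                "/etc/timezone:/etc/timezone:ro",
                "/etc/localtime:/etc/localtime:ro"],
}}}

WEAK = {"services": {"web": {
    "image": "docio.io/ammnt/freenginx:latest".replace("docio", "docker"),
    "privileged": True,
    "tmpfs": ["/tmp"],
    "security_opt": ["seccomp:unconfined"],
    "volumes": ["./conf:/etc/freenginx"],
}}}

if __name__ == "__main__":
    for doc in (HARDENED, WEAK):
        for service, issues in audit_compose(doc).items():
            print(service, "OK" if not issues else "")
            for issue in issues:
                print("  -", issue)
```

Running the script prints no findings for the README's service and a list of nine for the weak one. The check is deliberately conservative: it treats a missing `seccomp:` entry as a finding even though Docker applies its default profile, because the README's deployment pins its own `freenginx-seccomp.json`, and a drift away from that should be visible.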
- Base image: Alpine Linux (only ~5 MB);
- Runtime on a scratch image, with zero bloat;
- Multi-stage build with a statically linked binary;
- OpenSSL with HTTP/3 and QUIC support: https://github.com/openssl/openssl
- HTTP/2 with ALPN support;
- TLS 1.3 and 0-RTT support;
- TLS 1.2 and TCP Fast Open (TFO) support;
- Built with hardening GCC flags;
- NJS and Brotli support;
- PCRE with JIT compilation;
- Latest version of the zlib library;
- Rootless master process (unprivileged container);
- Async I/O threads module;
- "Distroless" image with a reduced attack surface (SHELL, UNIX tools, package manager etc. removed);
- Unnecessary modules removed;
- OCI labels and annotations added;
- No excess ENTRYPOINT in the image;
- Slimmed with the Docker Slim tool;
- Image efficiency score of 100% according to the Dive utility;
- Scanned by vulnerability scanners: GitHub, Docker Scout, Snyk, Grype, Dockle and Syft;
- Patch to prioritize ChaCha ciphers, and an anonymous signature: the "Server" header ("banner") is removed. See the Dockerfile: https://github.com/ammnt/freenginx/blob/main/Dockerfile
Feel free to contact me with more improvements🙋