Production-ready, security-focused NGINX image with HTTP/3, QUIC and PQC support.
Important
QuicTLS is now deprecated. I use OpenSSL, since this library natively supports OCSP, PQC and QUIC.
Tip
You can find an example configuration file in the repository for successfully configuring HTTP/3 and PQC💡
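Added example of an nginx.conf that enables HTTP/3 and hybrid PQC key exchange on this image; it is not the repository's own example file. It assumes certificates mounted under /etc/nginx/certs, the host-to-container port mapping 443:8443 and 80:8080 used in this README's run examples, and an OpenSSL 3.5 or newer build (the group name X25519MLKEM768 is the OpenSSL 3.5 hybrid group identifier).

```nginx
# Added example (not the repository's file). Assumes certs under
# /etc/nginx/certs, host 443 -> container 8443, host 80 -> container 8080,
# and OpenSSL >= 3.5 so that the X25519MLKEM768 group is available.

pid /tmp/nginx.pid;                       # rootfs is read-only; /tmp is the tmpfs
worker_processes auto;

events {
    worker_connections 1024;
}

http {
    # Every writable scratch path has to live on the tmpfs
    client_body_temp_path /tmp/client_body;

    server_tokens off;                    # version string is already stripped

    server {
        listen 8443 quic reuseport;       # HTTP/3 over QUIC (UDP)
        listen 8443 ssl;                  # HTTP/1.1 and HTTP/2 over TCP
        http2 on;
        http3 on;
        server_name example.com;          # placeholder host name

        ssl_certificate     /etc/nginx/certs/fullchain.pem;
        ssl_certificate_key /etc/nginx/certs/privkey.pem;

        ssl_protocols TLSv1.3;            # QUIC requires TLS 1.3
        # Hybrid post-quantum group first, classical curves as fallback
        ssl_ecdh_curve X25519MLKEM768:X25519:secp256r1;
        # 0-RTT: replayable, so only safe for idempotent requests
        ssl_early_data on;

        # Advertise HTTP/3 on the host-facing port, not the container port
        add_header Alt-Svc 'h3=":443"; ma=86400' always;
        add_header Strict-Transport-Security "max-age=63072000" always;

        location / {
            root  /etc/nginx/html;        # assumed location of static content
            index index.html;
        }
    }

    # Plain HTTP (host 80 -> container 8080) only redirects to HTTPS
    server {
        listen 8080;
        return 301 https://$host$request_uri;
    }
}
```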
Docker Hub:
ammnt/nginx:latest
GitHub Container Registry:
ghcr.io/ammnt/nginx:latest
All images are signed with Cosign and include provenance attestation.
```bash
docker run -d \
  --name nginx \
  -p 80:8080 \
  -p 443:8443 \
  ammnt/nginx:latest
```
```yaml
services:
  nginx:
    image: ammnt/nginx:latest
    user: "101:101"
    read_only: true
    privileged: false
    tmpfs:
      - /tmp:mode=1700,size=1G,noexec,nosuid,nodev,uid=101,gid=101
    cap_drop:
      - all
    container_name: nginx
    security_opt:
      - no-new-privileges=true
      - apparmor=docker-nginx
      - seccomp=./nginx-seccomp.json
    volumes:
      - "./conf:/etc/nginx:ro"
      - "/etc/timezone:/etc/timezone:ro"
      - "/etc/localtime:/etc/localtime:ro"
...
```
- 30+ GCC security flags including: `-D_FORTIFY_SOURCE=3`, `-fhardened`, `-fstack-protector-strong`, `-fstack-clash-protection`, `-fPIE`, `-pie`, `-ftrivial-auto-var-init=zero` (prevents data leaks), `-fcf-protection=full` (Control-Flow Integrity)
- Read-Only Relocations (`-Wl,-z,relro,-z,now`)
- Stack execution protection and buffer overflow guards
- Rootless by design (`USER nginx`)
- Distroless base - built from `scratch` with zero bloat
- Minimal attack surface - no shell, no package manager and 15+ unnecessary modules removed
- Server header removal - security through obscurity
- Native HTTP/3 support - OpenSSL and QUIC without patches or experimental implementations
- Native PQC support - hybrid post-quantum key exchange combined with elliptic-curve groups
- TLS 1.3 with 0-RTT and post-quantum hybrid key exchange
- Cosign-signed image signatures and SLSA attestation
- SLSA provenance attestation
- Comprehensive scanning - 7+ security tools (Docker Scout, Trivy, Snyk, Grype, Dockle, Syft, Dive)
- SBOM generation with Syft
- Multi-stage build with Alpine builder + scratch final image
- Static compilation - static binary with 30+ GCC hardening flags and minimal dependencies
- Docker Slim integration - automatic dead code elimination
- Binary stripping and LTO optimization
- zlib-ng with modern compression algorithms
- PCRE2 with JIT compilation for regex performance
- Thread pool support for async I/O operations
- TCP Fast Open and SSL session resumption
- ChaCha20 prioritization - Custom patch for modern cipher preference
- Anonymous signature - stripped version information from binaries
- Image efficiency - perfect score in Dive analysis (100%)
- Comprehensive OCI labels - standardized metadata and annotations
- No excess ENTRYPOINT - no unnecessary wrapper scripts or bloat
https://docs.docker.com/engine/security/rootless/
Found an issue or have an improvement?
Note: This image is designed for security-conscious production environments. For development purposes, consider using the official NGINX image with full debugging capabilities.
This project is open source and maintained with ❤️ by ammnt.