Production-ready, security-focused FreeNGINX image with HTTP/3, QUIC and PQC support.
Important: QuicTLS is now deprecated. I use OpenSSL, since this library natively supports OCSP, PQC and QUIC.
Important: The NJS module has been removed due to security vulnerabilities in the libxml2/libxslt dependencies.
Tip: You can find an example configuration file in the repository for successfully configuring HTTP/3 and PQC.
Important: UID/GID changed to 10001 - it's recommended for Kubernetes and prevents conflicts with system users.
Docker Hub:
ammnt/freenginx:latest
GitHub Container Registry:
ghcr.io/ammnt/freenginx:latest
```shell
docker run -d \
  --name freenginx \
  -p 80:8080 \
  -p 443:8443 \
  ammnt/freenginx:latest
```
Rootless Docker mode: https://docs.docker.com/engine/security/rootless/
```yaml
services:
  freenginx:
    image: ammnt/freenginx:latest
    user: "10001:10001"
    read_only: true
    privileged: false
    tmpfs:
      - /tmp:mode=1700,size=1G,noexec,nosuid,nodev,uid=10001,gid=10001
    cap_drop:
      - all
    container_name: freenginx
    security_opt:
      - no-new-privileges=true
      - apparmor=docker-freenginx
      - seccomp=./freenginx-seccomp.json
    volumes:
      - "./conf:/etc/freenginx:ro"
```
```yaml
apiVersion: v1
kind: Pod   # the same securityContext goes into a Deployment's pod template
metadata:
  name: freenginx-pss-restricted
spec:
  containers:
    - name: freenginx
      image: ammnt/freenginx:latest
      securityContext:
        capabilities:
          drop:
            - ALL
        privileged: false
        runAsUser: 10001
        runAsGroup: 10001
        seccompProfile:
          type: RuntimeDefault
        runAsNonRoot: true
        readOnlyRootFilesystem: true   # mount an emptyDir at /tmp for scratch files
        allowPrivilegeEscalation: false
```
- GCC security flags including: -D_FORTIFY_SOURCE=3, -fhardened, -fstack-protector-strong, -fstack-clash-protection, -ftrivial-auto-var-init=zero (prevents data leaks), -fcf-protection=full (Control-Flow Integrity)
- Read-Only Relocations (-Wl,-z,relro,-z,now)
- Stack execution protection and buffer overflow guards
- Rootless by design - unprivileged runtime user
- Distroless base - built from scratch with zero bloat
- Minimal attack surface - no shell, no package manager and no unnecessary modules
- Server header removal - anonymous signature ("security through obscurity")
- Kubernetes PSS compliant - fully conforms to Pod Security Standards (Baseline & Restricted)
- Docker security standards - follows CIS Docker Benchmarks and best practices
- Native HTTP/3 support - OpenSSL and QUIC without patches or experimental implementations
- Native PQC support - hybrid post-quantum key exchange combined with elliptic-curve groups
- Native TLS 1.3 with 0-RTT
- Signed images - signatures and SLSA provenance attestation
- Comprehensive scanning - by security tools (Scout, Trivy, Snyk, Grype, Dockle, Hadolint)
- SBOM generation with Syft
- Multi-stage build with Alpine builder + scratch final image
- Static compilation - static binary with minimal dependencies
- Mint tool integration - slimmed version of the image
- UPX runtime efficiency - minimal memory overhead with fast decompression
- Binary stripping and LTO optimization
- zlib-ng with modern compression algorithms
- PCRE2 with JIT compilation for regex performance
- Thread pool support for async I/O operations
- TCP Fast Open and SSL session resumption
- Graceful shutdown - SIGQUIT handling for proper connection draining
- Brotli compression support
- ZSTD compression support
- ChaCha20 prioritization - custom patch for modern cipher preference
- Image efficiency - perfect score in Dive analysis (100%)
- Comprehensive OCI labels - standardized metadata and annotations
- No excess ENTRYPOINT - no unnecessary wrapper scripts or bloat
- Built-in HEALTHCHECK - configuration validation every 30s with 3s timeout
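Added example, not the repository's own example file referred to in the Tip above: a minimal configuration for the HTTP/3, hybrid PQC and 0-RTT features listed above. It assumes OpenSSL 3.5 or later for the X25519MLKEM768 group, the -p 443:8443 rootless port mapping, and the read-only root filesystem with a tmpfs at /tmp from the compose file; certificate, content and upstream paths are placeholders.

```nginx
# Added example, not the repository's own example file. Assumed: OpenSSL 3.5+
# (for the X25519MLKEM768 hybrid group), the -p 443:8443 rootless port mapping
# and a read-only rootfs with a tmpfs at /tmp, as in the compose file above.
# Certificate, content and upstream paths are placeholders.
worker_processes auto;
error_log /dev/stderr warn;
pid /tmp/freenginx.pid;                  # /tmp is the only writable location

events {
    worker_connections 1024;
}
http {
    # Scratch directories must point at the tmpfs, not the read-only rootfs
    client_body_temp_path /tmp/client_body;
    proxy_temp_path       /tmp/proxy;
    access_log /dev/stdout;

    server {
        # HTTP/3 over QUIC (UDP) and HTTP/2 over TLS (TCP) on the same unprivileged port
        listen 8443 quic reuseport;
        listen 8443 ssl;
        http2 on;
        http3 on;
        server_name example.com;                                 # placeholder
        ssl_certificate     /etc/freenginx/certs/fullchain.pem;  # placeholder
        ssl_certificate_key /etc/freenginx/certs/privkey.pem;    # placeholder
        ssl_protocols TLSv1.3;
        # Hybrid PQC key exchange first, classical X25519 kept for older clients
        ssl_ecdh_curve X25519MLKEM768:X25519;
        # 0-RTT resumption: early data is replayable, so forward the flag to
        # backends and let them refuse it for non-idempotent requests
        ssl_early_data on;
        # QUIC address validation (Retry) limits reflection/amplification
        quic_retry on;
        # Advertise HTTP/3 on the externally mapped port, not the container port
        add_header Alt-Svc 'h3=":443"; ma=86400' always;

        location / {
            root /usr/share/freenginx/html;                      # placeholder
            # Safe with 0-RTT: only idempotent GET/HEAD of static files
            limit_except GET { deny all; }
        }
        location /api/ {
            proxy_pass http://backend:8080;                      # placeholder upstream
            proxy_set_header Early-Data $ssl_early_data;         # backend answers 425 if unsafe
        }
    }
}
```

Note that the docker run command above publishes only TCP; HTTP/3 additionally needs the UDP port published (for example `-p 443:8443/udp`), otherwise clients silently fall back to HTTP/2.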
Found an issue or have an improvement?
Note: This image is designed for security-conscious production environments. For development purposes, consider using the official FreeNGINX image with full debugging capabilities.
This project is open source and maintained with ❤️ by ammnt.