add http3 support to nginx image, enable it for static files

paskal · Dec 30, 2023 · 30febe5 · 30febe5
1 parent 969766c
commit 30febe5
Show file tree

Hide file tree

Showing 11 changed files with 45 additions and 23 deletions.
diff --git a/config/nginx/Dockerfile b/config/nginx/Dockerfile
@@ -1,19 +1,25 @@
-FROM alpine:edge
+FROM macbre/nginx-http3
 
 LABEL org.opencontainers.image.authors="Dmitry Verkhoturov <paskal.07@gmail.com>" \
       org.opencontainers.image.description="nginx with brotli installed and running as non-root user, with reload for cert renewal once in six hours" \
       org.opencontainers.image.documentation="https://github.com/paskal/bitrix.infra" \
       org.opencontainers.image.source="https://github.com/paskal/bitrix.infra.git" \
       org.opencontainers.image.title="nginx"
 
+USER root
+
 # for shadow package
 RUN echo http://dl-2.alpinelinux.org/alpine/edge/community/ >> /etc/apk/repositories
 
 # shadow for usermod
-RUN apk add --no-cache nginx-mod-http-brotli shadow
+RUN apk add --no-cache shadow
 
 RUN usermod -u 1000 nginx
 RUN groupmod -g 1000 nginx
 
+# prepare to switching to non-root - update file permissions of directory containing
+# nginx.lock and nginx.pid file
+RUN chown -R --verbose nginx:nginx /var/run/nginx/ /var/cache/nginx/
+
 # run nginx with configuration reload once in every 6 hours
 CMD /bin/sh -c 'while :; do /bin/sleep 6h & wait ${!}; /usr/sbin/nginx -s reload; done & /usr/sbin/nginx -g "daemon off;"'
diff --git a/config/nginx/conf.d/adminer.conf b/config/nginx/conf.d/adminer.conf
@@ -1,5 +1,11 @@
 server {
-    listen 443 http2 ssl;
+    listen 443 ssl;
+    listen 443 quic;
+    add_header alt-svc 'h3=":443"; ma=86400';
+    ssl_certificate      /etc/nginx/letsencrypt/live/favor-group.ru/fullchain.pem;
+    ssl_certificate_key  /etc/nginx/letsencrypt/live/favor-group.ru/privkey.pem;
+    ssl_trusted_certificate /etc/nginx/letsencrypt/live/favor-group.ru/chain.pem;
+
     server_name  adminer.favor-group.ru;
     # Dmitry Verkhoturov and Eugene Donich external address
     allow 79.139.0.0/16;

diff --git a/config/nginx/conf.d/cdn.conf b/config/nginx/conf.d/cdn.conf
@@ -5,7 +5,8 @@ map $http_origin $allow_origin {
 }
 
 server {
-    listen 443 http2 ssl;
+    listen 443 ssl;
+    listen 443 quic;
 
     server_name static.cdn-favor-group.ru;
 
@@ -16,7 +17,8 @@ server {
 }
 
 server {
-    listen 443 http2 ssl;
+    listen 443 ssl;
+    listen 443 quic;
 
     server_name dev.cdn-favor-group.ru;
 

diff --git a/config/nginx/conf.d/dev-test.conf b/config/nginx/conf.d/dev-test.conf
@@ -1,5 +1,6 @@
 server {
-    listen  443 http2 ssl;
+    listen 443 ssl;
+    listen 443 quic;
 
     server_name dev-test.favor-group.ru;
 

diff --git a/config/nginx/conf.d/dev.conf b/config/nginx/conf.d/dev.conf
@@ -1,5 +1,6 @@
 server {
-    listen  443 http2 ssl;
+    listen 443 ssl;
+    listen 443 quic;
 
     server_name dev.favor-group.ru;
 

diff --git a/config/nginx/conf.d/hooks.conf b/config/nginx/conf.d/hooks.conf
@@ -1,5 +1,7 @@
 server {
-    listen 443 http2 ssl;
+    listen 443 ssl;
+    listen 443 quic;
+
     server_name  hooks.favor-group.ru;
     location / {
         proxy_read_timeout 600;

diff --git a/config/nginx/conf.d/prod.conf b/config/nginx/conf.d/prod.conf
@@ -1,7 +1,6 @@
 server {
-    listen 443 http2 reuseport ssl;
-    #listen 443 quic reuseport;
-    #add_header Alt-Svc 'h3=":443"; ma=86400';
+    listen 443 reuseport ssl;
+    listen 443 quic reuseport;
 
     server_name favor-group.ru;
 
@@ -21,9 +20,8 @@ server {
 }
 
 server {
-    listen 443 http2 ssl;
-    #listen 443 quic reuseport;
-    #add_header Alt-Svc 'h3=":443"; ma=86400';
+    listen 443 ssl;
+    listen 443 quic;
 
     server_name spb.favor-group.ru;
 
@@ -43,9 +41,8 @@ server {
 }
 
 server {
-    listen 443 http2 ssl;
-    #listen 443 quic reuseport;
-    #add_header Alt-Svc 'h3=":443"; ma=86400';
+    listen 443 ssl;
+    listen 443 quic;
 
     server_name tula.favor-group.ru;
 

diff --git a/config/nginx/conf.d/redirects.conf b/config/nginx/conf.d/redirects.conf
@@ -1,6 +1,6 @@
 # https www is a special case
 server {
-    listen 443 ssl http2;
+    listen 443 ssl;
     server_name  www.favor-group.ru;
     ssl_certificate      /etc/nginx/letsencrypt/live/favor-group.ru/fullchain.pem;
     ssl_certificate_key  /etc/nginx/letsencrypt/live/favor-group.ru/privkey.pem;
@@ -25,7 +25,7 @@ server {
 }
 
 server {
-    listen 443 default_server ssl http2;
+    listen 443 default_server ssl;
     ssl_certificate      /etc/nginx/letsencrypt/live/favor-group.ru/fullchain.pem;
     ssl_certificate_key  /etc/nginx/letsencrypt/live/favor-group.ru/privkey.pem;
     ssl_trusted_certificate /etc/nginx/letsencrypt/live/favor-group.ru/chain.pem;

diff --git a/config/nginx/nginx.conf b/config/nginx/nginx.conf
@@ -4,8 +4,8 @@ worker_processes auto;
 error_log  /var/log/nginx/other.error.log warn;
 pid        /var/run/nginx.pid;
 
-load_module modules/ngx_http_brotli_filter_module.so;
-load_module modules/ngx_http_brotli_static_module.so;
+#load_module modules/ngx_http_brotli_filter_module.so;
+#load_module modules/ngx_http_brotli_static_module.so;
 
 events {
     worker_connections  8192;
@@ -70,7 +70,8 @@ http {
     map_hash_bucket_size            512;
     # increase concurrency performance
     keepalive_requests              1000;
-    http2_push_preload              on;
+    http2                           on;
+    ssl_early_data                  on;
 
     map $remote_addr $not_logging {
         default 1;
@@ -99,7 +100,7 @@ http {
     ssl_dhparam /etc/nginx/letsencrypt/dhparams.pem;
 
     # intermediate configuration
-    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+    ssl_protocols TLSv1.2 TLSv1.3;
     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
     ssl_prefer_server_ciphers on;
 
@@ -110,6 +111,8 @@ http {
 
     # HSTS (ngx_http_headers_module is required) (63072000 seconds)
     add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains; preload' always;
+    # http3
+    #add_header alt-svc 'h3=":443"; ma=86400';
 
     # Reverse CloudFlare proxy
     # DO NOT use CloudFlare in Russia, Yandex will ban you!

diff --git a/config/nginx/security_headers.conf b/config/nginx/security_headers.conf
@@ -15,3 +15,6 @@ add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains; prelo
 
 # for the sake of better benchmark score
 add_header Referrer-Policy same-origin;
+
+# http3
+#add_header alt-svc 'h3=":443"; ma=86400';
diff --git a/config/nginx/static-cdn.conf b/config/nginx/static-cdn.conf
@@ -19,6 +19,7 @@ location ~* ^.+\.(xml|txt|jpeg|jpg|png|gif|bmp|ico|svg|tif|tiff|css|map|js|json|
     expires max;
     add_header Cache-Control public;
     add_header Access-Control-Allow-Origin $allow_origin;
+    add_header alt-svc 'h3=":443"; ma=86400';
     include security_headers.conf;
     valid_referers none blocked favor-group.ru *.favor-group.ru *.cdn-favor-group.ru;
     if ($invalid_referer) {