Forked from macbre/nginx-http3
Stable and up-to-date nginx with QUIC + HTTP/3 experimental support, Google's brotli compression and Grade A+ SSL config
nginx binary is built from quic experimental branch. It's not production-ready yet!
As this project is based on the official nginx image look for instructions there. In addition to the standard configuration directives, you'll be able to use the brotli module specific ones, see here for official documentation
docker pull vickeyrao/docker-nginx-quic:latest
- built-in nginx modules
headers-more-nginx-module- sets and clears HTTP request and response headersngx_brotli- adds brotli response compressionngx_http_geoip2_module- creates variables with values from the maxmind geoip2 databases based on the client IPOpenSSL with QUIC APIs- a fork of OpenSSL to enable QUIC
$ docker run -it vickeyrao/nginx-http3 nginx -V
nginx version: nginx/1.25.1 (quic-f8134640e861-quictls-be9e773e8926fc76166a45cfe5a19362372db90c)
built by gcc 12.2.1 20220924 (Alpine 12.2.1_git20220924-r10)
built with OpenSSL 3.1.0+quic 14 Mar 2023
TLS SNI support enabled
configure arguments:
--build=quic-f8134640e861-quictls-be9e773e8926fc76166a45cfe5a19362372db90c
--prefix=/etc/nginx
--sbin-path=/usr/sbin/nginx
--modules-path=/usr/lib/nginx/modules
--conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log
--pid-path=/var/run/nginx.pid
--lock-path=/var/run/nginx.lock
--http-client-body-temp-path=/var/cache/nginx/client_temp
--http-proxy-temp-path=/var/cache/nginx/proxy_temp
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
--http-scgi-temp-path=/var/cache/nginx/scgi_temp
--user=nginx
--group=nginx
--with-http_ssl_module
--with-http_realip_module
--with-http_addition_module
--with-http_sub_module
--with-http_dav_module
--with-http_flv_module
--with-http_mp4_module
--with-http_gunzip_module
--with-http_gzip_static_module
--with-http_random_index_module
--with-http_secure_link_module
--with-http_stub_status_module
--with-http_auth_request_module
--with-http_xslt_module=dynamic
--with-http_image_filter_module=dynamic
--with-http_geoip_module=dynamic
--with-http_perl_module=dynamic
--with-threads
--with-stream
--with-stream_ssl_module
--with-stream_ssl_preread_module
--with-stream_realip_module
--with-stream_geoip_module=dynamic
--with-http_slice_module
--with-mail
--with-mail_ssl_module
--with-compat
--with-file-aio
--with-http_v2_module
--with-http_v3_module
--add-module=/usr/src/ngx_brotli
--add-module=/usr/src/headers-more-nginx-module-0.34
--add-dynamic-module=/ngx_http_geoip2_module
--with-cc-opt='-I /usr/local/include'
--with-ld-opt='-L /usr/local/lib64'
Please refer to Mozilla's SSL Configuration Generator. This image has https://ssl-config.mozilla.org/ffdhe2048.txt DH parameters for DHE ciphers fetched and stored in /etc/ssl/dhparam.pem:
ssl_dhparam /etc/ssl/dhparam.pem;
See ssllabs.com test results for wbc.macbre.net.
.conffiles mounted in/etc/nginx/main.dwill be included in themainnginx context (e.g. you can callenvdirective there).conffiles mounted in/etc/nginx/conf.dwill be included in thehttpnginx context
Please refer to tests/https.conf config file for an example config used by the tests. And to Cloudflare docs on how to enable http/3 support in your browser.
server {
# http/3
listen 443 quic reuseport;
# http/2 and http/1.1
listen 443 ssl;
http2 on;
server_name localhost; # customize to match your domain
# you need to mount these files when running this container
ssl_certificate /etc/nginx/ssl/localhost.crt;
ssl_certificate_key /etc/nginx/ssl/localhost.key;
# Enable all TLS versions (TLSv1.3 is required for QUIC).
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
# 0-RTT QUIC connection resumption
ssl_early_data on;
# Add Alt-Svc header to negotiate HTTP/3.
add_header alt-svc 'h3=":443"; ma=86400';
location / {
# your config
}
}
Refer to run-docker.sh script on how to run this container and properly mount required config files and assets.