🚀 Distroless FreeNGINX: Hardened & Optimized image

Production-ready, security-focused FreeNGINX image with HTTP/3, QUIC and PQC support.

Important

QuicTLS is now deprecated. I use OpenSSL, since this library natively supports OCSP, PQC and QUIC⚠️

Important

NJS module has been removed due to security vulnerabilities in libxml2/libxslt dependencies⚠️

Tip

You can find an example configuration file in the repository for successfully configuring HTTP/3 and PQC💡

🌐 Image Variants

Docker Hub:

ammnt/freenginx:latest

GitHub Container Registry:

ghcr.io/ammnt/freenginx:latest

📦 Quick Start

Docker Run

docker run -d \
  --name freenginx \
  -p 80:8080 \
  -p 443:8443 \
  ammnt/freenginx:latest

🔧 Advanced Configuration

🎯 Recommended to use in Rootless mode:

https://docs.docker.com/engine/security/rootless/

Docker Compose (Recommended)

services:
  freenginx:
    image: ammnt/freenginx:latest
    user: "101:101"
    read_only: true
    privileged: false
    tmpfs:
     - /tmp:mode=1700,size=1G,noexec,nosuid,nodev,uid=101,gid=101
    cap_drop:
     - all
    container_name: freenginx
    security_opt:
      - no-new-privileges=true
      - apparmor=docker-freenginx
      - seccomp=./freenginx-seccomp.json
    volumes:
      - "./conf:/etc/freenginx:ro"
...

🔥 Why Choose This Image?

Compilation Hardening

• GCC security flags including:
  • -D_FORTIFY_SOURCE=3, -fhardened, -fstack-protector-strong
  • -fstack-clash-protection, -ftrivial-auto-var-init=zero (prevents data leaks)
  • -fcf-protection=full (Control-Flow Integrity)
• Read-Only Relocations (-Wl,-z,relro,-z,now)
• Stack execution protection and buffer overflow guards

Runtime Security

• Rootless by design (USER freenginx)
• Distroless base - built from scratch with zero bloat
• Minimal attack surface - no shell, no package manager and no unnecessary modules
• Server header removal - anonymous signature ("security through obscurity")
• Native HTTP/3 support - OpenSSL and QUIC without patches or experimental implementations
• Native PQC support - hybrid post-quantum key exchange algorithms in elliptic curves
• Native TLS 1.3 with 0-RTT

Supply Chain Integrity

• Signed images - signatures and SLSA provenance attestation.
• Comprehensive scanning - by security tools (Docker Scout, Trivy, Snyk, Grype, Dockle, Syft, Dive)
• SBOM generation with Syft

🚀 Ultimate Optimization

Size Optimization

• Multi-stage build with Alpine builder + scratch final image
• Static compilation - static binary with minimal dependencies
• Mint tool integration - slimmed version of the image
• UPX runtime efficiency - minimal memory overhead with fast decompression
• Binary stripping and LTO optimization

Performance Features

• zlib-ng with modern compression algorithms
• PCRE2 with JIT compilation for regex performance
• Thread pool support for async I/O operations
• TCP Fast Open and SSL session resumption
• Graceful shutdown - SIGQUIT handling for proper connection draining
• Brotli compression support

Quality Metrics

• ChaCha20 prioritization - custom patch for modern cipher preference
• Image efficiency - perfect score in Dive analysis (100%)
• Comprehensive OCI labels - standardized metadata and annotations
• No excess ENTRYPOINT - no unnecessary wrapper scripts or bloat
• HEALTHCHECK - added in the Dockerfile

🤝 Contributing & Support

Found an issue or have an improvement?

• Open an Issue
• Feature Request

Note: This image is designed for security-conscious production environments. For development purposes, consider using the official FreeNGINX image with full debugging capabilities.

📄 License

This project is open source and maintained with ❤️ by ammnt.