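├── .env.example ├── .github └── workflows │ └── ci.yaml ├── .gitignore ├── README.md ├── alpine ├── Dockerfile ├── docker-compose.test.yml ├── hooks │ ├── build │ ├── push │ └── test ├── index.html ├── nginx.conf └── nginx.vh.default.conf ├── buster ├── Dockerfile ├── docker-compose.test.yml ├── index.html ├── nginx.conf └── nginx.vh.default.conf ├── conf.d ├── http3-quic.conf └── ssl │ ├── root-ca.crt │ ├── t.khs1994.com.crt │ └── t.khs1994.com.key └── docker-compose.yml /.env.example: -------------------------------------------------------------------------------- 1 | NGINX_VERSION=1.27.0 2 | -------------------------------------------------------------------------------- /.github/workflows/ci.yaml: --------------------------------------------------------------------------------
# CI: build the `alpine` image with buildx and push it to Docker Hub and
# ghcr.io. Runs for every pushed tag and on manual dispatch.
name: CI

on:
  push:
    tags:
      - "*"
  workflow_dispatch:

# The job only reads the repository. Registry pushes authenticate with the
# dedicated secrets below, so the default GITHUB_TOKEN can stay read-only.
permissions:
  contents: read

jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      # Pinned to a release tag instead of the moving `main` branch.
      # NOTE(review): a tag can still be re-pointed; pin to a full commit SHA
      # (<COMMIT_SHA>) if the job must be reproducible.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 2
      # NOTE(review): `@master` is a mutable ref of a third-party action that
      # runs in the same job as the registry logins below; pin it to a commit
      # SHA (<COMMIT_SHA>) after reviewing that revision.
      - uses: docker-practice/actions-setup-docker@master
      # Docker Hub login.
      - uses: azure/docker-login@v1
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      # ghcr.io login.
      - uses: azure/docker-login@v1
        with:
          login-server: ghcr.io
          username: khs1994
          password: ${{ secrets.GHCR_IO_TOKEN }}
      - run: |
          # The tag name is the third "/"-separated field of GITHUB_REF.
          export GITHUB_TAG=$(echo "$GITHUB_REF" | cut -d '/' -f 3)

          # DOCKER_PUSH="--load"
          DOCKER_PUSH="--push"
          DOCKER_LATEST_TAG="dev"

          # Any event other than a manual dispatch also publishes
          # <tag>-alpine and alpine, and moves `latest` instead of `dev`.
          if ! [ "$GITHUB_EVENT_NAME" = 'workflow_dispatch' ];then
            DOCKER_IMAGES="-t ${DOCKER_IMAGE}:${GITHUB_TAG}-alpine \
            -t ${REGISTRY_MIRROR}/${DOCKER_IMAGE}:${GITHUB_TAG}-alpine \
            -t ${DOCKER_IMAGE}:alpine \
            -t ${REGISTRY_MIRROR}/${DOCKER_IMAGE}:alpine \
            "
            DOCKER_PUSH="--push"
            DOCKER_LATEST_TAG="latest"
          fi

          # DOCKER_IMAGES and DOCKER_PUSH stay unquoted on purpose: they hold
          # several arguments (or none) and rely on word splitting.
          docker buildx build \
            -t "${DOCKER_IMAGE}:${DOCKER_LATEST_TAG}" \
            -t "${REGISTRY_MIRROR}/${DOCKER_IMAGE}:${DOCKER_LATEST_TAG}" \
            ${DOCKER_IMAGES} \
            ${DOCKER_PUSH} \
            --cache-from="ghcr.io/${DOCKER_IMAGE}:cache" \
            --cache-to="ghcr.io/${DOCKER_IMAGE}:cache" \
            alpine
        env:
          REGISTRY_MIRROR: ghcr.io
          GITHUB_EVENT_NAME: ${{github.event_name}}
          DOCKER_IMAGE: khs1994/nginx
        name: Build docker image
-------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | .env 3 | *.gz 4 | nginx 5 | nginx-* 6 | openssl 7 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Nginx With HTTP3 2 | 3 | [![GitHub stars](https://img.shields.io/github/stars/khs1994-docker/nginx.svg?style=social&label=Stars)](https://github.com/khs1994-docker/nginx) [![GitHub release](https://img.shields.io/github/release/khs1994-docker/nginx.svg)](https://github.com/khs1994-docker/nginx/releases) [![Docker Stars](https://img.shields.io/docker/stars/khs1994/nginx.svg)](https://hub.docker.com/r/khs1994/nginx/) [![Docker Pulls](https://img.shields.io/docker/pulls/khs1994/nginx.svg)](https://hub.docker.com/r/khs1994/nginx/) 4 | 5 | * https://blog.khs1994.com/linux/ssl/https/README.html 6 | 7 | * https://github.com/khs1994-docker/lnmp/issues/137 8 | * https://github.com/khs1994-docker/lnmp/issues/895 9 | 10 | ## 注意 11 | 12 | * 只有一个 `server {}` 能启用 HTTP3,多个 `server {}` 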
启用 HTTP3 会提示冲突。 13 | 14 | ## 测试浏览器是否支持 HTTP3 15 | 16 | * https://quic.tech:8443 17 | 18 | **chrome 85+** 19 | 20 | ```bash 21 | --enable-quic --quic-version=h3-29 --origin-to-force-quic-on=example.com:443 22 | ``` 23 | 24 | **firefox 80+** 25 | 26 | `about:config` -> `network.http.http3.enabled = true` 27 | 28 | ## 草案 29 | 30 | * https://datatracker.ietf.org/doc/draft-ietf-quic-transport/history/ 31 | 32 | ## `Docker Compose` 33 | 34 | ```yaml 35 | version: "3" 36 | 37 | services: 38 | nginx: 39 | image: "khs1994/nginx:1.27.0-alpine" 40 | ports: 41 | - "80:80" 42 | - "443:443/tcp" 43 | - "443:443/udp" 44 | environment: 45 | - TZ=Asia/Shanghai 46 | volumes: 47 | - ./conf.d:/etc/nginx/conf.d:ro 48 | ``` 49 | Note: `conf.d/ssl` in this repository contains a certificate and its private key, both published with the repository; mount your own certificate and key for anything beyond local testing. 50 | ## `$ docker run` 51 | 52 | ```bash 53 | $ docker run -dit \ 54 | -e TZ=Asia/Shanghai \ 55 | -p 80:80/tcp \ 56 | -p 443:443/tcp \ 57 | -p 443:443/udp \ 58 | -v $PWD/app:/app \ 59 | -v $PWD/conf.d:/etc/nginx/conf.d \ 60 | khs1994/nginx:1.27.0-alpine 61 | ``` 62 | 63 | # Who uses it? 64 | 65 | [khs1994-docker/lnmp](https://github.com/khs1994-docker/lnmp) uses this Docker image. 
66 | 67 | # Compare 68 | 69 | ```bash 70 | $ docker compose up alpine | buster | official 71 | 72 | $ h2load -n 100 -c 10 https://quic.t.khs1994.com 73 | ``` 74 | 75 | ## alpine 76 | 77 | ```bash 78 | finished in 772.28ms, 129.49 req/s, 22.08KB/s 79 | requests: 100 total, 100 started, 100 done, 100 succeeded, 0 failed, 0 errored, 0 timeout 80 | status codes: 100 2xx, 0 3xx, 0 4xx, 0 5xx 81 | traffic: 17.05KB (17463) total, 1.63KB (1673) headers (space savings 90.49%), 13.18KB (13500) data 82 | min max mean sd +/- sd 83 | time for request: 5.84ms 89.32ms 48.74ms 18.40ms 75.00% 84 | time for connect: 53.88ms 399.50ms 201.96ms 122.59ms 70.00% 85 | time to 1st byte: 92.99ms 460.74ms 233.89ms 120.97ms 70.00% 86 | req/s : 12.99 17.08 14.62 1.41 70.00% 87 | ``` 88 | 89 | ## buster 90 | 91 | ```bash 92 | finished in 954.81ms, 104.73 req/s, 17.93KB/s 93 | requests: 100 total, 100 started, 100 done, 100 succeeded, 0 failed, 0 errored, 0 timeout 94 | status codes: 100 2xx, 0 3xx, 0 4xx, 0 5xx 95 | traffic: 17.12KB (17532) total, 1.70KB (1742) headers (space savings 90.10%), 13.18KB (13500) data 96 | min max mean sd +/- sd 97 | time for request: 10.71ms 103.80ms 71.21ms 17.92ms 74.00% 98 | time for connect: 118.40ms 307.03ms 178.26ms 61.53ms 80.00% 99 | time to 1st byte: 163.51ms 396.44ms 232.83ms 73.78ms 80.00% 100 | req/s : 10.59 12.09 11.35 0.57 60.00% 101 | ``` 102 | 103 | ## official 104 | 105 | ```bash 106 | finished in 701.79ms, 142.49 req/s, 36.88KB/s 107 | requests: 100 total, 100 started, 100 done, 100 succeeded, 0 failed, 0 errored, 0 timeout 108 | status codes: 100 2xx, 0 3xx, 0 4xx, 0 5xx 109 | traffic: 25.88KB (26500) total, 10.56KB (10710) headers (space savings 39.15%), 13.18KB (13500) data 110 | min max mean sd +/- sd 111 | time for request: 9.32ms 62.95ms 49.54ms 9.66ms 83.00% 112 | time for connect: 82.70ms 285.17ms 150.81ms 70.20ms 80.00% 113 | time to 1st byte: 123.90ms 318.23ms 194.80ms 70.23ms 70.00% 114 | req/s : 14.26 16.78 15.52 0.96 50.00% 115 | ``` 
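116 | 117 | # More Information 118 | 119 | * [khs1994-docker/lnmp](https://github.com/khs1994-docker/lnmp) 120 | * [Official NGINX Dockerfiles](https://github.com/nginxinc/docker-nginx) 121 | * https://github.com/hakasenyang/openssl-patch 122 | * https://www.nginx.com/blog/introducing-technology-preview-nginx-support-for-quic-http-3/ 123 | * https://quic.nginx.org/README 124 | * https://hg.nginx.org/nginx-quic 125 | * https://asnokaze.hatenablog.com/entry/2020/06/11/133357 126 | * https://www.grottedubarbu.fr/nginx-quic-http3/ 127 | * https://jiyiren.github.io/2020/06/17/quic-explain-build/ 128 | -------------------------------------------------------------------------------- /alpine/Dockerfile: --------------------------------------------------------------------------------
# syntax=docker/dockerfile:labs

# Stage 1: build BoringSSL from source. Stage 2 bind-mounts /usr/src/boringssl
# from this stage and builds nginx against its headers and libraries.
#
# NOTE(review): alpine:3.16 is a mutable tag on an old release line; confirm it
# still receives security updates and consider pinning the base image by digest.
FROM alpine:3.16 AS boringssl-builder

# Mirror host substituted into /etc/apk/repositories.
ARG ALPINE_URL=dl-cdn.alpinelinux.org

# NOTE(review): OPENSSL_BRANCH is declared but not used in this stage; the
# clone below always takes `master`.
ARG OPENSSL_BRANCH=OpenSSL_1_1_1a

ARG OPENSSL_URL=https://github.com/google/boringssl

RUN set -x \
	&& sed -i "s/dl-cdn.alpinelinux.org/${ALPINE_URL}/g" /etc/apk/repositories \
	&& apk add --no-cache --virtual .build-deps \
		git \
		cmake \
		samurai \
		libstdc++ \
		build-base \
		go \
		perl-dev \
		linux-headers \
		libunwind-dev \
	# && curl -fSL https://github.com/google/boringssl/archive/master.tar.gz -o boringssl.tar.gz \
	# NOTE(review): this takes whatever `master` points at when the image is
	# built, so the TLS library differs between builds and nothing is verified;
	# check out a reviewed commit (<COMMIT_SHA>) to make the build reproducible.
	&& git clone --depth=1 -b master "${OPENSSL_URL}" /usr/src/boringssl \
	&& cd /usr/src/boringssl \
	&& mkdir build \
	&& cd build \
	&& cmake -GNinja .. \
	&& ninja \
	&& ls -la \
	&& ls -la ../include \
	&& apk del --no-network .build-deps

# Stage 2: build and install nginx (debug and release binaries), then trim the
# image down to its runtime dependencies.
FROM alpine:3.16

LABEL maintainer="khs1994.com nginx With HTTP3"

# NOTE(review): NGINX_VERSION is only referenced by the commented-out signature
# download below; the source that is built is the nginx-quic `quic` archive,
# whatever this value says.
ARG NGINX_VERSION=1.27.0

ARG ALPINE_URL=dl-cdn.alpinelinux.org

# Optional SHA-256 of the downloaded nginx-quic archive. Empty (the default)
# skips the check, which keeps the previous behaviour; when set, the build
# fails if the archive does not match.
ARG NGINX_QUIC_SHA256=

RUN --mount=type=bind,from=boringssl-builder,source=/usr/src/boringssl,target=/usr/src/boringssl \
	set -x \
	&& sed -i "s/dl-cdn.alpinelinux.org/${ALPINE_URL}/g" /etc/apk/repositories \
	# Key id for the signature check that is commented out further down; it is
	# not used while that block stays disabled.
	&& GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \
	&& CONFIG="\
		--prefix=/etc/nginx \
		--sbin-path=/usr/sbin/nginx \
		--modules-path=/usr/lib/nginx/modules \
		--conf-path=/etc/nginx/nginx.conf \
		--error-log-path=/var/log/nginx/error.log \
		--http-log-path=/var/log/nginx/access.log \
		--pid-path=/var/run/nginx.pid \
		--lock-path=/var/run/nginx.lock \
		--http-client-body-temp-path=/var/cache/nginx/client_temp \
		--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
		--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
		--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
		--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
		--user=nginx \
		--group=nginx \
		--with-http_ssl_module \
		--with-http_realip_module \
		--with-http_addition_module \
		--with-http_sub_module \
		--with-http_dav_module \
		--with-http_flv_module \
		--with-http_mp4_module \
		--with-http_gunzip_module \
		--with-http_gzip_static_module \
		--with-http_random_index_module \
		--with-http_secure_link_module \
		--with-http_stub_status_module \
		--with-http_auth_request_module \
		--with-http_xslt_module=dynamic \
		--with-http_image_filter_module=dynamic \
		--with-http_geoip_module=dynamic \
		--with-threads \
		--with-stream \
		--with-stream_ssl_module \
		--with-stream_ssl_preread_module \
		--with-stream_realip_module \
		--with-stream_geoip_module=dynamic \
		--with-http_slice_module \
		--with-mail \
		--with-mail_ssl_module \
		--with-compat \
		--with-file-aio \
		--with-http_v2_module \
		--with-http_v3_module \
		--with-http_quic_module \
		--with-stream_quic_module \
	" \
	&& addgroup -S nginx \
	&& adduser -D -S -h /var/cache/nginx -s /sbin/nologin -G nginx nginx \
	&& apk add --no-cache --virtual .build-deps \
		gcc \
		libc-dev \
		make \
		# openssl-dev \
		pcre-dev \
		zlib-dev \
		linux-headers \
		curl \
		gnupg1 \
		libxslt-dev \
		gd-dev \
		geoip-dev \
		perl-dev \
	# NOTE(review): `quic.tar.gz` is an archive of a moving ref and the GPG
	# check below is disabled, so by default the source is built unverified.
	# A digest set through NGINX_QUIC_SHA256 will stop matching once the ref
	# moves; that failure is the signal to re-review the source.
	&& curl -fSL https://hg.nginx.org/nginx-quic/archive/quic.tar.gz -o nginx.tar.gz \
	&& if [ -n "${NGINX_QUIC_SHA256}" ]; then \
		echo "${NGINX_QUIC_SHA256}  nginx.tar.gz" | sha256sum -c - ; \
	fi \
	# && curl -fSL https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz.asc -o nginx.tar.gz.asc \
	# && export GNUPGHOME="$(mktemp -d)" \
	# && found=''; \
	# for server in \
	# ha.pool.sks-keyservers.net \
	# hkp://keyserver.ubuntu.com:80 \
	# hkp://p80.pool.sks-keyservers.net:80 \
	# pgp.mit.edu \
	# ; do \
	# echo "Fetching GPG key $GPG_KEYS from $server"; \
	# gpg --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$GPG_KEYS" && found=yes && break; \
	# done; \
	# test -z "$found" && echo >&2 "error: failed to fetch GPG key $GPG_KEYS" && exit 1; \
	# gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz \
	# && rm -rf "$GNUPGHOME" nginx.tar.gz.asc \
	&& mkdir -p /usr/src \
	&& tar -zxC /usr/src -f nginx.tar.gz \
	# && tar -zxC /usr/src -f boringssl.tar.gz \
	&& rm -rf nginx.tar.gz boringssl.tar.gz \
	&& cd /usr/src/nginx-quic-quic \
	# First pass: debug build. Its binary and dynamic modules are renamed with
	# a -debug suffix so the release build below does not overwrite them.
	&& ./auto/configure $CONFIG --with-debug \
		--with-cc-opt="-I../boringssl/include" \
		--with-ld-opt="-L../boringssl/build/ssl -L../boringssl/build/crypto" \
	&& make -j$(getconf _NPROCESSORS_ONLN) \
	&& mv objs/nginx objs/nginx-debug \
	&& mv objs/ngx_http_xslt_filter_module.so objs/ngx_http_xslt_filter_module-debug.so \
	&& mv objs/ngx_http_image_filter_module.so objs/ngx_http_image_filter_module-debug.so \
	&& mv objs/ngx_http_geoip_module.so objs/ngx_http_geoip_module-debug.so \
	&& mv objs/ngx_stream_geoip_module.so objs/ngx_stream_geoip_module-debug.so \
	# Second pass: release build, installed with `make install`.
	&& ./auto/configure $CONFIG \
		--with-cc-opt="-I../boringssl/include" \
		--with-ld-opt="-L../boringssl/build/ssl -L../boringssl/build/crypto" \
	&& make -j$(getconf _NPROCESSORS_ONLN) \
	&& make install \
	&& rm -rf /etc/nginx/html/index.html \
	&& mkdir /etc/nginx/conf.d/ \
	# && mkdir -p /usr/share/nginx/html/ \
	&& install -m755 objs/nginx-debug /usr/sbin/nginx-debug \
	&& install -m755 objs/ngx_http_xslt_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_xslt_filter_module-debug.so \
	&& install -m755 objs/ngx_http_image_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_image_filter_module-debug.so \
	&& install -m755 objs/ngx_http_geoip_module-debug.so /usr/lib/nginx/modules/ngx_http_geoip_module-debug.so \
	&& install -m755 objs/ngx_stream_geoip_module-debug.so /usr/lib/nginx/modules/ngx_stream_geoip_module-debug.so \
	&& ln -s /usr/lib/nginx/modules /etc/nginx/modules \
	&& strip /usr/sbin/nginx* \
	&& strip /usr/lib/nginx/modules/*.so \
	&& rm -rf /usr/src/nginx-quic-quic \
	# Bring in gettext so we can get `envsubst`, then throw
	# the rest away. To do this, we need to install `gettext`
	# then move `envsubst` out of the way so `gettext` can
	# be deleted completely, then move `envsubst` back.
	&& apk add --no-cache --virtual .gettext gettext \
	&& mv /usr/bin/envsubst /tmp/ \
	\
	# Collect the shared libraries the installed binaries need and install
	# them as a virtual package before the build dependencies are removed.
	&& runDeps="$( \
		scanelf --needed --nobanner --format '%n#p' /usr/sbin/nginx /usr/lib/nginx/modules/*.so /tmp/envsubst \
			| tr ',' '\n' \
			| sort -u \
			| awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
	)" \
	&& apk add --no-cache --virtual .nginx-rundeps $runDeps \
	&& apk del --no-network .build-deps \
	&& apk del --no-network .gettext \
	&& mv /tmp/envsubst /usr/local/bin/ \
	\
	# Bring in tzdata so users could set the timezones through the environment
	# variables
	&& apk add --no-cache tzdata \
	# Bring in curl and ca-certificates to make registering on DNS SD easier
	&& apk add --no-cache curl ca-certificates \
	\
	# forward request and error logs to docker log collector
	&& ln -sf /dev/stdout /var/log/nginx/access.log \
	&& ln -sf /dev/stderr /var/log/nginx/error.log

COPY nginx.conf /etc/nginx/nginx.conf
COPY nginx.vh.default.conf /etc/nginx/conf.d/default.conf
COPY index.html /etc/nginx/html/

# 443/udp is the QUIC listener.
EXPOSE 80/tcp 443/tcp 443/udp

STOPSIGNAL SIGTERM

CMD ["nginx", "-g", "daemon off;"]
-------------------------------------------------------------------------------- /alpine/docker-compose.test.yml: -------------------------------------------------------------------------------- 1 | sut: 2 | build: . 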
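3 | command: nginx -v 4 | -------------------------------------------------------------------------------- /alpine/hooks/build: --------------------------------------------------------------------------------
#!/bin/bash
# Build hook: registers binfmt emulators, creates a buildx builder, then builds
# and pushes the image in a single buildx step.
# DOCKERFILE_PATH and IMAGE_NAME are expected from the environment that invokes
# this hook.

set -x

export DOCKER_CLI_EXPERIMENTAL=enabled

# NOTE(review): this runs a --privileged container from the mutable `:latest`
# tag on the build host; pin the image by digest (<IMAGE_DIGEST>) so the code
# that receives host-level privileges cannot change between builds.
docker run --rm --privileged tonistiigi/binfmt:latest --install all

docker buildx version

docker buildx create --use --name=mybuilder --driver docker-container

docker buildx ls

#PLATFORM="linux/amd64,linux/arm64"
PLATFORM="linux/amd64"

set +x

# Quoted so that a path or image name containing spaces or glob characters is
# passed as one argument.
docker buildx build --push -f "$DOCKERFILE_PATH" -t "$IMAGE_NAME" --platform "$PLATFORM" .
-------------------------------------------------------------------------------- /alpine/hooks/push: --------------------------------------------------------------------------------
#!/bin/bash
# Push hook: nothing to do, the build hook already pushed with `buildx --push`.

echo "already push by buildx"
-------------------------------------------------------------------------------- /alpine/hooks/test: --------------------------------------------------------------------------------
#!/bin/bash
# Test hook: starts the built image and prints the nginx version and its
# configure arguments (`nginx -V`).

set -x

docker run -i --rm "$IMAGE_NAME" nginx -V
-------------------------------------------------------------------------------- /alpine/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Welcome to nginx! 5 | 12 | 13 | 14 |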

Welcome to nginx with HTTP3/QUIC!

15 |

If you see this page, the nginx web server is successfully installed and 16 | working. Further configuration is required.

17 | 18 |

For online documentation and support please refer to 19 | nginx.org.
20 | Commercial support is available at 21 | nginx.com.

22 | 23 |

Thank you for using nginx.

24 | 25 | 26 | -------------------------------------------------------------------------------- /alpine/nginx.conf: -------------------------------------------------------------------------------- 1 | 2 | user nginx; 3 | worker_processes 1; 4 | 5 | error_log /var/log/nginx/error.log warn; 6 | pid /var/run/nginx.pid; 7 | 8 | 9 | events { 10 | worker_connections 1024; 11 | } 12 | 13 | 14 | http { 15 | include /etc/nginx/mime.types; 16 | default_type application/octet-stream; 17 | 18 | log_format quic '$remote_addr - $remote_user [$time_local] ' 19 | '"$request" $status $body_bytes_sent ' 20 | '"$http_referer" "$http_user_agent" "quic-$quic" "http3-$http3"'; 21 | 22 | access_log /var/log/nginx/access.log quic; 23 | 24 | sendfile on; 25 | #tcp_nopush on; 26 | 27 | keepalive_timeout 65; 28 | 29 | #gzip on; 30 | 31 | include /etc/nginx/conf.d/*.conf; 32 | } 33 | -------------------------------------------------------------------------------- /alpine/nginx.vh.default.conf: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80; 3 | server_name localhost; 4 | 5 | #charset koi8-r; 6 | #access_log /var/log/nginx/host.access.log main; 7 | 8 | location / { 9 | root /etc/nginx/html; 10 | index index.html index.htm; 11 | } 12 | 13 | #error_page 404 /404.html; 14 | 15 | # redirect server error pages to the static page /50x.html 16 | # 17 | error_page 500 502 503 504 /50x.html; 18 | location = /50x.html { 19 | root /etc/nginx/html; 20 | } 21 | 22 | # proxy the PHP scripts to Apache listening on 127.0.0.1:80 23 | # 24 | #location ~ \.php$ { 25 | # proxy_pass http://127.0.0.1; 26 | #} 27 | 28 | # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 29 | # 30 | #location ~ \.php$ { 31 | # root html; 32 | # fastcgi_pass 127.0.0.1:9000; 33 | # fastcgi_index index.php; 34 | # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; 35 | # include fastcgi_params; 36 | #} 37 | 38 | # deny access to .htaccess files, if 
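Apache's document root 39 | # concurs with nginx's one 40 | # 41 | #location ~ /\.ht { 42 | # deny all; 43 | #} 44 | } 45 | -------------------------------------------------------------------------------- /buster/Dockerfile: --------------------------------------------------------------------------------
# Stage 0: build nginx $NGINX_VERSION (debug and release binaries) against a
# patched TLS source tree checked out to /srv/openssl. The second stage copies
# only the installed files into a clean debian:buster-slim image.
#
# NOTE(review): debian:buster-slim is a mutable tag on an old release line;
# confirm it still receives security updates and consider pinning by digest.
FROM debian:buster-slim

ARG NGINX_VERSION=1.27.0

# Mirror hosts substituted into /etc/apt/sources.list.
ARG DEB_URL=deb.debian.org

ARG DEB_SECURITY_URL=security.debian.org/debian-security

# NOTE(review): the default URL is the BoringSSL repository, while the branch
# name and the cipher patch applied below are OpenSSL 1.1.1a ones — confirm
# which source tree is intended and override OPENSSL_URL accordingly.
ARG OPENSSL_URL=https://github.com/google/boringssl

ARG OPENSSL_BRANCH=OpenSSL_1_1_1a

# Optional SHA-256 of the nginx release tarball. Empty (the default) skips the
# check, which keeps the previous behaviour; when set, the build fails if the
# download does not match.
ARG NGINX_SHA256=

RUN set -x ; sed -i "s!deb.debian.org!${DEB_URL}!g" /etc/apt/sources.list \
	&& sed -i "s!security.debian.org/debian-security!${DEB_SECURITY_URL}!g" /etc/apt/sources.list \
	# apt-get rather than apt: the apt front end is meant for interactive use.
	&& apt-get update \
	# NOTE(review): confirm libperl5.24 is available in buster; libperl-dev
	# normally pulls in the matching runtime package by itself.
	&& apt-get install --no-install-recommends --no-install-suggests -y \
		patch \
		curl \
		git \
		ca-certificates \
		gcc \
		make \
		libpcre3 \
		libpcre3-dev \
		zlib1g \
		zlib1g-dev \
		libxslt1.1 \
		libxslt1-dev \
		libgd3 \
		libgd-dev \
		libgeoip1 \
		libgeoip-dev \
		libperl5.24 \
		libperl-dev \
		# gawk \
	&& curl -fSL "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz" -o nginx.tar.gz \
	&& if [ -n "${NGINX_SHA256}" ]; then \
		echo "${NGINX_SHA256}  nginx.tar.gz" | sha256sum -c - ; \
	fi \
	&& git clone -b "$OPENSSL_BRANCH" --depth=1 "$OPENSSL_URL" /srv/openssl \
	&& cd /srv/openssl \
	# NOTE(review): both patches in this file are fetched from the `master`
	# branch of a third-party repository at build time and applied to the TLS
	# library and to nginx without any integrity check. Vendor them into this
	# repository, or pin the URL to a reviewed commit (<COMMIT_SHA>) and verify
	# a digest before `patch` runs.
	&& curl -fsSLO https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/openssl-equal-1.1.1a_ciphers.patch \
	&& patch -p1 < openssl-equal-1.1.1a_ciphers.patch \
	&& cd / \
	# Assigned but not used anywhere in this file: no signature check is run.
	&& GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \
	&& CONFIG="\
		--with-openssl=/srv/openssl \
		--with-openssl-opt='enable-tls1_3' \
		--prefix=/etc/nginx \
		--sbin-path=/usr/sbin/nginx \
		--modules-path=/usr/lib/nginx/modules \
		--conf-path=/etc/nginx/nginx.conf \
		--error-log-path=/var/log/nginx/error.log \
		--http-log-path=/var/log/nginx/access.log \
		--pid-path=/var/run/nginx.pid \
		--lock-path=/var/run/nginx.lock \
		--http-client-body-temp-path=/var/cache/nginx/client_temp \
		--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
		--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
		--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
		--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
		--user=nginx \
		--group=nginx \
		--with-http_ssl_module \
		--with-http_realip_module \
		--with-http_addition_module \
		--with-http_sub_module \
		--with-http_dav_module \
		--with-http_flv_module \
		--with-http_mp4_module \
		--with-http_gunzip_module \
		--with-http_gzip_static_module \
		--with-http_random_index_module \
		--with-http_secure_link_module \
		--with-http_stub_status_module \
		--with-http_auth_request_module \
		--with-http_xslt_module=dynamic \
		--with-http_image_filter_module=dynamic \
		--with-http_geoip_module=dynamic \
		--with-threads \
		--with-stream \
		--with-stream_ssl_module \
		--with-stream_ssl_preread_module \
		--with-stream_realip_module \
		--with-stream_geoip_module=dynamic \
		--with-http_slice_module \
		--with-mail \
		--with-mail_ssl_module \
		--with-compat \
		--with-file-aio \
		--with-http_v2_module \
		--with-http_v2_hpack_enc \
	" \
	&& mkdir -p /usr/src \
	&& tar -zxC /usr/src -f nginx.tar.gz \
	&& cd "/usr/src/nginx-$NGINX_VERSION" \
	&& curl -fsSLO https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_hpack_push_1.15.3.patch \
	&& patch -p1 < nginx_hpack_push_1.15.3.patch \
	# First pass: debug build. Its binary and dynamic modules are renamed with
	# a -debug suffix so the release build below does not overwrite them.
	&& ./configure $CONFIG --with-debug \
	&& make \
	&& mv objs/nginx objs/nginx-debug \
	&& mv objs/ngx_http_xslt_filter_module.so objs/ngx_http_xslt_filter_module-debug.so \
	&& mv objs/ngx_http_image_filter_module.so objs/ngx_http_image_filter_module-debug.so \
	&& mv objs/ngx_http_geoip_module.so objs/ngx_http_geoip_module-debug.so \
	&& mv objs/ngx_stream_geoip_module.so objs/ngx_stream_geoip_module-debug.so \
	# Second pass: release build, installed with `make install`.
	&& ./configure $CONFIG \
	&& make \
	&& make install \
	&& mkdir /etc/nginx/conf.d/ \
	&& rm -rf /etc/nginx/html/index.html \
	# && mkdir -p /usr/share/nginx/html/ \
	# && install -m644 html/index.html /usr/share/nginx/html/ \
	# && install -m644 html/50x.html /usr/share/nginx/html/ \
	&& install -m755 objs/nginx-debug /usr/sbin/nginx-debug \
	&& install -m755 objs/ngx_http_xslt_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_xslt_filter_module-debug.so \
	&& install -m755 objs/ngx_http_image_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_image_filter_module-debug.so \
	&& install -m755 objs/ngx_http_geoip_module-debug.so /usr/lib/nginx/modules/ngx_http_geoip_module-debug.so \
	&& install -m755 objs/ngx_stream_geoip_module-debug.so /usr/lib/nginx/modules/ngx_stream_geoip_module-debug.so \
	&& ln -s ../../usr/lib/nginx/modules /etc/nginx/modules \
	&& strip /usr/sbin/nginx* \
	&& strip /usr/lib/nginx/modules/*.so

COPY nginx.conf /etc/nginx/nginx.conf
COPY nginx.vh.default.conf /etc/nginx/conf.d/default.conf

# Runtime stage: only the installed configuration, modules and binaries are
# copied over; the compiler and the source trees stay in stage 0.
FROM debian:buster-slim

LABEL maintainer="khs1994.com nginx With HTTP3"

COPY --from=0 /etc/nginx /etc/nginx
COPY --from=0 /usr/lib/nginx /usr/lib/nginx
COPY --from=0 /usr/sbin/nginx* /usr/sbin/
COPY index.html /etc/nginx/html/

# Create the nginx system account and the log and cache directories, and send
# the access and error logs to the container's stdout and stderr.
RUN groupadd -r nginx \
	&& useradd -r -g nginx -s /bin/false -M nginx \
	&& mkdir -p /var/log/nginx \
	&& ln -sf /dev/stdout /var/log/nginx/access.log \
	&& ln -sf /dev/stderr /var/log/nginx/error.log \
	&& mkdir -p /var/cache/nginx

EXPOSE 80 443/tcp 443/udp

STOPSIGNAL SIGTERM

CMD ["nginx", "-g", "daemon off;"]
-------------------------------------------------------------------------------- /buster/docker-compose.test.yml: 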
-------------------------------------------------------------------------------- 1 | sut: 2 | build: . 3 | command: nginx -v 4 | -------------------------------------------------------------------------------- /buster/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Welcome to nginx! 5 | 12 | 13 | 14 |

Welcome to nginx with HTTP3/QUIC!

15 |

If you see this page, the nginx web server is successfully installed and 16 | working. Further configuration is required.

17 | 18 |

For online documentation and support please refer to 19 | nginx.org.
20 | Commercial support is available at 21 | nginx.com.

22 | 23 |

Thank you for using nginx.

24 | 25 | 26 | -------------------------------------------------------------------------------- /buster/nginx.conf: -------------------------------------------------------------------------------- 1 | 2 | user nginx; 3 | worker_processes 1; 4 | 5 | error_log /var/log/nginx/error.log warn; 6 | pid /var/run/nginx.pid; 7 | 8 | 9 | events { 10 | worker_connections 1024; 11 | } 12 | 13 | 14 | http { 15 | include /etc/nginx/mime.types; 16 | default_type application/octet-stream; 17 | 18 | log_format main '$remote_addr - $remote_user [$time_local] "$request" ' 19 | '$status $body_bytes_sent "$http_referer" ' 20 | '"$http_user_agent" "$http_x_forwarded_for" "$quic" "$http3"'; 21 | 22 | access_log /var/log/nginx/access.log main; 23 | 24 | sendfile on; 25 | #tcp_nopush on; 26 | 27 | keepalive_timeout 65; 28 | 29 | #gzip on; 30 | 31 | include /etc/nginx/conf.d/*.conf; 32 | } 33 | -------------------------------------------------------------------------------- /buster/nginx.vh.default.conf: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80; 3 | server_name localhost; 4 | 5 | #charset koi8-r; 6 | #access_log /var/log/nginx/host.access.log main; 7 | 8 | location / { 9 | root /etc/nginx/html; 10 | index index.html index.htm; 11 | } 12 | 13 | #error_page 404 /404.html; 14 | 15 | # redirect server error pages to the static page /50x.html 16 | # 17 | error_page 500 502 503 504 /50x.html; 18 | location = /50x.html { 19 | root /etc/nginx/html; 20 | } 21 | 22 | # proxy the PHP scripts to Apache listening on 127.0.0.1:80 23 | # 24 | #location ~ \.php$ { 25 | # proxy_pass http://127.0.0.1; 26 | #} 27 | 28 | # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 29 | # 30 | #location ~ \.php$ { 31 | # root html; 32 | # fastcgi_pass 127.0.0.1:9000; 33 | # fastcgi_index index.php; 34 | # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; 35 | # include fastcgi_params; 36 | #} 37 | 38 | # deny access to 
.htaccess files, if Apache's document root 39 | # concurs with nginx's one 40 | # 41 | #location ~ /\.ht { 42 | # deny all; 43 | #} 44 | } 45 | -------------------------------------------------------------------------------- /conf.d/http3-quic.conf: --------------------------------------------------------------------------------
# Example virtual hosts: a plain-HTTP server that redirects to HTTPS, and two
# TLS 1.3 servers. Only the first TLS server has the HTTP/3 (QUIC) listener.

# Redirects every request on port 80 to the same host and URI over HTTPS.
# NOTE(review): $host comes from the request, so the redirect target follows
# the Host header the client sent. If this is the default server for port 80
# (depends on what else is loaded from conf.d — confirm), it also answers for
# names other than server_name; redirecting to a fixed name avoids that.
server {
  listen 80;
  server_name www.t.khs1994.com;
  return 301 https://$host$request_uri;
}

server{
  listen 443 ssl;
  listen 443 http3 reuseport; # UDP listener for QUIC+HTTP/3
  server_name quic.t.khs1994.com;
  quic_retry on;
  root /etc/nginx/html;
  index index.html index.htm index.php;

  # NOTE(review): this certificate and private key are checked into the
  # repository under conf.d/ssl/, so the key is public. Treat them as local
  # test material only and mount a key from outside the repository for any
  # server that is reachable by others.
  ssl_certificate conf.d/ssl/t.khs1994.com.crt;
  ssl_certificate_key conf.d/ssl/t.khs1994.com.key;

  ssl_session_cache shared:SSL:1m;
  ssl_session_timeout 5m;
  # Only TLS 1.3 is offered; both ssl_ciphers lists below are commented out.
  ssl_protocols TLSv1.3;
  # ssl_ciphers 'TLS13+AESGCM+AES128:TLS13+AESGCM+AES256:TLS13+CHACHA20:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  # ssl_ciphers '[TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES';
  ssl_prefer_server_ciphers on;
  # NOTE(review): no resolver or ssl_trusted_certificate is set in this file,
  # and the certificate presumably chains to the repository's own root CA —
  # confirm that stapling actually takes effect with this build and
  # certificate rather than being silently skipped.
  ssl_stapling on;
  ssl_stapling_verify on;

  # ssl_ecdh_curve X25519:P-256:P-384;

  # Advertises HTTP/3 on UDP 443 (h3 plus the h3-29 and h3-28 drafts) for
  # 86400 seconds.
  # add_header Alt-Svc 'h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400';
  add_header Alt-Svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400';
  add_header QUIC-Status $quic; # Sent when QUIC was used

  # location / {
  #   try_files $uri $uri/ /index.php?$query_string;
  # }
  #
  # location ~ .*\.php(\/.*)*$ {
  #   fastcgi_pass php7:9000;
  #   include fastcgi.conf;
  # }
}

# Second TLS server: same certificate and TLS settings as above, but without
# the HTTP/3 listener. It still sends the Alt-Svc header.
server{
  # listen 443 ssl;
  listen 443 ssl;
  # http3 can only be configured in one server block
  # listen 443 http3 reuseport; # UDP listener for QUIC+HTTP/3
  server_name quic2.t.khs1994.com;
  root /etc/nginx/html;
  index index.html index.htm index.php;

  # Same repository-committed key pair as the first TLS server; the same
  # caution applies: the key is public.
  ssl_certificate conf.d/ssl/t.khs1994.com.crt;
  ssl_certificate_key conf.d/ssl/t.khs1994.com.key;

  ssl_session_cache shared:SSL:1m;
  ssl_session_timeout 5m;
  ssl_protocols TLSv1.3;
  # ssl_ciphers 'TLS13+AESGCM+AES128:TLS13+AESGCM+AES256:TLS13+CHACHA20:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  # ssl_ciphers '[TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES';
  ssl_prefer_server_ciphers on;
  ssl_stapling on;
  ssl_stapling_verify on;

  # ssl_ecdh_curve X25519:P-256:P-384;

  # add_header Alt-Svc 'h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400';
  add_header Alt-Svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400';
  add_header QUIC-Status $quic; # Sent when QUIC was used

  # location / {
  #   try_files $uri $uri/ /index.php?$query_string;
  # }
  #
  # location ~ .*\.php(\/.*)*$ {
  #   fastcgi_pass php7:9000;
  #   include fastcgi.conf;
  # }
}
-------------------------------------------------------------------------------- /conf.d/ssl/root-ca.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFzjCCA7agAwIBAgIJAOigyalJy9fjMA0GCSqGSIb3DQEBCwUAMIGCMQswCQYD 3 | VQQGEwJDTjEPMA0GA1UECAwGU2hhbnhpMQ8wDQYDVQQHDAZEYXRvbmcxGTAXBgNV 4 | BAoMEEFBQUEta2hzMTk5NC5jb20xHDAaBgNVBAMME2toczE5OTQuY29tIFJPT1Qg 5 | Q0ExGDAWBgNVBAsMD3d3dy5raHMxOTk0LmNvbTAeFw0xODAxMDkxNDM4MDRaFw0y 6 | ODAxMDcxNDM4MDRaMIGCMQswCQYDVQQGEwJDTjEPMA0GA1UECAwGU2hhbnhpMQ8w 7 | DQYDVQQHDAZEYXRvbmcxGTAXBgNVBAoMEEFBQUEta2hzMTk5NC5jb20xHDAaBgNV 8 | BAMME2toczE5OTQuY29tIFJPT1QgQ0ExGDAWBgNVBAsMD3d3dy5raHMxOTk0LmNv 9 | bTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKCEDPzhFlICTFxopOB8 10 | Z1pfaXlSSlIGcupXP0rh+JBgbck0rr3Q6YELpRj6ZFBtAEHgblFvb8MnfudnlD1a 11 | UtSkRED4Dpb+zvh4o1bIq1TJzC6X/Gh6ei7bMziOSYpm6jQHjRlTVMAWjWoslxL7 12 | CPCVO7YrP5HBFckaKSTxjD0Gr8ea8Kkc7wxAN9HC5PIUYyhoq7YUnlE/j8Gbx6Hg 13 | ArzKsb0E4XACHtulUaBLnB45BkCKRfBYP1h6k8OYDZekM1CY7QeRTtfV3fXPepdc 14 | wlRVyo5Z/Y4SQhgmB/NMn28HTGc9pslez9H5jZf01shoxXX4fx9X2ZbkLb+lVEP0 15 | tIexepJ/T3T3o+Do6s4eabaHIE23nh34anbNbIO48a6LhbMm9z1E9wXqY/iF1W0e 16 | 7I1eYxDz/u8O9lb2ikUPMm8Imqga8D6PyLVJmIQJEoCmdHYUd4BY2DNlPnaHRP9J 17 | Qrm35rIrWZLTJudCJfSPume9Ayi1X8hZx8d/O9+MhiWlkH8Zs1retWuCGfUNMaIq 18 | dngBLa8t7Ia+4uvG2nGyptTwyBkLeT/+Kkjp8BE1cMUUsHBKBjEHgTf+kndekuE1 19 | E0wYZZ5k3dBYX2m4udEtoDduNhSE4aOrqwgmkPGXa9YXOSRqomngwE+H6DehXudK 20 | SSJ1rGdX0YojWgljF5xAb8KXAgMBAAGjRTBDMBIGA1UdEwEB/wQIMAYBAf8CAQEw 21 | DgYDVR0PAQH/BAQDAgFGMB0GA1UdDgQWBBRD0nWMNNyk66DkzBk1eyB4Ad4vkTAN 22 | BgkqhkiG9w0BAQsFAAOCAgEABapOxCoN9aGeWc96wTvev0xL33S91FqWG/Ee7rkM 23 | Yki0D8sDWAWBsi7JC6apdNCDUhnmgGu+UrpoOjugw0JOoOjByjQOO/bwqbDQJoLP 24 | nHiVgsr1Nea2N8PbObqujfuIjC3sV+ntND3ZXSB+u3mcTHaJOSA5cL/GF6cRC72f 25 | xcpNBsT0i4ZXdtPaPLucJR/rr+kkQJCwfpbMC7xh+zP55mdyfmogDH8Y532NUTbu 26 | khg5oD4g6ZPHVRkOQZuYTrsTGK3F1kom3a/617E4WH273dJ57rUDFqu5FxpcbF0g 27 | 
jacdDq1QJDpYuc34Y+Vz08MPX0LsUBvpvt5RpbT/stmm33+ozXgOOFb6OTwVlMzw 28 | XhmpeQY08WqYXSzwmyGcnEOqEpvr5Gu/L65Otx1hFReUqjNYNz4TpgHTOWtA+H56 29 | MDEgECsFy+SVTAyS/18xSSUDtOAnfPTwD3+bPhGBJ7mTqb9hjGaRvwX8KAeOMMuY 30 | y7YCQjdzXIXPX3S0sV8n4dQP4+U/nhLRnRaGRZJ4pxYOlTPDObQ3APwAEBbhux+l 31 | GujFxLUkqjAjrMV3nCQilcxXgsL2p4C00PQDl8cjpWdENguRyAfPSULjoqrp/kau 32 | 3nLByWdJWE45D/5+NcPkrtKkZb6rqkjAxzaRRssXnZIdwpnNTacB1lsnnTh5Yxb6 33 | 06Q= 34 | -----END CERTIFICATE----- 35 | -------------------------------------------------------------------------------- /conf.d/ssl/t.khs1994.com.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIGPDCCBCSgAwIBAgIJAKRMfSFnpQRfMA0GCSqGSIb3DQEBCwUAMIGCMQswCQYD 3 | VQQGEwJDTjEPMA0GA1UECAwGU2hhbnhpMQ8wDQYDVQQHDAZEYXRvbmcxGTAXBgNV 4 | BAoMEEFBQUEta2hzMTk5NC5jb20xHDAaBgNVBAMME2toczE5OTQuY29tIFJPT1Qg 5 | Q0ExGDAWBgNVBAsMD3d3dy5raHMxOTk0LmNvbTAeFw0yMjA2MTEwMzA3MDFaFw0y 6 | NDA2MzAwMzA3MDFaMGExCzAJBgNVBAYTAkNOMQ8wDQYDVQQIDAZTaGFueGkxDzAN 7 | BgNVBAcMBkRhdG9uZzEaMBgGA1UECgwRWW91ciBDb21wYW55IE5hbWUxFDASBgNV 8 | BAMMC2toczE5OTQuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA 9 | tfWwbsk6B6Z4+Ih5C5SSZLMHM6mqzrhS6UNtJ0bdB2D+ff8NIvOmXmmF0UkJYLKG 10 | EpPrGcH/HIVOfF2hiytNvYKZDtf0ywM1JBWQlXd750dbuTdFL1p/Q7CTObnMQexL 11 | qQ9J3sqzGTqE81YlgsItktQ3EvhNVwHqOCkguQN8wFhN4gPdafOKoHzo3mv7XhcH 12 | KvdYUKWBm9sn7GkoyQMYHlp4mO10pJsuv9psUEsYnsDOBGPedqOH8saPR88Cdiaz 13 | S5fK7/aS42jHWj8j3JSl8NT9GlPWvzqIx4birVm5QrSNOWKN3YTisNekB0J8v910 14 | sD8Fr8WeO7G2oOdHliM3HkY/kKBdlvhmXrChnNZHtIjuJcowhtm2qFXBTzTNhoCG 15 | b37/YclTSw03j2bCaNnHrYC/gZwt1M4QXQSb+W0DmqeLXLgvHFnCioWbvp4yqaKN 16 | HZdMJZLjteSE3u/oXfIaoX3z1sw5ioPXoHk59uSbPH/9kjs6UdaPfeml3+ZIBi62 17 | L8aK7qPH9k9JwmdcwUVXJ8KlXso0aKutIA9D2mvE2FClNBU81XbDEn5GdFhk5g7q 18 | jw4Ji5cwvWgawLZ9rQm3hga8pA/1MpVoJ3ICRbMzDr0heOC/1j/I9PF7hvAdRMY3 19 | eC3NuF5nJEpx4Jg7jgD5cfUzFhLds/QVracoOBZMvJMCAwEAAaOB1DCB0TAfBgNV 20 | 
HSMEGDAWgBRD0nWMNNyk66DkzBk1eyB4Ad4vkTAMBgNVHRMBAf8EAjAAMBMGA1Ud 21 | JQQMMAoGCCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIFoDAdBgNVHQ4EFgQUE+CznTbZ 22 | OzAxl+dlUmdPPuarRvwwXAYDVR0RBFUwU4ILa2hzMTk5NC5jb22CDSoua2hzMTk5 23 | NC5jb22CDXQua2hzMTk5NC5jb22CDyoudC5raHMxOTk0LmNvbYcEwKjHZIcEfwAA 24 | AYIJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4ICAQAtcEcr2LCDHOhQyYwf/s1e 25 | VhRJIXI33luWl/7XyBscbPqY6xuLIt1lmobBO+oKh/Q4a/MYJb3s+KHgi91k70C1 26 | glGpj5tjDQcdA6vsXM1h+HFisTR6CORghWJWrEKzzOHF1RqH81QEssOkMU9xJZaY 27 | aGzvwq62AzFNPL3qYcWonWhdLIArFNdJbQFRH/V4N8qvuDe2RVY+Gyb1rRY34W2i 28 | fYkx50lNDG15tNmZUleukKpYEjkEeQY0Vih7fm7ZaXzqiWb/1b9Qy7+NMwk18isb 29 | +GXvmJlz+rBuCtUWngVHe3muSO1/olnqRif37Y2OjBQjbggkFUkm3wTVC1Hotqlz 30 | VwJLnAOxS66CNHDB7165j/Age/Tv0RZO/EYuzvO0OeteZfNTbS8L+eHkeBktndtf 31 | I/C2fmJlbIlAx7VTdAkJt/e3guUzzC58sgXb0g6/2PmKqRtD+df1pb1SVZkwMVd/ 32 | FEeD1X1lbWJhYrE9FH23PodvbZVDL08rjBJhLJ+M6zGxFJmkuHp1V6/E/9Q2ozCn 33 | iSN32Mp7W2sQc8DXpCY4c8JQ2tfzLA2K8x7NYGFp42jRpVMQzOFgtAgH+jA5ZnFD 34 | 6l373Sq27bHREpDKaD+knXBtAunYT0dnu3PRDW4T9x/9A1P7adBQV+8q5VdZCEV2 35 | 9/E3Fhdn00MwupRZZ3dMhg== 36 | -----END CERTIFICATE----- 37 | -------------------------------------------------------------------------------- /conf.d/ssl/t.khs1994.com.key: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIJKQIBAAKCAgEAtfWwbsk6B6Z4+Ih5C5SSZLMHM6mqzrhS6UNtJ0bdB2D+ff8N 3 | IvOmXmmF0UkJYLKGEpPrGcH/HIVOfF2hiytNvYKZDtf0ywM1JBWQlXd750dbuTdF 4 | L1p/Q7CTObnMQexLqQ9J3sqzGTqE81YlgsItktQ3EvhNVwHqOCkguQN8wFhN4gPd 5 | afOKoHzo3mv7XhcHKvdYUKWBm9sn7GkoyQMYHlp4mO10pJsuv9psUEsYnsDOBGPe 6 | dqOH8saPR88CdiazS5fK7/aS42jHWj8j3JSl8NT9GlPWvzqIx4birVm5QrSNOWKN 7 | 3YTisNekB0J8v910sD8Fr8WeO7G2oOdHliM3HkY/kKBdlvhmXrChnNZHtIjuJcow 8 | htm2qFXBTzTNhoCGb37/YclTSw03j2bCaNnHrYC/gZwt1M4QXQSb+W0DmqeLXLgv 9 | HFnCioWbvp4yqaKNHZdMJZLjteSE3u/oXfIaoX3z1sw5ioPXoHk59uSbPH/9kjs6 10 | UdaPfeml3+ZIBi62L8aK7qPH9k9JwmdcwUVXJ8KlXso0aKutIA9D2mvE2FClNBU8 11 | 
1XbDEn5GdFhk5g7qjw4Ji5cwvWgawLZ9rQm3hga8pA/1MpVoJ3ICRbMzDr0heOC/ 12 | 1j/I9PF7hvAdRMY3eC3NuF5nJEpx4Jg7jgD5cfUzFhLds/QVracoOBZMvJMCAwEA 13 | AQKCAgEAsoq7blmA2VTdynCO5XAJHUoVvPm0olZ29G+2wR1lcAIadSM4jp0pF+bO 14 | 6YaS7xD9QWlm/MVAP4oGcz2kb1w0Ucm9ybTZfAJPuHJ4hlDRgSShueGjv007Jv4x 15 | 2CiZZe4oZ2CbCUM37X9gSSy0bdN+yF33FGQT71Xvrt+cPi5P0KRU93r3XSkdU1B9 16 | ZxHpem96FwzQ2YEs5fNq/yxIWsTwe4gmYVhOZd3nR1VZhofJRqzE+cXM2fioQu3W 17 | VY2oSqq6r2foNwFpLD75rXHbDGvHT8KN/7FYPBeBctbFwXcSs4NaN36e2Ue07/UH 18 | /B+fLNxtzSppuAletBAytTt7ILS5NRIBu3opJe6omkvCL4twsy2M8yTvu+2ADPSq 19 | H/49EM0JvdESXy2G2/F5eFaU3VDvRvgVqa2RIfB2N93cu0tlBS0Vwfdv2KJSd30z 20 | +Lz0obfO6D/rMEpg+nPS8F5p7Q2INii5k8e+/WfDXDF46uID9qfBAOEb+v76++jT 21 | PR3GybrGUrGSIAhaYXKQrV7YNdfwB0WZUlzkBRDJg5sl+/mgjoqq+LAztjDIKdSO 22 | WQvhqCWOQBJC06LlJHPvnzdVE6Xlwe5yumwoxB1ejx5MqqLvB7uW6DAJ2V4mTs1m 23 | n/qHnh8d8mVFYylhc8lVRpn0jJays+c+i78VBhaR5jOuLZbFaPECggEBANn5+JIE 24 | uWQyfdsz/QIVTw5ePApsuT53sUHgUd8TFRq41l67t3PsCJ0ez64RbUUSdLSD2Fmy 25 | mTSXog8hLupRpsIADHSE0ZXykhMMRfmkOXJmkR1u5AMwtAsKnKabWol0AWA11ptP 26 | v/b/GmpIE5EnFX6pYF5PSWs5uD2FJCSmlhBF3N6POWGUn2WoB4Y67IUmWW5o0x89 27 | Dz3Nc0uIrNZYrjoz3TdnCr7EUIG5gKmbdiX/fGDKL186IpvYiQRoceYhSfIfFcAd 28 | LAR5RukljAeo0FyZjkKx6Ezxf0ncpQCa6aPmvbZw8ALKStMkuy9eMBZQ7LFlwu3r 29 | AYkIJFG3zR3ogfUCggEBANWzV+Ifwx9HkHbrDSnj4Z7Fw8uFaPZzMZArFKlxnGxs 30 | 34nCWL+DCnLAFei+qWgWPQcyVKrPsehPXeQ9XDKMj6vjXEAPJ01BPNmKzkkdufg1 31 | In/amJIvsBG/OXN/dlVeuPQkY6FdUHNxth8KG1Wfu7osqUiVeTpimm6Px1pVOGk3 32 | jrFYXt6mnwEQL6apUQcn5lPqaRKIkzzRZcX6YiRWStSJKfr/gsXS2GN3P85OK5+c 33 | dVS9NPmwnzRaSCpCWO2+H+kPoYlTAzSm0dVeiGtN8f7sTSiRaEB4xcLMB3iz7q6A 34 | NRM988uMC48y52OlIzVWCFWaZ38bG2fkXLuQuOnvx2cCggEAXciMJx77ON30gmyC 35 | zfOnGPJ4eK/An9zVmhdOgmDucpnWOdogGzMRnbBVAHqk/dPr/ILBgg4ylosrAcFw 36 | MwbAbbWhpjxDBHXiXWmpbbg3sz3n77b3SVwaCqodLh2nPX543REs7ZPJbxbhIZsz 37 | N/+N4voy6UDJwOWLnIR9QXufEw9L8UHEGXTdg9pgqmMNwlf2oGdfdpBJz3hmw7fh 38 | TTPIemg4JI8j82H5lWbfsZmeosiile5HpXwYyd7HTOs3HiFydEblj8u9VYtsdAFg 39 | 
lycNxtmWeKGc5gX9kyTopTMBlTBArY835KtuuBuUodOvctqMi+LRlJXJClFDdxlS 40 | miygRQKCAQBfenaciDZkplPMXe6OtcsbZh65ssyXuBX/5M+heSo7Y1VotlVyk3i6 41 | lknzqCQGZlE0Au/DNXK2aad4j1W/HAAg+z8/O8YChVBLnfHWxxpM5GiamS8ruXTA 42 | KSDhEqTrNZwLMKr28Ls+KSMGsTxPQEPexY+I54e3Z1C6bzDRklvW3sS5RdN1RRqr 43 | nfC8VM/oE5KcEZKKfkzSkngXQWxR8eATH4mLJFfoTPDzV9dBNLnW4U+m4bZmjNxE 44 | xsWRY/1Zk2Wsephgw58eCh6cZ1UqJDQoAqniozzh+VPaWdBIxJOykYOlKjvfyJ1t 45 | iH/LjH+zl9G3dXoiVxkijOxFvT5w/vmnAoIBAQDPs9Ea3XVaCbGHZT9U7GsfX3sP 46 | fs7IxelDdSeFVmtZ7ntdXA2gUH1Q4bXUuRXoKiruXqt/bIgUwBRuKCtktKe3AQCY 47 | kz5fysoZqY6BI4Ub0p7LwDEt9VEDdZN/GbxrjVpSSk3iTVR43LG2KvEI6F0WBHV4 48 | 4dWyA5nmRp4ppadCN9pv6rldjPkn7luIE128ClS/PW2+PpB9fAZRJQzxtrpHn5n9 49 | 6GKSPdnxzcgfoQJhJ5K6IXRzgoZTEFbRZCsushyZpgLHHyGxj6qKdq6lzSX95FJw 50 | ja0fLGx64jlW49fXdmJbZKqwIIJ8Pjfqfo9MUkuxvHqNq4OiLQS+lwyQhlSa 51 | -----END RSA PRIVATE KEY----- 52 | -------------------------------------------------------------------------------- /docker-compose.yml: -------------------------------------------------------------------------------- 1 | # Three nginx variants for side-by-side testing: alpine and buster are built from the local build contexts, official runs the stock image; each publishes host ports 80 and 443, so presumably only one runs at a time. 2 | services: 3 | 4 | alpine: 5 | build: 6 | context: ./alpine 7 | args: 8 | # OPENSSL_BRANCH: master 9 | NGINX_VERSION: ${NGINX_VERSION:-1.27.0} 10 | ALPINE_URL: mirrors.aliyun.com # dl-cdn.alpinelinux.org 11 | OPENSSL_URL: https://github.com.cnpmjs.org/google/boringssl # NOTE(review): this host is under cnpmjs.org (a third-party mirror), not github.com; the TLS library source presumably comes from here with no revision pinned (OPENSSL_BRANCH is commented out) - prefer the upstream repository and a fixed commit, and check what the Dockerfile verifies 12 | image: khs1994/nginx:${NGINX_VERSION:-1.27.0}-alpine 13 | ports: 14 | - 443:443/tcp 15 | - 443:443/udp 16 | - 80:80 17 | volumes: 18 | - ./alpine/nginx.conf:/etc/nginx/nginx.conf # NOTE(review): mounted read-write, unlike conf.d on the next entry; add :ro unless the container has to modify it 19 | - ./conf.d:/etc/nginx/conf.d:ro # conf.d carries ssl/t.khs1994.com.key, a private key published in this repository - test use only 20 | 21 | buster: 22 | build: 23 | context: ./buster 24 | args: 25 | # OPENSSL_BRANCH: master 26 | NGINX_VERSION: ${NGINX_VERSION:-1.27.0} 27 | OPENSSL_URL: https://github.com.cnpmjs.org/google/boringssl # NOTE(review): third-party mirror host with no pinned revision, as in the alpine service 28 | DEB_URL: mirrors.ustc.edu.cn # deb.debian.org 29 | DEB_SECURITY_URL: mirrors.ustc.edu.cn/debian-security # security.debian.org/debian-security 30 | image: khs1994/nginx:${NGINX_VERSION:-1.27.0}-buster 31 | ports: 32 | - 443:443/tcp 33 | -
443:443/udp 34 | - 80:80 35 | volumes: 36 | - ./conf.d:/etc/nginx/conf.d:ro 37 | 38 | official: 39 | image: nginx:1.27.0-alpine 40 | ports: 41 | - 443:443 42 | - 80:80 43 | volumes: 44 | - ./conf.d:/etc/nginx/conf.d:ro 45 | --------------------------------------------------------------------------------