macbre / docker-nginx-http3 Goto Github PK

This project is forked from fholzer/docker-nginx-brotli

167.0 167.0 54.0 357 KB

Stable and up-to-date root-less nginx with quic + http/3, google brotli compression, njs, GeoIP2, and Grade A+ SSL config

Home Page: https://hub.docker.com/r/macbre/nginx-http3

Shell 7.72% Dockerfile 89.30% HTML 0.36% JavaScript 2.62%
brotli docker-image geoip2-nginx-module http3 nginx nginx-brotli nginx-http3 nginx-quic njs quic rootless-containers ssl-grade

docker-nginx-http3's People

Contributors

dependabot[bot], draga79, fholzer, gxpd-jjh, jsone-studios, justdan6, kvas-damian, macbre, michel-kraemer, skyzerozx, victor-sm, vincejv, y0ngg4n, yo-han


docker-nginx-http3's Issues

Change expose line to normal ports please

Hi,

The current dockerfile has:
EXPOSE 8080 8443

This makes it super annoying to get the image working properly.
Please just change it to the normal ports 80 and 443.

I just spent a couple of hours debugging this because I kept getting connection refused while my ports were set properly.
I didn't try it, but I probably should have used your "8080" and "8443" in the conf files as well to make it all work.

Just change it, please.

Cheers,
Mark

Alert message

webserver | 2021/02/16 17:14:39 [alert] 1#1: detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

webserver | nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

http3 not working with Firefox

I'm having trouble to get Firefox to connect to nginx over http3.

I'm using Windows10 (22H2) with Firefox (118) and Chrome (118), as well as macOS (11.7) with Firefox (115) and Chrome (118) for testing. All browsers pass the QUIC HTTP3 Test while also showing HTTP3 (Firefox) or h3 (Chrome) under protocol in the dev tools. They also connect correctly to @macbre's suggap.com.

However, I can't get Firefox to connect to my server. I'm using the nginx.conf and https.conf as given. Only changes are port numbers, servername and the path to the certificate. I tried different alt-svc headers to no avail:


add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';

add_header alt-svc 'h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400';

add_header alt-svc 'h3=":443"; ma=5, h3-27=":443"; ma=5, h3-28=":443"; ma=5,h3-29=":443"; ma=5,h3-Q050=":443"; ma=5,h3-Q046=":443"; ma=5,h3-Q043=":443"; ma=5,quic=":443"; ma=5; v="46,43"';

add_header alt-svc 'h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-T051=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="46,43"';

add_header alt-svc 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"';

OS        Browser      Connection
Windows   Firefox 118  HTTP2
Windows   Chrome 118   h3
macOS     Firefox 115  HTTP2
macOS     Chrome 118   h3

Test                  Result
Domsignal HTTP3 Test  HTTP/3 enabled.
ymuski/curl-http3     HTTP/3

add_header alt-svc 'h3=":443"; ma=86400';

This is the same header https://quic.nginx.org/ uses, so I would have expected it to work. However it fails the Domsignal test. The browser results are the same as above.

Test                  Result
Domsignal HTTP3 Test  Couldn't connect over HTTP/3
ymuski/curl-http3     HTTP/3

I have no idea where to even start troubleshooting, so any help is appreciated.

http3 just doesn't work on 1.25.1

Hey. Using this with docker:

nginx:
  container_name: wokalek-nginx
  image: macbre/nginx-http3:1.25.1
  user: root
  restart: always
  depends_on:
    - nuxt
  ports:
    - 80:80
    - 443:443/tcp
    - 443:443/udp
  volumes:
    - ./nginx/conf/nginx.prod.conf:/etc/nginx/nginx.conf
    - ./nginx/types/gzip_types.conf:/etc/nginx/gzip_types.conf
    - ./nginx/types/brotli_types.conf:/etc/nginx/brotli_types.conf
    - ./static:/usr/share/nginx/html/static
    - ./certbot/www:/certbot/www
    - ./certbot/conf/archive:/certbot/cert
nginx prod config
worker_processes auto;

events {}

http {
    server_tokens off;

    map $sent_http_content_type $expires {
        "text/html" epoch;
        "text/html;charset=utf-8" epoch;
        default off;
    }

    expires $expires;

    gzip on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_min_length 256;
    include gzip_types.conf;

    brotli on;
    brotli_static on;
    brotli_comp_level 6;
    brotli_min_length 256;
    include brotli_types.conf;

    server {
        listen 80;
        listen [::]:80;

        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        server_name wokalek.com;

        http2 on;
        listen 443 quic;
        listen [::]:443 quic;
        listen 443 ssl;
        listen [::]:443 ssl;

        quic_gso on;
        quic_retry on;
        ssl_early_data on;

        ssl_protocols TLSv1.3;
        ssl_certificate /certbot/cert/wokalek.ru/fullchain1.pem;
        ssl_certificate_key /certbot/cert/wokalek.ru/privkey1.pem;

        add_header alt-svc 'h3=":8889"; ma=86400';
        add_header QUIC-Status $http3;

        return 301 https://wokalek.ru$request_uri;
    }

    server {
        server_name statistic.wokalek.com;

        http2 on;
        listen 443 quic;
        listen [::]:443 quic;
        listen 443 ssl;
        listen [::]:443 ssl;

        quic_gso on;
        quic_retry on;
        ssl_early_data on;

        ssl_protocols TLSv1.3;
        ssl_certificate /certbot/cert/wokalek.ru/fullchain1.pem;
        ssl_certificate_key /certbot/cert/wokalek.ru/privkey1.pem;

        add_header alt-svc 'h3=":8889"; ma=86400';
        add_header QUIC-Status $http3;

        return 301 https://statistic.wokalek.ru$request_uri;
    }

    server {
        server_name  statistic.wokalek.ru;

        http2 on;
        listen 443 quic;
        listen [::]:443 quic;
        listen 443 ssl;
        listen [::]:443 ssl;

        quic_gso on;
        quic_retry on;
        ssl_early_data on;

        ssl_protocols TLSv1.3;
        ssl_certificate /certbot/cert/wokalek.ru/fullchain1.pem;
        ssl_certificate_key /certbot/cert/wokalek.ru/privkey1.pem;

        add_header alt-svc 'h3=":8889"; ma=86400';
        add_header QUIC-Status $http3;

        location /.well-known/acme-challenge {
            root /certbot/www;
        }

        location / {
            proxy_set_header Early-Data $ssl_early_data;
            proxy_pass http://umami:3000;
        }
    }

    server {
        server_name wokalek.ru;

        http2 on;
        listen 443 quic;
        listen [::]:443 quic;
        listen 443 ssl;
        listen [::]:443 ssl;

        quic_gso on;
        quic_retry on;
        ssl_early_data on;

        ssl_protocols TLSv1.3;
        ssl_certificate /certbot/cert/wokalek.ru/fullchain1.pem;
        ssl_certificate_key /certbot/cert/wokalek.ru/privkey1.pem;

        add_header alt-svc 'h3=":8889"; ma=86400';
        add_header QUIC-Status $http3;

        location /.well-known/acme-challenge {
            root /certbot/www;
        }

        location ~ ^/static {
            root /usr/share/nginx/html;

            try_files $uri =404;
        }

        location / {
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Early-Data $ssl_early_data;
            proxy_pass http://nuxt:3000;
        }
    }
}

And the check is failing:

docker run -it --rm ymuski/curl-http3 curl -IL https://wokalek.ru/ --http3 --max-time 5

You can check this out https://wokalek.ru ...

ssl_stapling_verify is not supported with BoringSSL.

This can be seen at https://www.ssllabs.com/ssltest/analyze.html?d=wbc.macbre.net under "OCSP stapling" and with the warning when running run-docker.sh . A patch is available and can be added before building nginx for an alternative method for supporting OCSP stapling - https://github.com/kn007/patch/blob/master/Enable_BoringSSL_OCSP.patch .

Attempting to apply this patch in https://github.com/justdan6/docker-nginx-http3/tree/fix-ocsp-stapling but running into issues - justdan6#1

There is insufficient support for http3

After testing, most browsers on most platforms cannot access it over http3

  • The above tests are conducted at the same time by accessing the same container on the same machine. The network environment is a LAN

  • All Linux browsers are on the same computer

  • All windows browsers are on the same computer

  • These browsers can use http3 to access other http3 enabled website

browser                platform  http3 access
edge-102.0.1245.33     windows   no
edge-99.0.1150.55      linux     no
firefox-100.0.2        linux     no
firefox-101.0          windows   yes
chrome-102.0.5005.63   windows   no
chrome-100.0.4896.127  linux     no

Here are some interesting phenomena

  • Forcing Chrome to use HTTP3 produces an error

    • Use the following parameter to force Chrome to use QUIC:

      chrome --origin-to-force-quic-on=127.0.0.1:443

    • Chrome then reports the following error:

      ERR_QUIC_PROTOCOL_ERROR

    • Because of this error message, I infer that this is a problem with docker-nginx-http3, because other http3 websites run perfectly with the '--origin-to-force-quic-on' parameter

There is no problem with the UDP port of the computer

  • HTTP3 is enabled correctly, but support is insufficient

  • Firefox on Windows can access it over http3, which proves this

  • The following command also proves this:

      xxxx:~$ netstat -tunlp | grep 443
      tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1818214/docker-prox
      udp        0      0 0.0.0.0:443             0.0.0.0:*                           1818228/docker-prox

  • Use curl-http3 to access:

      docker run --rm --network host ymuski/curl-http3  curl -v https://127.0.0.1/internal_support/api_test --http3 2>&1 | tee /tmp/h3

  • output:

      *   Trying 127.0.0.1:443...
      * Connect socket 5 over QUIC to 127.0.0.1:443
      * Sent QUIC client Initial, ALPN: h3-29,h3-28,h3-27
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
        0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 127.0.0.1 () port 443 (#0)
      * h3 [:method: GET]
      * h3 [:path: /internal_support/api_test]
      * h3 [:scheme: https]
      * h3 [:authority: 127.0.0.1]
      * h3 [user-agent: curl/7.76.1-DEV]
      * h3 [accept: */*]
      * Using HTTP/3 Stream ID: 0 (easy handle 0x55b032487210)
      > GET /internal_support/api_test HTTP/3
      > Host: 127.0.0.1
      > user-agent: curl/7.76.1-DEV
      > accept: */*
      > 
      < HTTP/3 200
      < date: Wed, 08 Jun 2022 10:52:08 GMT
      < content-type: application/json
      < content-length: 427
      < access-control-allow-origin: *
      < x-frame-options: SAMEORIGIN
      < x-xss-protection: 1; mode=block
      < content-security-policy: object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-downloads; base-uri 'self';
      < alt-svc: h3=":443"; ma=5, h3-27=":443"; ma=5, h3-28=":443"; ma=5,h3-29=":443"; ma=5,h3-Q050=":443"; ma=5,h3-Q046=":443"; ma=5,h3-Q043=":443"; ma=5,quic=":443"; ma=5; v="46,43"
      < quic-status: h3
      < 
      { [427 bytes data]
      100   427  100   427    0     0  28466      0 --:--:-- --:--:-- --:--:-- 30500
      * Connection #0 to host 127.0.0.1 left intact
      {"status":"ok",....}

Below is my https.conf file

server {
    # quic and http/3
    listen 443 http3 reuseport;

    # http/2 and http/1.1
    listen 443 ssl http2;

    server_name localhost;

    # openssl-generated pair for local development
    # https://letsencrypt.org/docs/certificates-for-localhost/
    ssl_certificate     /etc/nginx/ssl/localhost.crt;
    ssl_certificate_key /etc/nginx/ssl/localhost.key;

    # Enable all TLS versions (TLSv1.3 is required for QUIC).
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_protocols TLSv1.3;

    # 0-RTT QUIC connection resumption
    ssl_early_data on;

    # Add Alt-Svc header to negotiate HTTP/3.
    # ma=5: easy to observe the HTTP2-to-HTTP3 switching process
    add_header alt-svc 'h3=":443"; ma=5, h3-27=":443"; ma=5, h3-28=":443"; ma=5,h3-29=":443"; ma=5,h3-Q050=":443"; ma=5,h3-Q046=":443"; ma=5,h3-Q043=":443"; ma=5,quic=":443"; ma=5; v="46,43"';
    # add_header alt-svc 'h3=":443"; h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400';
    add_header QUIC-Status $http3;     # Sent when QUIC was used

    # proxy_set_header Http-Version       $server_protocol;
    location / {
        proxy_pass   https://172.17.0.1:5000;
    }
}

Do not expose server details

Inspired by https://github.com/bunkerity/bunkerized-nginx

https://serverfault.com/a/1015876/448086

server_tokens "";

fails with: #26 1.388 nginx: [emerg] invalid value "" in /etc/nginx/nginx.conf:35


or

https://github.com/openresty/headers-more-nginx-module#more_clear_headers:

 more_clear_headers 'server';

Installation instructions // more headers

https://github.com/bunkerity/bunkerized-nginx/blob/master/helpers/install.sh#L491-L493


And https://www.upguard.com/blog/10-tips-for-securing-your-nginx-deployment

  • Disable TRACE and TRACK.
  • Configure Nginx to Include an X-Frame-Options Header.
  • Modify Nginx Web Server Configuration/SSL for X-XSS protection

curl: (7) QUIC: connection to ::1 port 8889 refused

Spent hours trying to make this work, it just doesn't want to work.

After trying in my own repo, I thought I'd try run-docker.sh after downloading this repo - it has the wrong image (?) and doesn't work for me, and it's not clear why.

Thanks for putting this out, and presumably this won't get a response, but urgghhh, the README was so promising.

docker run -it --rm ymuski/curl-http3 curl -kIL https://localhost:8889 --http3
curl: (7) QUIC: connection to ::1 port 8889 refused

nginx: [emerg] unknown "quic" variable

Hi,

I am facing the below error on nginx.conf:

2023/02/08 14:53:41 [emerg] 1#1: unknown "quic" variable
nginx: [emerg] unknown "quic" variable

While using the below config in the http { } block:

# Sent when QUIC was used
add_header QUIC-Status $quic;

Any idea ?

Build Fails Looking for OpenSSL

The build fails with the following error:

checking for OpenSSL library ... not found
checking for OpenSSL library in /usr/local/ ... not found
checking for OpenSSL library in /usr/pkg/ ... not found
checking for OpenSSL library in /opt/local/ ... not found

./auto/configure: error: SSL modules require the OpenSSL library.
You can either do not enable the modules, or install the OpenSSL library
into the system, or build the OpenSSL library statically from the source
with nginx by using --with-openssl=<path> option.

I think it may be related to this change in BoringSSL:
https://boringssl.googlesource.com/boringssl/+/c52806157c97105da7fdc2b021d0a0fcd5186bf3

FR: Add njs support

Official images have njs module built in since 2019. Is it possible to build it in this image?

njs is a subset of the JavaScript language that allows extending nginx functionality. njs is created in compliance with ECMAScript 5.1 (strict mode) with some ECMAScript 6 and later extensions. The compliance is still evolving.

GeoIP2 not working - libmaxminddb missing

When loading the GeoIP2 module in the Nginx config I get:

nginx: [emerg] dlopen() "/usr/lib/nginx/modules/ngx_http_geoip2_module.so" failed (Error loading shared library libmaxminddb.so.0: No such file or directory (needed by /usr/lib/nginx/modules/ngx_http_geoip2_module.so)) in /etc/nginx/nginx.conf:2
nginx: [emerg] dlopen() "/usr/lib/nginx/modules/ngx_http_geoip2_module.so" failed (Error loading shared library libmaxminddb.so.0: No such file or directory (needed by /usr/lib/nginx/modules/ngx_http_geoip2_module.so)) in /etc/nginx/nginx.conf:2

@macbre

Check the technology preview of QUIC+HTTP/3 for NGINX

How to compile

https://hg.nginx.org/nginx-quic/file/quic/README#l72

    You will need a BoringSSL [4] library that provides QUIC support

    $ hg clone -b quic https://hg.nginx.org/nginx-quic
    $ cd nginx-quic
    $ ./auto/configure --with-debug --with-http_v3_module       \
                       --with-cc-opt="-I../boringssl/include"   \
                       --with-ld-opt="-L../boringssl/build/ssl  \
                                      -L../boringssl/build/crypto"
    $ make

    When configuring nginx, you can enable QUIC and HTTP/3 using the
    following new configuration options:

        --with-http_v3_module     - enable QUIC and HTTP/3
        --with-http_quic_module   - enable QUIC for older HTTP versions
        --with-stream_quic_module - enable QUIC in Stream

cannot load certificate key, but official nginx can load certificate key

Environment: 
Ubuntu 20
Docker version 24.0.7

2023/12/27 01:02:33 [emerg] 32#32: cannot load certificate key "/etc/nginx/./../ssl/my.key": BIO_new_file() failed (SSL: error:0200000d:system library:OPENSSL_internal:Permission denied:fopen('/etc/nginx/./../ssl/my.key','r') error:11000070:BIO routines:OPENSSL_internal:SYS_LIB)
nginx: [emerg] cannot load certificate key "/etc/nginx/./../ssl/my.key": BIO_new_file() failed (SSL: error:0200000d:system library:OPENSSL_internal:Permission denied:fopen('/etc/nginx/./../ssl/my.key','r') error:11000070:BIO routines:OPENSSL_internal:SYS_LIB)

Build nginx 1.19.2 version [mainline]

https://nginx.org/en/CHANGES

Changes with nginx 1.19.2                                        11 Aug 2020

    *) Change: now nginx starts closing keepalive connections before all
       free worker connections are exhausted, and logs a warning about this
       to the error log.

    *) Change: optimization of client request body reading when using
       chunked transfer encoding.

    *) Bugfix: memory leak if the "ssl_ocsp" directive was used.

    *) Bugfix: "zero size buf in output" alerts might appear in logs if a
       FastCGI server returned an incorrect response; the bug had appeared
       in 1.19.1.

    *) Bugfix: a segmentation fault might occur in a worker process if
       different large_client_header_buffers sizes were used in different
       virtual servers.

    *) Bugfix: SSL shutdown might not work.

    *) Bugfix: "SSL_shutdown() failed (SSL: ... bad write retry)" messages
       might appear in logs.

    *) Bugfix: in the ngx_http_slice_module.

    *) Bugfix: in the ngx_http_xslt_filter_module.

Add HTTP/3 support

Incorporate Cloudflare's patch with HTTP/3 support -> https://blog.cloudflare.com/experiment-with-http-3-using-nginx-and-quiche/ / https://github.com/cloudflare/quiche/tree/master/extras/nginx / https://github.com/nwtgck/docker-nginx-http3/blob/master/Dockerfile

Links


$ docker run -it --rm ymuski/curl-http3 curl -IL https://blog.cloudflare.com --http3
...
HTTP/3 200
date: Wed, 28 Apr 2021 13:32:06 GMT
content-type: text/html; charset=utf-8
set-cookie: __cfduid=d1693e08f51c7f8672d3a6cdbe91fa8131619616726; expires=Fri, 28-May-21 13:32:06 GMT; path=/; domain=.blog.cloudflare.com; HttpOnly; SameSite=Lax; Secure
x-powered-by: Express
cache-control: public, max-age=60
vary: Accept-Encoding
cf-cache-status: REVALIDATED
expires: Wed, 28 Apr 2021 13:33:06 GMT
cf-request-id: 09ba4713ff000034c0d792d000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
set-cookie: __cf_bm=ed61fb9320c34e521bfbbaea016b19c160ada71e-1619616726-1800-AfM8ne2jYTpLyoN84LuPfCPOLpJlQQEJNUJGr70E23RcOB6xt6bWTZrGDCQDMrCkuAbzTHqk+PHbPcCrIAO8muk=; path=/; expires=Wed, 28-Apr-21 14:02:06 GMT; domain=.blog.cloudflare.com; HttpOnly; Secure; SameSite=None
server: cloudflare
cf-ray: 6470a79998e234c0-DUB
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400

/var/log/nginx/error.log" failed (13: Permission denied)

I just do not get this image to run, something with permissions is wrong.

docker logs nginx

I keep getting:

nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
2024/05/18 01:14:09 [emerg] 1#1: open() "/var/log/nginx/error.log" failed (13: Permission denied)

I use this compose file on ubuntu 24.04. /docker/nginx and its subdirectories are all used by user/group nginx:nginx; uid/gid: 1002:1002.

services:
  nginx:
    image: macbre/nginx-http3
    build:
      context: ./nginx/
      args:
        NGINX_USER_UID: 1002
        NGINX_GROUP_GID: 1002
    environment:
      NGINX_USER_UID: 1002
      NGINX_GROUP_GID: 1002
    container_name: nginx
    user: nginx
    volumes:
     - /docker/nginx/etc/conf.d:/etc/nginx/conf.d/:ro
     - /docker/nginx/etc/main.d:/etc/nginx/main.d/:ro
     - /docker/nginx/html:/var/www/html:ro
     - /docker/nginx/logs:/var/log/nginx/:rw
    ports:
      - '80:80/tcp'

What am I doing wrong?
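The error.log failure here, the BIO_new_file() "Permission denied" on the private key reported above, and the unlink() of nginx.pid further down are the same problem seen from three paths: in a rootless image the nginx worker runs as an unprivileged uid, so every bind-mounted file is subject to ordinary mode-bit checks against that uid and gid instead of being bypassed as root. The following is an added example, not part of the image or of any issue author's setup: a checker that applies the kernel's owner/group/other rule for a given uid:gid to a mounted tree and reports exactly which bits are missing. The temporary directory it builds (0700 with a 0600 error.log inside) is constructed for the example, and the "other" uid it tests with is just the current uid plus one, standing in for the container's nginx uid (1002 in the report above).

```python
"""Check whether the uid:gid a rootless nginx container runs as can use a
bind-mounted path.  Reproduces the kernel's DAC rule: owner bits if the uid
matches, else group bits if the gid matches, else the 'other' bits; uid 0
bypasses the check.  Added example, not part of the image."""
import os
import shutil
import stat
import tempfile
from typing import List, Tuple

R, W, X = 4, 2, 1


def effective_perms(mode: int, st_uid: int, st_gid: int, uid: int, gid: int) -> int:
    """rwx bits (0..7) that uid:gid gets on a file with this mode and owner."""
    if uid == 0:
        return R | W | X          # root bypasses discretionary access control
    if uid == st_uid:
        return (mode >> 6) & 7    # owner bits
    if gid == st_gid:
        return (mode >> 3) & 7    # group bits
    return mode & 7               # 'other' bits


def _bits(b: int) -> str:
    return "".join(c for c, v in (("r", R), ("w", W), ("x", X)) if b & v) or "-"


def check_volume(path: str, uid: int, gid: int, need: int = R | W) -> List[str]:
    """Report every entry under path that uid:gid cannot use with the bits in
    `need`; directories additionally need x so they can be traversed."""
    problems: List[str] = []
    for root, _dirs, files in os.walk(path):
        entries = [(root, True)] + [(os.path.join(root, f), False) for f in files]
        for name, is_dir in entries:
            st = os.stat(name)
            want = need | X if is_dir else need
            got = effective_perms(st.st_mode, st.st_uid, st.st_gid, uid, gid)
            if got & want != want:
                problems.append(f"{name}: {stat.filemode(st.st_mode)} {st.st_uid}:{st.st_gid}, "
                                f"uid {uid}:{gid} lacks {_bits(want & ~got)}")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Build a throwaway 'logs' directory like /docker/nginx/logs in the issue
    (constructed here: mode 0700 holding a 0600 error.log) and check it twice:
    as a uid:gid that does not own it (the container's nginx uid, assumed to be
    current uid + 1) and as the owner."""
    d = tempfile.mkdtemp(prefix="nginx-logs-")
    try:
        os.chmod(d, 0o700)
        log = os.path.join(d, "error.log")
        with open(log, "w") as fh:
            fh.write("")
        os.chmod(log, 0o600)
        me, mygrp = os.getuid(), os.getgid()
        other = check_volume(d, me + 1, mygrp + 1)   # assumed container uid/gid
        owner = check_volume(d, me, mygrp)
        return other, owner
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Against the compose file above you would run check_volume('/docker/nginx/logs', 1002, 1002) on the host before starting the container; each reported line is fixed by chown to that uid:gid or by a group-writable mode. The private-key case wants the narrowest fix, a 0640 key with the nginx gid as group, not a world-readable file.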

Add example usage with Docker Compose

I think it would be good to add an example of how to expose HTTP/3 with docker compose.
I sent a pull request; I await acceptance or any comments, if so, to correct it.

#130

HTTP/3 does not work and falls back to HTTP/2

Config

static.conf

server {
    listen 443 http3 reuseport;
    listen 443 ssl http2;

    server_name _;

    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    ssl_trusted_certificate /etc/nginx/ssl/fullchain.pem;

    # Enable all TLS versions (TLSv1.3 is required for QUIC).
    ssl_protocols TLSv1.3;

    # 0-RTT QUIC connection resumption
    ssl_early_data on;

    # Add Alt-Svc header to negotiate HTTP/3.
    add_header alt-svc 'h3-27=":4300"; ma=86400, h3-28=":4300"; ma=86400, h3-29=":4300"; ma=86400';
    add_header QUIC-Status $http3; # Sent when QUIC was used

    # resolver 127.0.0.11;
    autoindex off;

    root /usr/share/nginx/html;
    index index.html;

    # limit_req zone=perip burst=5 nodelay;
    # limit_req_status 460;
    # limit_conn perserver 5;
    # limit_rate 10240k;
}

docker-compose.yml

version: "3.8"

services:
  ssb-http3:
    image: macbre/nginx-http3
    container_name: docker-ssb-demo
    restart: always
    ports:
      - "0.0.0.0:4300:443/tcp"
      - "0.0.0.0:4300:443/udp"
    environment:
      - "NODE_ENV=development"
    networks:
      - demo-connect
    volumes:
      # - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./nginx/static.conf:/etc/nginx/conf.d/static.conf:ro
      - ./static:/usr/share/nginx/html
      - ./ssl:/etc/nginx/ssl

networks:
  demo-connect:
    driver: bridge

Checks

ubuntu@ubuntu-vm:~/Documents/ssb$ docker-compose ps
     Name               Command          State                                Ports                              
-----------------------------------------------------------------------------------------------------------------
docker-ssb-demo   nginx -g daemon off;   Up      0.0.0.0:4300->443/tcp, 0.0.0.0:4300->443/udp, 8080/tcp, 8443/tcp


ubuntu@ubuntu-vm:~/Documents/ssb$ docker run -it --rm ymuski/curl-http3 curl -ILv https://localhost.dalisoft.uz:4300 --http3
*   Trying 127.0.0.1:4300...
* Connect socket 5 over QUIC to 127.0.0.1:4300
* Sent QUIC client Initial, ALPN: h3-29,h3-28,h3-27
* quiche: recv() unexpectedly returned -1 (errno: 111, socket 5)
* connect to 127.0.0.1 port 4300 failed: Connection refused
* Failed to connect to localhost.dalisoft.uz port 4300: Connection refused
* Closing connection 0
curl: (7) quiche: recv() unexpectedly returned -1 (errno: 111, socket 5)
ubuntu@ubuntu-vm:~/Documents/ssb$ 

Environments

  • docker macbre/nginx-http3 latest
  • os ubuntu 22.04 (amd64)

Expected Result

HTTP/3 responses

Actual Result

[screenshot, 2022-12-25]

duplicate listen options for 0.0.0.0:443

When I use your provided config

    # quic and http/3
    listen 443 http3 reuseport;

    # http/2 and http/1.1
    listen 443 ssl http2;

i get following error:
duplicate listen options for 0.0.0.0:443

Build error at ninja: missing binary operator before token "("

uname -a: Linux raspberrypi 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux
Build Command: docker build . -t macbre/nginx-http3 -f Dockerfile

#0 16.56 ninja: job failed: /usr/bin/cc -DBORINGSSL_DISPATCH_TEST -DBORINGSSL_IMPLEMENTATION -I/usr/src/boringssl/crypto/fipsmodule/../../include -Wa,--noexecstack -Wa,-g -MD -MT crypto/fipsmodule/CMakeFiles/fipsmodule.dir/sha512-armv8-linux.S.o -MF crypto/fipsmodule/CMakeFiles/fipsmodule.dir/sha512-armv8-linux.S.o.d -o crypto/fipsmodule/CMakeFiles/fipsmodule.dir/sha512-armv8-linux.S.o -c /usr/src/boringssl/build/crypto/fipsmodule/sha512-armv8-linux.S
#0 16.56 /usr/src/boringssl/build/crypto/fipsmodule/sha512-armv8-linux.S:62:18: error: missing binary operator before token "("
#0 16.56    62 | #if __has_feature(hwaddress_sanitizer) && __clang_major__ >= 10
#0 16.56       |                  ^
#0 16.61 ninja: job failed: /usr/bin/cc -DBORINGSSL_DISPATCH_TEST -DBORINGSSL_IMPLEMENTATION -I/usr/src/boringssl/crypto/fipsmodule/../../include -Wa,--noexecstack -Wa,-g -MD -MT crypto/fipsmodule/CMakeFiles/fipsmodule.dir/sha256-armv8-linux.S.o -MF crypto/fipsmodule/CMakeFiles/fipsmodule.dir/sha256-armv8-linux.S.o.d -o crypto/fipsmodule/CMakeFiles/fipsmodule.dir/sha256-armv8-linux.S.o -c /usr/src/boringssl/build/crypto/fipsmodule/sha256-armv8-linux.S
#0 16.61 /usr/src/boringssl/build/crypto/fipsmodule/sha256-armv8-linux.S:62:18: error: missing binary operator before token "("
#0 16.61    62 | #if __has_feature(hwaddress_sanitizer) && __clang_major__ >= 10
#0 16.61       |                  ^
#0 37.55 ninja: subcommands failed

I'm unfortunately not proficient in the technologies used here. I'd be happy to provide more Information to resolve this problem.

Build is failing on an OpenSSL error it seems

When trying to build the docker image it crashes on an error:

#16 17.39 	-o objs/src/event/quic/ngx_event_quic_transport.o \
#16 17.39 	src/event/quic/ngx_event_quic_transport.c
#16 17.40 src/event/ngx_event_openssl.c: In function 'ngx_ssl_get_curve':
#16 17.40 src/event/ngx_event_openssl.c:5110:20: error: 'TLSEXT_nid_unknown' undeclared (first use in this function)
#16 17.40  5110 |         if ((nid & TLSEXT_nid_unknown) == 0) {
#16 17.40       |                    ^~~~~~~~~~~~~~~~~~
#16 17.40 src/event/ngx_event_openssl.c:5110:20: note: each undeclared identifier is reported only once for each function it appears in
#16 17.44 make[1]: *** [objs/Makefile:1409: objs/src/event/ngx_event_openssl.o] Error 1
#16 17.44 make[1]: *** Waiting for unfinished jobs....
#16 18.49 make[1]: Leaving directory '/usr/src/nginx-1.23.4'
#16 18.50 make: *** [Makefile:10: build] Error 2
------
executor failed running [/bin/sh -c echo "Building nginx ..." 	&& cd /usr/src/nginx-$NGINX_VERSION 	&& ./auto/configure $CONFIG 	--with-cc-opt="-I../boringssl/include"   	--with-ld-opt="-L../boringssl/build/ssl  				-L../boringssl/build/crypto" 	&& make -j"$(getconf _NPROCESSORS_ONLN)"]: exit code: 2

If I remove:

&& ./auto/configure $CONFIG \
      --with-cc-opt="-I../boringssl/include"   \
      --with-ld-opt="-L../boringssl/build/ssl  \
                     -L../boringssl/build/crypto" \

the build succeeds. So it seems an issue with boringssl but can't find out why.

Content-Security-Policy blocks modals (such as window.alert() and window.print())

In nginx.conf, line 48 sets the 'Content-Security-Policy' header:

more_set_headers "Content-Security-Policy: object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-downloads; base-uri 'self';";

This sandboxing mode doesn't include the allow-modals keyword, which results in:

Ignored call to 'alert()'. The document is sandboxed, and the 'allow-modals' keyword is not set.

when trying to call window.alert() from JS. This also applies to window.prompt() and, in my case, window.print().

Is this by design?
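The server_tokens request above and this CSP report are both about what the response headers reveal or enforce. The following is an added example, not part of the image or of either issue author's configuration: a header audit that flags a Server or X-Powered-By disclosure, a missing clickjacking defence, and CSP sandbox flags whose absence silently changes page behaviour, including the allow-modals case described here. The two sample responses are constructed for this example; the second copies the header set the image's nginx.conf sends, as shown in the curl output earlier on this page.

```python
"""Audit an HTTP response for server identity disclosure, clickjacking
protection and the CSP 'sandbox' flag set.  Added example, not part of the
image; the sample responses below are constructed for it."""
from typing import Dict, List


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Status line plus header lines -> lower-cased name -> list of values."""
    headers: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines()[1:]:      # [0] is the status line
        if not line.strip():
            break                                   # blank line ends the headers
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_csp(value: str) -> Dict[str, List[str]]:
    """CSP value -> directive name -> its tokens (sources or sandbox flags)."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


# What the absence of each sandbox flag does to the document.
SANDBOX_FLAGS = {
    "allow-modals": "window.alert/confirm/prompt/print are ignored",
    "allow-same-origin": "the document gets an opaque origin",
    "allow-scripts": "no script runs",
    "allow-forms": "form submission is blocked",
}


def audit(raw: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    h = parse_headers(raw)
    findings: List[str] = []
    for server in h.get("server", []):
        if "/" in server:
            findings.append(f"Server header discloses product and version: {server}")
        elif server:
            findings.append(f"Server header discloses product: {server}")
    for name in ("x-powered-by", "x-aspnet-version", "x-generator"):
        if name in h:
            findings.append(f"{name} header discloses backend technology")
    csp = parse_csp(h["content-security-policy"][0]) if "content-security-policy" in h else {}
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (neither X-Frame-Options nor CSP frame-ancestors)")
    if "sandbox" in csp:
        present = set(csp["sandbox"])
        for flag, effect in SANDBOX_FLAGS.items():
            if flag not in present:
                findings.append(f"CSP sandbox without {flag}: {effect}")
    return findings


# Constructed sample 1: a typical un-hardened response.
LEAKY_RESPONSE = """HTTP/1.1 200 OK
server: nginx/1.25.1
x-powered-by: Express
content-type: text/html

<html>...</html>
"""

# Constructed sample 2: the header set this image's nginx.conf sends (copied
# from the curl output earlier on the page; no Server header, server_tokens off).
IMAGE_RESPONSE = """HTTP/3 200
content-type: application/json
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
content-security-policy: object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-downloads; base-uri 'self';
quic-status: h3
"""

if __name__ == "__main__":
    for sample in (LEAKY_RESPONSE, IMAGE_RESPONSE):
        print(audit(sample) or ["ok"])
```

Feed it the output of curl -sI against your own deployment: the image's default headers produce exactly one finding, the missing allow-modals flag, which is the behaviour this issue asks about; server_tokens off (or more_clear_headers 'server') removes the Server finding entirely, since an absent header discloses nothing.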

After upgrading to the latest version of the image, nginx stopped responding to any requests

Before the upgrade, the config had the form

    proxy:
        image: macbre/nginx-http3:latest
        environment:
            user: nginx
        networks:
            - localNet_overlay
        ports:
            - target: 80
              published: 80
              protocol: tcp
              mode: host
            - target: 443
              published: 443
              protocol: tcp
              mode: host
            - target: 443
              published: 443
              protocol: udp
              mode: host
        volumes:
            - ./certs:/etc/nginx/certs:ro
            - ./config/docker/nginx/config:/etc/nginx/config:ro
            - ./config/docker/nginx/template:/etc/nginx/main-config:ro
            - upload_vol:/var/upload/files/:ro
            - assets_vol:/var/www/
        command: ['nginx', '-c', '/etc/nginx/main-config/nginx.conf', '-g', 'daemon off;']
        healthcheck:
            test:
                [
                    'CMD-SHELL',
                    'wget --quiet --tries=1 --spider http://localhost/health-check --no-check-certificate || exit 1',
                ]
            retries: 7

After the update, nginx stopped responding to requests. After reading scraps of information and viewing service errors when it crashed, I commented out the port bindings, but it didn't help!

        # ports:
        #     - target: 80
        #       published: 80
        #       protocol: tcp
        #       mode: host
        #     - target: 443
        #       published: 443
        #       protocol: tcp
        #       mode: host
        #     - target: 443
        #       published: 443
        #       protocol: udp
        #       mode: host

The service works fine: health checks are registering in the log, but it does not respond to requests from outside Docker at all; such requests are not registering in the log at all.


PS: running in Docker Desktop for development, so ignore stapling errors

What could be the problem?

Make sure that dynamic modules can be loaded

nginx.conf:

load_module modules/ngx_http_geoip_module.so;
#24 0.209 nginx: [emerg] dlopen() "/etc/nginx/modules/ngx_http_geoip_module.so" failed (Dynamic loading not supported) in /etc/nginx/nginx.conf:1

See #40

Add kTLS/OpenSSL3 `sendfile` support

As part of my research, I made a list of docker images to compare different nginx images:

Image                 HTTP3  Brotli  kTLS  njs  Grade A+ SSL
macbre/nginx-http3    +      +       -     +    +
ymuski/nginx-quic     +      +       -     -    -
fholzer/nginx-brotli  +      +       -     -    -
nginx                 +      -       +     -    -

This package only lacks kTLS/sendfile support; if adding it is possible, it would be nice.

Similar issue: #143

Browsers still using HTTP2

Hi !

I'm trying to build an HTTP3 server with your Docker image, but can't get it working :/

I'm starting it with the command:

docker run --rm   -p 0.0.0.0:8888:80   -p 0.0.0.0:443:443/tcp   -p 0.0.0.0:443:443/udp   \
  -v "$PWD/tests":/static:ro   \
  -v "$PWD/tests/modules.conf":/etc/nginx/main.d/modules.conf:ro   \
  -v "$PWD/tests/perl_rewrite.conf":/etc/nginx/conf.d/perl_rewrite.conf:ro   \
  -v "$PWD/tests/static.conf":/etc/nginx/conf.d/static.conf:ro   \
  -v "$PWD/tests/https.conf":/etc/nginx/conf.d/https.conf:ro   \
  -v "$PWD/tests/localhost.crt":/etc/nginx/ssl/localhost.crt:ro   \
  -v "$PWD/tests/localhost.key":/etc/nginx/ssl/localhost.key:ro  \
  --name test_nginx \
  -t macbre/nginx-http3:latest

Before that I rewrote the https.conf to send the Alt-Svc header with port 443 instead of 8443.

I just replaced the certificates by some I built with Certbot, to make them valid.

If I load my domain in Chrome or Firefox (HTTP3 enabled), the "It works" page (index.html) loads, but in the Network tab I can see it uses HTTP2 instead of 3.

If I test it on https://www.http3check.net/, it fails with "QUIC connection could not be established".

Do you have any clue, or a working live example?

Thanks!
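As an added diagnostic for the report above (not code from the image, nginx, or the reporter), the following parses a server's Alt-Svc header per RFC 7838 and flags h3 entries that advertise a port other than the one published for UDP on the host, which is exactly the 8443-versus-443 mismatch the reporter had to rewrite by hand; the sample header value is constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample: what a server sends when it still advertises the image's
# default 8443 while the host only publishes 443/udp.
SAMPLE_HEADER = 'h3=":8443"; ma=86400, h3-29=":8443"; ma=86400'

# One Alt-Svc alternative (RFC 7838): protocol-id="[host]:port" followed by
# optional ";"-separated parameters such as ma (max age in seconds).
_ALT_VALUE = re.compile(r'\s*([A-Za-z0-9-]+)="([^"]*)"((?:\s*;\s*[^;,]+)*)')


@dataclass(frozen=True)
class AltSvc:
    protocol: str  # "h3", "h3-29", ...
    host: str      # "" means the same host the response came from
    port: int
    max_age: int   # seconds; RFC 7838 default is 86400 when "ma" is absent


def parse_alt_svc(header: str) -> list[AltSvc]:
    """Parse an Alt-Svc header value; the special value "clear" yields no entries."""
    if header.strip().lower() == "clear":
        return []
    entries = []
    for match in _ALT_VALUE.finditer(header):
        protocol, authority, params = match.groups()
        host, _, port = authority.rpartition(":")
        if not port.isdigit():
            continue  # malformed alt-authority: skip rather than guess
        max_age = 86400
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key.lower() == "ma" and value.isdigit():
                max_age = int(value)
        entries.append(AltSvc(protocol, host, int(port), max_age))
    return entries


def h3_port_findings(header: str, published_udp_port: int) -> list[str]:
    """Explain why a browser would stay on HTTP/2: no h3 alternative at all, or an
    h3 alternative pointing at a UDP port the host does not publish."""
    h3 = [e for e in parse_alt_svc(header) if e.protocol.startswith("h3")]
    if not h3:
        return ["no h3 alternative advertised; clients stay on HTTP/1.1 or HTTP/2"]
    return [
        f"{e.protocol} advertised on UDP port {e.port}, but only "
        f"{published_udp_port}/udp is published on the host"
        for e in h3 if e.port != published_udp_port
    ]
```

Feed it the Alt-Svc value your server actually returns (for example `h3_port_findings(SAMPLE_HEADER, 443)` with the sample) and an empty list means the advertised QUIC port matches what Docker publishes.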

unlink() "/var/run/nginx.pid" failed (13: Permission denied)

I get this message in the log when the container starts:

2023-01-19 03:13:49 | 2023/01/19 00:13:49 [alert] 1#1: unlink() "/var/run/nginx.pid" failed (13: Permission denied)

Here is the config:

    proxy:
        image: macbre/nginx-http3:latest
        environment:
            user: nginx
        networks:
            - local_net_overlay
        ports:
            - target: 80
              published: 80
              protocol: tcp
              mode: host
            - target: 443
              published: 443
              protocol: tcp
              mode: host
            - target: 443
              published: 443
              protocol: udp
              mode: host
        volumes:
            - ./certs:/etc/nginx/certs:ro
            - ./config/docker/nginx/config:/etc/nginx/config:ro
            - ./config/docker/nginx/template:/etc/nginx/main-config:ro
        command: ['nginx', '-c', '/etc/nginx/main-config/nginx.conf', '-g', 'daemon off;']
        healthcheck:
            test:
                [
                    'CMD-SHELL',
                    'wget --quiet --tries=1 --spider http://localhost/health-check --no-check-certificate || exit 1',
                ]

Use nginx 1.18

http://nginx.org/en/CHANGES-1.18

2020-04-21

nginx-1.18.0 stable version has been released, incorporating new features and bug fixes from the 1.17.x mainline branch - including the dry run mode in limit_req and limit_conn, variables support in the limit_rate, limit_rate_after, and grpc_pass directives, the auth_delay directive, and more.

Missing http header

Hi,
The fastcgi_param "HTTP_HOST" is not transmitted by default in HTTP3, but when I fall back to HTTP2, it is back.
Is it normal?
