.forgejo/workflows Fix: use v4 tag instead of SHA for actions/checkout 2026-02-28 17:47:55 +00:00
.dockerignore Implement security hardening and CI/CD consolidation 2026-02-28 17:41:57 +00:00
.gitignore Implement security hardening and CI/CD consolidation 2026-02-28 17:41:57 +00:00
default.conf Implement security hardening and CI/CD consolidation 2026-02-28 17:41:57 +00:00
Dockerfile Implement security hardening and CI/CD consolidation 2026-02-28 17:41:57 +00:00
README.md doc: Add Security section to README 2026-03-02 10:34:59 +00:00

nginx-base

A minimal nginx Docker image based on Alpine Linux, designed to replace nginx:stable-alpine.

Pre-Built Images

  • latest (recommended): git.existiert.ch/leberschnitzel/nginx-base:latest
  • Alpine Latest: git.existiert.ch/leberschnitzel/nginx-base:1.28.0-alpine-latest
  • Alpine Edge: git.existiert.ch/leberschnitzel/nginx-base:1.28.0-alpine-edge

Build Information

  • Base Image: alpine:latest
  • Nginx Version: 1.28.0 (from Alpine repositories)
  • Image Size: ~10.4 MB

Motivation

The official nginx:stable-alpine image appears to be no longer actively updated and has known security issues. This project provides a drop-in replacement that:

  • Uses Alpine edge for the latest package updates
  • Uses the --update flag during the build to fetch fresh package indexes
  • Maintains compatibility with existing nginx configurations

Features

  • Lightweight Alpine-based image
  • Nginx installed from Alpine repositories
  • Configured to run as a foreground process (daemon off)
  • Exposes port 80 by default

Security

This image includes several security hardening measures:

Security Headers

The default configuration includes the following security headers:

  • X-Frame-Options: DENY - Prevents clickjacking
  • X-Content-Type-Options: nosniff - Prevents MIME-type sniffing
  • X-XSS-Protection: 1; mode=block - Enables the browser's XSS filter (honored only by older browsers that still implement it)
  • Content-Security-Policy: default-src 'self' - Restricts content to same-origin
  • server_tokens off - Hides nginx version information

Alpine Base

Uses Alpine Linux for a minimal attack surface, with packages installed from the edge repository for the latest security patches.

Custom Configuration Considerations

When using custom configuration files, security headers must be explicitly included:

  • Default config location: /etc/nginx/http.d/default.conf
  • Security headers are defined in the default config
  • If you provide a custom config without these headers, responses will no longer carry them

To keep the security headers, add them to your custom.conf and then mount it over the default config:

docker run -p 80:80 -v ./custom.conf:/etc/nginx/http.d/default.conf nginx-base

Or in a Dockerfile:

FROM nginx-base
COPY custom.conf /etc/nginx/http.d/default.conf
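A pre-mount check for the situation described above, as an added example that is not part of this project: it lists which of the README's headers a custom config never sets, and flags `add_header` lines inside nested blocks, where nginx stops inheriting the outer set. The function names and sample configs are constructed for illustration; it assumes one directive per line and that `server_tokens off;` is set in the same file.

```shell
#!/usr/bin/env bash
# Added example: lint a custom nginx config before mounting it over default.conf.
# Assumptions: one directive per line; server_tokens is set in the same file.
REQUIRED="X-Frame-Options X-Content-Type-Options X-XSS-Protection Content-Security-Policy"

# missing_headers FILE: print each required header the file never sets,
# plus "server_tokens" when "server_tokens off;" is absent. Comments are ignored.
missing_headers() {
  for h in $REQUIRED; do
    sed 's/#.*//' "$1" |
      grep -Eiq "^[[:space:]]*add_header[[:space:]]+[\"']?$h[\"']?[[:space:]]" || echo "$h"
  done
  sed 's/#.*//' "$1" |
    grep -Eq '^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;' || echo server_tokens
}

# nested_add_header_lines FILE: line numbers of add_header inside a nested block
# (such as location). nginx inherits add_header from the outer level only when
# the inner level defines none, so each flagged block must repeat the full set.
nested_add_header_lines() {
  awk '{ sub(/#.*/, "")
         if ($1 == "add_header" && depth >= 2) print NR
         depth += gsub(/[{]/, "{") - gsub(/[}]/, "}") }' "$1"
}

# Constructed sample configs (not the project's default.conf).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/weak.conf" <<'EOF'
server {
    # add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    location /static/ {
        add_header Cache-Control "public, max-age=3600";
    }
}
EOF
cat > "$SAMPLES/hardened.conf" <<'EOF'
server {
    server_tokens off;
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Content-Security-Policy "default-src 'self'" always;
    location / { root /usr/share/nginx/html; }
}
EOF
echo "weak.conf is missing: $(missing_headers "$SAMPLES/weak.conf" | tr '\n' ' ')"
echo "weak.conf nested add_header line(s): $(nested_add_header_lines "$SAMPLES/weak.conf")"
```

In the constructed weak.conf, responses under /static/ would carry only Cache-Control, because the location's own add_header replaces the server-level set.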

Usage

Build the image

docker build -t nginx-base .

Run with default configuration

docker run -p 80:80 nginx-base

Mount custom configuration

docker run -p 80:80 -v ./custom.conf:/etc/nginx/http.d/default.conf nginx-base

Serve static files

docker run -p 80:80 -v ./html:/usr/share/nginx/html nginx-base

Customization

The default configuration serves files from /usr/share/nginx/html with basic error handling. Modify default.conf to customize:

  • Server name and ports
  • Location blocks
  • Reverse proxy settings
  • SSL/TLS configuration

Build Arguments

Argument        Default  Description
ALPINE_VERSION  latest   Alpine base image tag (latest, edge, or specific version like 3.20)

Build with different Alpine versions

# Use edge for rolling updates
docker build --build-arg ALPINE_VERSION=edge -t nginx-base:edge .

# Pin to a specific version
docker build --build-arg ALPINE_VERSION=3.20 -t nginx-base:3.20 .

Notes

  • This image uses Alpine latest by default for stable releases
  • Set the ALPINE_VERSION build arg to edge for rolling updates (more recent packages, less predictable)