This container builds the latest stable Nginx with the latest BoringSSL code. It was created to aid with the easy deployment of TLS 1.3 services at a time when most Linux distributions were not packaging a version of OpenSSL that could handle it.

There are versions of this container which build against:

• BoringSSL
• LibreSSL
• OpenSSL

Run this container as a quick test (it will listen on http://127.0.0.1 and you will see logs directly in the terminal when connections are made):

docker run --rm -it -p 80:80 registry.gitlab.com/alexhaydock/boringnginx

Run this container as a daemon with your own config file:

docker run -d -p 80:80 -p 443:443 -v /path/to/nginx.conf:/etc/nginx.conf:ro --name nginx registry.gitlab.com/alexhaydock/boringnginx

If you have a regular install of Docker on an x64_64 machine, you can build this container like so:

docker build --rm -t boringnginx https://gitlab.com/alexhaydock/boringnginx.git

You can now use the same run commands as above, simply substituting registry.gitlab.com/alexhaydock/boringnginx with boringnginx.

You can lock down this container and run without root and dropping all capabilities by using the --user and --cap-drop=ALL arguments:

docker run --rm -it -p 80:8080 --user 6666 --cap-drop=ALL registry.gitlab.com/alexhaydock/boringnginx

You will need to make sure that the UID you pick matches the one you have set as the NGINX_ID in the Dockerfile, and that any configs which you mount into the container are owned by this UID (it does not need to exist on the host system).

If you are running rootless like this, you will also want to ensure that the nginx.conf does not attempt to listen on any ports below 1000 (you can still listen on :80 and :443 externally since the Docker daemon runs as root and can handle this - Nginx does not need to).