Nginx Docker Container Images

• Docker images
• Environment variables
• Build arguments
• Nginx modules
  • ModSecurity
• Default behaviour
• Customization
• Virtual hosts presets
  • HTML
  • HTTP proxy (application server)
  • Django
  • PHP-based (FastCGI)
    • PHP
    • WordPress
    • Drupal
    • Matomo
  • Custom preset
  • No preset
• Orchestration actions

Docker Images

❗For better reliability we release images with stability tags (wodby/nginx:1.26-X.X.X) which correspond to git tags. We strongly recommend using images only with stability tags.

Overview:

• All images based on Alpine Linux
• Base image: wodby/alpine
• GitHub actions builds
• Docker Hub

Supported tags and respective Dockerfile links:

• 1.27, 1, latest (Dockerfile)
• 1.26 (Dockerfile)

All images built for linux/amd64 and linux/arm64

Environment Variables

Variable	Default Value	Description
NGINX_ALLOW_ACCESS_HIDDEN_FILES
NGINX_BACKEND_FAIL_TIMEOUT	0
NGINX_BACKEND_HOST	Varies with a preset
NGINX_BACKEND_PORT	Varies with a preset
NGINX_BROTLI	on
NGINX_BROTLI_STATIC	on
NGINX_BROTLI_COMP_LEVEL	1
NGINX_CLIENT_BODY_BUFFER_SIZE	16k
NGINX_CLIENT_BODY_TIMEOUT	60s
NGINX_CLIENT_HEADER_BUFFER_SIZE	4k
NGINX_CLIENT_HEADER_TIMEOUT	60s
NGINX_CLIENT_MAX_BODY_SIZE	32m
NGINX_CONF_INCLUDE	conf.d/*.conf
NGINX_DISABLE_CACHING
NGINX_DJANGO_MEDIA_ROOT	/var/www/html/media/
NGINX_DJANGO_MEDIA_URL	/media/
NGINX_DJANGO_STATIC_ROOT	/var/www/html/static/
NGINX_DJANGO_STATIC_URL	/static/
NGINX_DRUPAL_ALLOW_XML_ENDPOINTS
NGINX_DRUPAL_FILE_PROXY_URL		e.g. http://dev.example.com
NGINX_DRUPAL_FILES_STATIC_EXT_REGEX	txt
NGINX_DRUPAL_HIDE_HEADERS
NGINX_DRUPAL_XMLRPC_SERVER_NAME		Drupal 7 only
NGINX_DRUPAL_NOT_FOUND_REGEX	(see Drupal)
NGINX_WP_NOT_FOUND_REGEX	(see Wordpress)
NGINX_ERROR_403_URI
NGINX_ERROR_404_URI
NGINX_ERROR_LOG_LEVEL	error
NGINX_ERROR_MESSAGE_50x
NGINX_FASTCGI_BUFFER_SIZE	32k	For PHP-based presets only
NGINX_FASTCGI_BUFFERS	16 32k	For PHP-based presets only
NGINX_FASTCGI_INDEX	index.php	For PHP-based presets only
NGINX_FASTCGI_INTERCEPT_ERRORS	on	For PHP-based presets only
NGINX_FASTCGI_READ_TIMEOUT	900	For PHP-based presets only
NGINX_GZIP_BUFFERS	16 8k
NGINX_GZIP_COMP_LEVEL	1
NGINX_GZIP_DISABLE	msie6
NGINX_GZIP_HTTP_VERSION	1.1
NGINX_GZIP_MIN_LENGTH	20
NGINX_GZIP_PROXIED	any
NGINX_GZIP_VARY	on
NGINX_GZIP	on
NGINX_HEADERS_CONTENT_SECURITY_POLICY	frame-ancestors: 'none'	different for Drupal and WP presets
NGINX_HIDE_50x_ERRORS
NGINX_HTTP2
NGINX_INDEX_FILE	Varies with a preset	Hard-coded for Drupal and WP
NGINX_KEEPALIVE_REQUESTS	100
NGINX_KEEPALIVE_TIMEOUT	75s
NGINX_LARGE_CLIENT_HEADER_BUFFERS	8 16k
NGINX_LOG_FORMAT_OVERRIDE
NGINX_METRICS_ENABLED	off
NGINX_METRICS_FORMAT	html	html, json, jsonp, prometheus
NGINX_METRICS_ALLOW_FROM
NGINX_MODSECURITY_ENABLED		See ModSecurity
NGINX_MODSECURITY_INBOUND_ANOMALY_SCORE_THRESHOLD	7
NGINX_MODSECURITY_OUTBOUND_ANOMALY_SCORE_THRESHOLD	7
NGINX_MODSECURITY_POST_CORE_RULES		Location to rules loaded after CRS
NGINX_MODSECURITY_PRE_CORE_RULES		Location to rules loaded before CRS
NGINX_MODSECURITY_USE_OWASP_CRS		See ModSecurity
NGINX_MULTI_ACCEPT	on
NGINX_NO_DEFAULT_HEADERS
NGINX_REAL_IP_HEADER	X-Real-IP
NGINX_REAL_IP_RECURSIVE	off
NGINX_RESET_TIMEDOUT_CONNECTION	off
NGINX_SEND_TIMEOUT	60s
NGINX_SENDFILE	on
NGINX_SERVER_EXTRA_CONF_FILEPATH
NGINX_SERVER_NAME	default
NGINX_SERVER_ROOT	/var/www/html
NGINX_SERVER_TOKENS	off
NGINX_SET_REAL_IP_FROM
NGINX_SET_REAL_IPS_FROM		json array as string
NGINX_STATIC_404_TRY_INDEX
NGINX_STATIC_ACCESS_LOG	off
NGINX_STATIC_EXPIRES	1y
NGINX_STATIC_MP4_BUFFER_SIZE	1M
NGINX_STATIC_MP4_MAX_BUFFER_SIZE	5M
NGINX_STATIC_OPEN_FILE_CACHE_ERRORS	on
NGINX_STATIC_OPEN_FILE_CACHE_MIN_USES	2
NGINX_STATIC_OPEN_FILE_CACHE_VALID	30s
NGINX_STATIC_OPEN_FILE_CACHE	max=1000 inactive=30s
NGINX_STATIC_EXT_REGEX	(see below)
NGINX_STATUS_ALLOW_FROM		e.g. 172.18.0.0/16
NGINX_STATUS_ENABLED	off
NGINX_TCP_NODELAY	on
NGINX_TCP_NOPUSH	on
NGINX_TRACK_UPLOADS	uploads 60s
NGINX_UNDERSCORES_IN_HEADERS	off
NGINX_UPLOAD_PROGRESS	uploads 1m
NGINX_USER	nginx
NGINX_VHOST_NO_DEFAULTS
NGINX_VHOST_PRESET	html
NGINX_WORKER_CONNECTIONS	1024
NGINX_WORKER_PROCESSES	auto
NGINX_WP_FILE_PROXY_URL		e.g. http://dev.example.com
NGINX_WP_GOOGLE_XML_SITEMAP		See WordPress
NGINX_WP_YOAST_XML_SITEMAP		See WordPress

Static files extension defined via the regex and can be overridden via the env var NGINX_STATIC_EXT_REGEX, default:

css|cur|js|jpe?g|gif|htc|ico|png|xml|otf|ttf|eot|woff|woff2|svg|mp4|svgz|ogg|ogv|pdf|pptx?|zip|tgz|gz|rar|bz2|doc|xls|exe|tar|mid|midi|wav|bmp|rtf|txt|map|webp

Some environment variables can be overridden or added per preset.

Build arguments

Argument	Default value
WODBY_GROUP_ID	1000
WODBY_USER_ID	1000

Nginx modules

Name	Version	Dynamic
brotli	9aec15e
http_addition
http_auth_request
http_dav
http_flv
http_gunzip
http_gzip_static
http_image_filter		✓
http_modsecurity	See ModSecurity	✓
http_mp4
http_random_index
http_realip
http_secure_link
http_slice
http_ssl
http_stub_status
http_sub
http_uploadprogress	0.9.1
http_v2
http_xslt		✓
mail_ssl
stream_realip
stream_ssl
stream_ssl_preread
vts	3c6cf41

ModSecurity

Component	Version
ModSecurity Nginx module	1.0.0
ModSecurity Library	3.0.3
OWASP CRS	3.1.0

Compiled as a dynamic module, disabled by default. To enable set $NGINX_MODSECURITY_ENABLED to any value. Additionally, you can enable OWASP Core Rule Set (CRS) by setting $NGINX_MODSECURITY_USE_OWASP_CRS to any value, ️be wary since it may block some requests with the default configuration. See env vars starting with $NGINX_MODSECURITY_ for advanced configuration.

Default behavior

Applied to all presets by default, can be disabled via $NGINX_VHOST_NO_DEFAULTS:

• /.well-known/ location supported
• /ads.txt allowed
• /robots.txt allowed
• /humans.txt allowed
• /favicon.ico allowed
• .flv, .m4a, .mp4, .mov locations supported and handled with appropriate modules
• /.healthz location supported, requests not shown in access log

Customization

• Pass real IP from a reverse proxy via $NGINX_SET_REAL_IP_FROM, e.g. 172.17.0.0/16 for docker network
• Pass multiple real IP from reverse proxies via $NGINX_SET_REAL_IPS_FROM In a docker-compose.yml this can be done like this:

  environment:
    NGINX_SET_REAL_IPS_FROM: "[\"172.17.0.0/16\", \"192.168.0.10\"]"
  
  environment:
    NGINX_SET_REAL_IPS_FROM: |-
      ["172.17.0.0/16", "192.168.0.10"]
  

• Customize the header which value will be used to replace the client address via $NGINX_REAL_IP_HEADER
• Default recommended headers can be disabled via $NGINX_NO_DEFAULT_HEADERS (defined in nginx.conf)
• The value for the Content-Security-Policy header can be changed using $NGINX_HEADERS_CONTENT_SECURITY_POLICY, it's default value is frame-ancestors: 'none'. More information on this header can be found here.
• Error page file can be customized for HTTP errors 403 ($NGINX_ERROR_403_URI) and 404 ($NGINX_ERROR_404_URI)
• Default error page for HTTP errors 500, 502, 503, 504 can be disabled via $NGINX_HIDE_50x_ERRORS
• Access to hidden files (starting with .) can be allowed via $NGINX_ALLOW_ACCESS_HIDDEN_FILES
• Caching can be disabled via $NGINX_DISABLE_CACHING
• Add extra locations via $NGINX_SERVER_EXTRA_CONF_FILEPATH=/filepath/to/nginx-locations.conf, the file will be included at the end of default rules (server context)
• Completely override include of the virtual host config by overriding NGINX_CONF_INCLUDE, it will be included in nginx.conf
• Define custom preset
• Status page /.statusz can be enabled via $NGINX_STATUS_ENABLED, requests not shown in access log
• Metrics page /.metricsz can be enabled via $NGINX_METRICS_ENABLED, requests not shown in access log
• Metrics page format can be customized via $NGINX_METRICS_FORMAT, supports json, html, jsonp and prometheus

Virtual hosts presets

Virtual host preset html will be used by default, you can change it via env var $NGINX_VHOST_PRESET. The list of available presets:

HTML

• Preset template
• Usage: this preset selected by default

Overridden default values:

Variable	Default Value
NGINX_INDEX_FILE	index.html

HTTP proxy (application server)

• Preset template
• Usage: add NGINX_VHOST_PRESET=http-proxy and NGINX_BACKEND_HOST=[HOST]

Overridden default values:

Variable	Default Value
NGINX_BACKEND_HOST
NGINX_BACKEND_PORT	8080

Django

Same as HTTP proxy but with additional media/static locations for Django.

• Preset template
• Usage: add NGINX_VHOST_PRESET=django

Overridden default values:

Variable	Default Value
NGINX_BACKEND_HOST	python
NGINX_BACKEND_PORT	8080

PHP-based (FastCGI)

Overridden default values:

Variable	Default Value
NGINX_BACKEND_HOST	php
NGINX_BACKEND_PORT	9000

PHP

• Preset template
• Usage: add NGINX_VHOST_PRESET=php, optionally modify NGINX_BACKEND_HOST

Overridden default values:

Variable	Default Value
NGINX_INDEX_FILE	index.php index.html

WordPress

• Preset template
• Usage: add NGINX_VHOST_PRESET=wordpress, optionally modify NGINX_BACKEND_HOST
• Access to *.txt files allowed only if they are located in uploads directory
• Access to /wp-content/uploads/woocommerce_uploads disallowed
• Dynamic generated /robots.txt supported
• Supports /wp-sitemap.xml endpoint
• Alternative sitemap.xml endpoints:
  • For plugin Google XML Sitemap add $NGINX_WP_GOOGLE_XML_SITEMAP=1
  • For plugin Yoast SEO add $NGINX_WP_YOAST_XML_SITEMAP=1
• Default value of NGINX_HEADERS_CONTENT_SECURITY_POLICY overridden to frame-ancestors: 'self'

Default value of NGINX_WP_NOT_FOUND_REGEX (backspaces must be escaped) is: .+\\.(?:txt|md|pot|sh|.*sql?)|(?:composer\\.(json|lock)|(package|package-lock)\\.json|yarn\\.lock)$

Drupal

• Preset templates: Drupal 10, Drupal 9, Drupal 8, Drupal 7
• Usage: add NGINX_VHOST_PRESET= with the value of drupal10, drupal9, drupal8 or drupal7. Optionally modify NGINX_BACKEND_HOST
• If you want to use stage_file_proxy module, set $NGINX_STATIC_404_TRY_INDEX=1 to redirect 404 static files requests to Drupal
• Access to .txt (can be overridden via NGINX_DRUPAL_FILES_STATIC_EXT_REGEX) files allowed only if they are located in files directory
• Access to certs extensions gives 404 based on the value of $NGINX_DRUPAL_NOT_FOUND_REGEX
• Default value of NGINX_HEADERS_CONTENT_SECURITY_POLICY overridden to frame-ancestors: 'self'

Default value of NGINX_DRUPAL_NOT_FOUND_REGEX (backspaces must be escaped) is taken from Drupal's .htaccess and depends on the Drupal version:

Drupal 10/9/8:

\\.(engine|md|txt|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\\.php)?|xtmpl|yml|yaml)(~|\\.sw[op]|\\.bak|\\.orig|\\.save)?$|^(\\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template)$|(web\\.config|composer\\.(json|lock)|(package|package-lock)\\.json|yarn\\.lock)$|^#.*#$|\\.php(~|\\.sw[op]|\\.bak|\\.orig|\\.save)$

Drupal 7:

\\.(engine|txt|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\\.php)?|xtmpl|yml|yaml)(~|\\.sw[op]|\\.bak|\\.orig|\\.save)?$|^(\\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\\.(json|lock)|(package|package-lock)\\.json|yarn\\.lock)$|^#.*#$|\\.php(~|\\.sw[op]|\\.bak|\\.orig\\.save)$

Matomo

Based on https://github.com/matomo-org/matomo-nginx

The default value of NGINX_STATIC_EXT_REGEX overridden:

css|cur|js|jpe?g|gif|htc|ico|png|xml|otf|ttf|eot|woff|woff2|svg|mp4|svgz|ogg|ogv|pdf|pptx?|zip|tgz|gz|rar|bz2|doc|xls|exe|tar|mid|midi|wav|bmp|rtf|txt|map|webp|json|html

Custom preset

You can use a custom by preset by mounting your preset to /etc/gotpl/presets/[my-preset-name].conf.tmpl and setting $NGINX_VHOST_PRESET=[my-preset-name].

No preset

To disable presets set $NGINX_VHOST_PRESET=""

Maintenance

Updates to Nginx and base image automated via wodby/images.

Orchestration actions

Usage:

make COMMAND [params ...]

commands:
    init
    git-checkout [target is_hash]
    check-ready [host max_try wait_seconds delay_seconds]

default params values:
    host localhost
    max_try 1
    wait_seconds 1
    delay_seconds 0