lzlrd · October 18, 2023 03:00
diff --git a/Dockerfile b/Dockerfile
 FROM alpine:latest

 ENV LD_PRELOAD=/usr/lib/libmimalloc-secure.so
 ENV MIMALLOC_LARGE_OS_PAGES=1
 ENV NGINX_VERSION=1.25.2

 RUN GPG_KEYS=13C82A63B603576156E30A4EA0EA981B66B0D967 \
 	&& CONFIG="\
 		--prefix=/etc/nginx \
 		--sbin-path=/usr/sbin/nginx \
 		--modules-path=/usr/lib/nginx/modules \
 		--conf-path=/etc/nginx/nginx.conf \
 		--error-log-path=/var/log/nginx/error.log \
 		--http-log-path=/var/log/nginx/access.log \
 		--pid-path=/var/run/nginx.pid \
 		--lock-path=/var/run/nginx.lock \
 		--http-client-body-temp-path=/var/cache/nginx/client_temp \
 		--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
 		--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
 		--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
 		--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
 		--user=nginx \
 		--group=nginx \
 		--with-http_ssl_module \
 		--with-http_realip_module \
 		--with-http_addition_module \
 		--with-http_sub_module \
 		--with-http_dav_module \
 		--with-http_flv_module \
 		--with-http_mp4_module \
 		--with-http_gunzip_module \
 		--with-http_gzip_static_module \
 		--with-http_random_index_module \
 		--with-http_secure_link_module \
 		--with-http_stub_status_module \
 		--with-http_auth_request_module \
 		--with-http_xslt_module=dynamic \
 		--with-http_image_filter_module=dynamic \
 		--with-http_geoip_module=dynamic \
 		--with-http_perl_module=dynamic \
 		--with-threads \
 		--with-stream \
 		--with-stream_ssl_module \
 		--with-stream_ssl_preread_module \
 		--with-stream_realip_module \
 		--with-stream_geoip_module=dynamic \
 		--with-http_slice_module \
 		--with-mail \
 		--with-mail_ssl_module \
 		--with-compat \
 		--with-file-aio \
 		--with-http_v2_module \
 		--with-http_v3_module \
 		--with-cc-opt=-march=native \
 		--with-cc-opt=-O3 \
 		--with-cc-opt=-mpclmul \
 		--with-cc-opt=-fgraphite-identity \
 		--with-cc-opt=-floop-nest-optimize \
 		--add-dynamic-module=/usr/src/ngx_headers_more \
 		--add-dynamic-module=/usr/src/ngx_brotli \
 		--add-dynamic-module=/usr/src/njs/nginx \
 		--add-dynamic-module=/usr/src/ngx_zstd \
 	" \
 	&& addgroup -S nginx \
 	&& adduser -D -S -h /var/cache/nginx -s /sbin/nologin -G nginx nginx \
 	&& apk add --no-cache --virtual .build-deps \
 		autoconf \
 		automake \
 		bind-tools \
 		binutils \
 		build-base \
 		ca-certificates \
 		cmake \
 		curl \
 		gcc \
 		gd-dev \
 		geoip-dev \
 		git \
 		gnupg \
 		go \
 		libc-dev \
 		libgcc \
 		libstdc++ \
 		libtool \
 		libxslt-dev \
 		linux-headers \
 		make \
 		pcre \
 		pcre-dev \
 		perl-dev \
 		su-exec \
 		tar \
 		tzdata \
 		mercurial \
 	&& (git clone --depth 1 --recursive https://github.com/zlib-ng/zlib-ng /usr/src/zlib-ng \
 		&& cmake \
 			-B /usr/src/zlib-ng/build \
 			-DCMAKE_BUILD_TYPE=Release \
 			-DCMAKE_INSTALL_PREFIX="/usr" \
 			-DCMAKE_INSTALL_LIBDIR="/lib" \
 			-DWITH_GTEST=OFF -DZLIB_COMPAT=ON \
 			-S /usr/src/zlib-ng \
 			-DWITH_NATIVE_INSTRUCTIONS=ON \
 			-DCMAKE_C_FLAGS="-mpclmul -fgraphite-identity -floop-nest-optimize" \
 		&& make -C /usr/src/zlib-ng/build -j$(getconf _NPROCESSORS_ONLN) \
 		&& make -C /usr/src/zlib-ng/build install) \
 	\
 	&& (git clone --depth 1 --recursive https://github.com/microsoft/mimalloc /usr/src/mimalloc \
 		&& cmake -B /usr/src/mimalloc/build -DCMAKE_C_FLAGS="-march=native -mpclmul -fgraphite-identity -floop-nest-optimize" -DCMAKE_INSTALL_PREFIX=/usr -DMI_SECURE=ON -S /usr/src/mimalloc \
 		&& make -C /usr/src/mimalloc/build -j$(getconf _NPROCESSORS_ONLN) \
 		&& make -C /usr/src/mimalloc/build install) \
 	\
 	&& curl -fSL https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz -o nginx.tar.gz \
 	&& curl -fSL https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz.asc  -o nginx.tar.gz.asc \
 	&& export GNUPGHOME="$(mktemp -d)" \
 	&& found=''; \
 	for server in \
 		ha.pool.sks-keyservers.net \
 		hkp://keyserver.ubuntu.com:80 \
 		hkp://p80.pool.sks-keyservers.net:80 \
 		pgp.mit.edu \
 	; do \
 		echo "Fetching GPG key $GPG_KEYS from $server"; \
 		gpg --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$GPG_KEYS" && found=yes && break; \
 	done; \
 	test -z "$found" && echo >&2 "error: failed to fetch GPG key $GPG_KEYS" && exit 1; \
 	gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz \
 	&& rm -rf "$GNUPGHOME" nginx.tar.gz.asc \
 	&& mkdir -p /usr/src \
 	\
 	&& git clone --depth=1 --recurse-submodules https://github.com/google/ngx_brotli /usr/src/ngx_brotli \
 	&& git clone --depth=1 --recurse-submodules https://github.com/tokers/zstd-nginx-module /usr/src/ngx_zstd \
 	&& git clone --depth=1 https://github.com/openresty/headers-more-nginx-module /usr/src/ngx_headers_more \
 	&& hg clone http://hg.nginx.org/njs /usr/src/njs \
 	&& (git clone --depth 1 --recursive https://github.com/quictls/openssl /usr/src/quictls \
 		&& git clone --depth 1 --branch main https://github.com/open-quantum-safe/liboqs /usr/src/liboqs \
 		&& git clone --depth 1 --branch main https://github.com/open-quantum-safe/oqs-provider usr/src/oqs-provider \
 		&& cd /usr/src/quictls \
 		&& perl ./Configure "linux-x86_64" \
 			--prefix=/usr \
 			--libdir=lib \
 			--openssldir=/etc/ssl \
 			enable-ktls \
 			shared \
 			no-zlib \
 			no-async \
 			no-comp \
 			no-idea \
 			no-mdc2 \
 			no-rc5 \
 			no-ec2m \
 			no-ssl3 \
 			no-seed \
 			no-weak-ssl-ciphers \
 			"enable-ec_nistp_64_gcc_128" \
 			-march=native -O3 -mpclmul -fgraphite-identity -floop-nest-optimize \
 			-Wa,--noexecstack \
 		&& perl configdata.pm --dump \
 		&& make -j$(getconf _NPROCESSORS_ONLN) \
 		&& make install \
 		&& cmake -DOQS_DIST_BUILD=OFF -DBUILD_SHARED_LIBS=ON -DCMAKE_INSTALL_PREFIX=/usr -S /usr/src/liboqs -B /usr/src/liboqs/build -DCMAKE_BUILD_TYPE=Release -DOQS_USE_OPENSSL=ON -DOQS_USE_AES_OPENSSL=ON -DOQS_USE_SHA2_OPENSSL=ON -DOQS_USE_SHA3_OPENSSL=ON -DOQS_DIST_BUILD=native -DCMAKE_C_FLAGS="-mpclmul -fgraphite-identity -floop-nest-optimize" \
 		&& make -C /usr/src/liboqs/build -j$(getconf _NPROCESSORS_ONLN) \
 		&& make -C /usr/src/liboqs/build install \
 		&& sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" /etc/ssl/openssl.cnf \
 		&& sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /etc/ssl/openssl.cnf \
 		&& cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=/usr -S /usr/src/oqs-provider -B /usr/src/oqs-provider/build -DCMAKE_C_FLAGS="-march=native -O3 -mpclmul -fgraphite-identity -floop-nest-optimize" \
 		&& cmake --build /usr/src/oqs-provider/build \
 		&& cp /usr/src/oqs-provider/build/lib/oqsprovider.so /usr/lib/ossl-modules/) \
 	\
 	&& tar -zxC /usr/src -f nginx.tar.gz \
 	&& rm nginx.tar.gz \
 	&& cd /usr/src/nginx-$NGINX_VERSION \
 	&& curl -fSL https://raw.githubusercontent.com/nginx-modules/ngx_http_tls_dyn_size/master/nginx__dynamic_tls_records_1.25.1%2B.patch -o dynamic_tls_records.patch \
 	&& patch -p1 < dynamic_tls_records.patch \
 	&& ./configure $CONFIG --with-debug \
 	&& make -j$(getconf _NPROCESSORS_ONLN) \
 	&& mv objs/nginx objs/nginx-debug \
 	&& mv objs/ngx_http_xslt_filter_module.so objs/ngx_http_xslt_filter_module-debug.so \
 	&& mv objs/ngx_http_image_filter_module.so objs/ngx_http_image_filter_module-debug.so \
 	&& mv objs/ngx_http_geoip_module.so objs/ngx_http_geoip_module-debug.so \
 	&& mv objs/ngx_http_perl_module.so objs/ngx_http_perl_module-debug.so \
 	&& mv objs/ngx_stream_geoip_module.so objs/ngx_stream_geoip_module-debug.so \
 	&& ./configure $CONFIG \
 	&& make -j$(getconf _NPROCESSORS_ONLN) \
 	&& make install \
 	&& rm -rf /etc/nginx/html/ \
 	&& mkdir /etc/nginx/conf.d/ \
 	&& mkdir -p /usr/share/nginx/html/ \
 	&& install -m644 html/index.html /usr/share/nginx/html/ \
 	&& install -m644 html/50x.html /usr/share/nginx/html/ \
 	&& install -m755 objs/nginx-debug /usr/sbin/nginx-debug \
 	&& install -m755 objs/ngx_http_xslt_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_xslt_filter_module-debug.so \
 	&& install -m755 objs/ngx_http_image_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_image_filter_module-debug.so \
 	&& install -m755 objs/ngx_http_geoip_module-debug.so /usr/lib/nginx/modules/ngx_http_geoip_module-debug.so \
 	&& install -m755 objs/ngx_http_perl_module-debug.so /usr/lib/nginx/modules/ngx_http_perl_module-debug.so \
 	&& install -m755 objs/ngx_stream_geoip_module-debug.so /usr/lib/nginx/modules/ngx_stream_geoip_module-debug.so \
 	&& ln -s ../../usr/lib/nginx/modules /etc/nginx/modules \
 	&& strip /usr/sbin/nginx* \
 	&& strip /usr/lib/nginx/modules/*.so \
 	&& rm -rf /usr/src/nginx-$NGINX_VERSION \
 	&& rm -rf /usr/src/quictls /usr/src/liboqs /usr/src/oqs-provider /usr/src/ngx_* /usr/src/njs \
 	\
 	# Bring in gettext so we can get `envsubst`, then throw
 	# the rest away. To do this, we need to install `gettext`
 	# then move `envsubst` out of the way so `gettext` can
 	# be deleted completely, then move `envsubst` back.
 	&& apk add --no-cache --virtual .gettext gettext \
 	&& mv /usr/bin/envsubst /tmp/ \
 	\
 	&& runDeps="$( \
 		scanelf --needed --nobanner /usr/sbin/nginx /usr/lib/nginx/modules/*.so /tmp/envsubst \
 			| awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \
 			| sort -u \
 			| xargs -r apk info --installed \
 			| sort -u \
 	) tzdata ca-certificates" \
 	&& apk add --no-cache --virtual .nginx-rundeps $runDeps \
 	&& apk del .build-deps \
 	&& apk del .gettext \
 	&& mv /tmp/envsubst /usr/local/bin/ \
 	\
 	# Forward request and error logs to docker log collector.
 	&& ln -sf /dev/stdout /var/log/nginx/access.log \
 	&& ln -sf /dev/stderr /var/log/nginx/error.log

 COPY nginx.conf /etc/nginx/nginx.conf
 COPY nginx.vh.no-default.conf /etc/nginx/conf.d/default.conf

 LABEL description="NGINX Docker built top of rolling release QuicTLS, Zlib-ng, the ZSTD module, Mimalloc, and the OQS Provider." \
      maintainer="Diab Neiroukh <[email protected]>" \
      openssl="QuicTLS" \
      nginx="nginx $NGINX_VERSION"

 EXPOSE 80 443 443/udp

 STOPSIGNAL SIGTERM

 CMD ["nginx", "-g", "daemon off;"]
diff --git a/nginx.conf b/nginx.conf

 # load_module modules/ngx_http_xslt_filter_module.so;
 # load_module modules/ngx_http_image_filter_module.so;
 # load_module modules/ngx_http_geoip_module.so;
 # load_module modules/ngx_http_perl_module.so;
 # load_module modules/ngx_stream_geoip_module.so;
 load_module modules/ngx_http_headers_more_filter_module.so;
 load_module modules/ngx_http_brotli_static_module.so;
 #load_module modules/ngx_http_brotli_filter_module.so;
 load_module modules/ngx_http_js_module.so;

 user  nginx;
 worker_processes  1;

 error_log  /var/log/nginx/error.log warn;
 pid        /var/run/nginx.pid;

 pcre_jit  on;

 events {
    worker_connections  1024;
 }

 http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    aio             threads;

    tcp_nopush      on;
    tcp_nodelay     on;
    server_tokens   off;

    keepalive_disable  msie6;

    ssl_dyn_rec_enable on;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ecdh_curve X25519:P-521:P-384;
    ssl_ciphers [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384]:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 15m;
    ssl_session_tickets off;

    http2 on;
    http3 on;
    quic_retry on;
    ssl_early_data on;
    
    gzip_static on;
    gzip on;
    gzip_comp_level 5;
    gzip_min_length 512;
    gzip_proxied any;
    gzip_vary on;
    gzip_disable "msie6";
    gzip_types
        text/plain
        text/css
        text/x-component
        text/javascript application/javascript application/x-javascript
        text/xml application/xml application/rss+xml
        application/json
        application/vnd.ms-fontobject
        font/truetype font/opentype
        image/svg+xml;

    brotli_static on;
    #brotli on;
    #brotli_comp_level 6;
    #brotli_types
    #    text/plain
    #    text/css
    #    text/x-component
    #    text/javascript application/javascript application/x-javascript
    #    text/xml application/xml application/rss+xml
    #    application/json
    #    application/vnd.ms-fontobject
    #    font/truetype font/opentype
    #    image/svg+xml;

    include /etc/nginx/conf.d/*.conf;
 }
diff --git a/nginx.vh.no-default.conf b/nginx.vh.no-default.conf
 # Drop requests for unknown hosts
 #
 # If no default server is defined, nginx will use the first found server.
 # To prevent host header attacks, or other potential problems when an unknown
 # servername is used in a request, it's recommended to drop the request
 # returning 444 "no response".

 server {
  listen 80 default_server;
  return 444;
 }

 server {
  listen 443 ssl http2 default_server;
  ssl_reject_handshake on;
 }
	FROM alpine:latest

	ENV LD_PRELOAD=/usr/lib/libmimalloc-secure.so
	ENV MIMALLOC_LARGE_OS_PAGES=1
	ENV NGINX_VERSION=1.25.2

	RUN GPG_KEYS=13C82A63B603576156E30A4EA0EA981B66B0D967 \
	&& CONFIG="\
	--prefix=/etc/nginx \
	--sbin-path=/usr/sbin/nginx \
	--modules-path=/usr/lib/nginx/modules \
	--conf-path=/etc/nginx/nginx.conf \
	--error-log-path=/var/log/nginx/error.log \
	--http-log-path=/var/log/nginx/access.log \
	--pid-path=/var/run/nginx.pid \
	--lock-path=/var/run/nginx.lock \
	--http-client-body-temp-path=/var/cache/nginx/client_temp \
	--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
	--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
	--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
	--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
	--user=nginx \
	--group=nginx \
	--with-http_ssl_module \
	--with-http_realip_module \
	--with-http_addition_module \
	--with-http_sub_module \
	--with-http_dav_module \
	--with-http_flv_module \
	--with-http_mp4_module \
	--with-http_gunzip_module \
	--with-http_gzip_static_module \
	--with-http_random_index_module \
	--with-http_secure_link_module \
	--with-http_stub_status_module \
	--with-http_auth_request_module \
	--with-http_xslt_module=dynamic \
	--with-http_image_filter_module=dynamic \
	--with-http_geoip_module=dynamic \
	--with-http_perl_module=dynamic \
	--with-threads \
	--with-stream \
	--with-stream_ssl_module \
	--with-stream_ssl_preread_module \
	--with-stream_realip_module \
	--with-stream_geoip_module=dynamic \
	--with-http_slice_module \
	--with-mail \
	--with-mail_ssl_module \
	--with-compat \
	--with-file-aio \
	--with-http_v2_module \
	--with-http_v3_module \
	--with-cc-opt=-march=native \
	--with-cc-opt=-O3 \
	--with-cc-opt=-mpclmul \
	--with-cc-opt=-fgraphite-identity \
	--with-cc-opt=-floop-nest-optimize \
	--add-dynamic-module=/usr/src/ngx_headers_more \
	--add-dynamic-module=/usr/src/ngx_brotli \
	--add-dynamic-module=/usr/src/njs/nginx \
	--add-dynamic-module=/usr/src/ngx_zstd \
	" \
	&& addgroup -S nginx \
	&& adduser -D -S -h /var/cache/nginx -s /sbin/nologin -G nginx nginx \
	&& apk add --no-cache --virtual .build-deps \
	autoconf \
	automake \
	bind-tools \
	binutils \
	build-base \
	ca-certificates \
	cmake \
	curl \
	gcc \
	gd-dev \
	geoip-dev \
	git \
	gnupg \
	go \
	libc-dev \
	libgcc \
	libstdc++ \
	libtool \
	libxslt-dev \
	linux-headers \
	make \
	pcre \
	pcre-dev \
	perl-dev \
	su-exec \
	tar \
	tzdata \
	mercurial \
	&& (git clone --depth 1 --recursive https://github.com/zlib-ng/zlib-ng /usr/src/zlib-ng \
	&& cmake \
	-B /usr/src/zlib-ng/build \
	-DCMAKE_BUILD_TYPE=Release \
	-DCMAKE_INSTALL_PREFIX="/usr" \
	-DCMAKE_INSTALL_LIBDIR="/lib" \
	-DWITH_GTEST=OFF -DZLIB_COMPAT=ON \
	-S /usr/src/zlib-ng \
	-DWITH_NATIVE_INSTRUCTIONS=ON \
	-DCMAKE_C_FLAGS="-mpclmul -fgraphite-identity -floop-nest-optimize" \
	&& make -C /usr/src/zlib-ng/build -j$(getconf _NPROCESSORS_ONLN) \
	&& make -C /usr/src/zlib-ng/build install) \
	\
	&& (git clone --depth 1 --recursive https://github.com/microsoft/mimalloc /usr/src/mimalloc \
	&& cmake -B /usr/src/mimalloc/build -DCMAKE_C_FLAGS="-march=native -mpclmul -fgraphite-identity -floop-nest-optimize" -DCMAKE_INSTALL_PREFIX=/usr -DMI_SECURE=ON -S /usr/src/mimalloc \
	&& make -C /usr/src/mimalloc/build -j$(getconf _NPROCESSORS_ONLN) \
	&& make -C /usr/src/mimalloc/build install) \
	\
	&& curl -fSL https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz -o nginx.tar.gz \
	&& curl -fSL https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz.asc -o nginx.tar.gz.asc \
	&& export GNUPGHOME="$(mktemp -d)" \
	&& found=''; \
	for server in \
	ha.pool.sks-keyservers.net \
	hkp://keyserver.ubuntu.com:80 \
	hkp://p80.pool.sks-keyservers.net:80 \
	pgp.mit.edu \
	; do \
	echo "Fetching GPG key $GPG_KEYS from $server"; \
	gpg --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$GPG_KEYS" && found=yes && break; \
	done; \
	test -z "$found" && echo >&2 "error: failed to fetch GPG key $GPG_KEYS" && exit 1; \
	gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz \
	&& rm -rf "$GNUPGHOME" nginx.tar.gz.asc \
	&& mkdir -p /usr/src \
	\
	&& git clone --depth=1 --recurse-submodules https://github.com/google/ngx_brotli /usr/src/ngx_brotli \
	&& git clone --depth=1 --recurse-submodules https://github.com/tokers/zstd-nginx-module /usr/src/ngx_zstd \
	&& git clone --depth=1 https://github.com/openresty/headers-more-nginx-module /usr/src/ngx_headers_more \
	&& hg clone http://hg.nginx.org/njs /usr/src/njs \
	&& (git clone --depth 1 --recursive https://github.com/quictls/openssl /usr/src/quictls \
	&& git clone --depth 1 --branch main https://github.com/open-quantum-safe/liboqs /usr/src/liboqs \
	&& git clone --depth 1 --branch main https://github.com/open-quantum-safe/oqs-provider usr/src/oqs-provider \
	&& cd /usr/src/quictls \
	&& perl ./Configure "linux-x86_64" \
	--prefix=/usr \
	--libdir=lib \
	--openssldir=/etc/ssl \
	enable-ktls \
	shared \
	no-zlib \
	no-async \
	no-comp \
	no-idea \
	no-mdc2 \
	no-rc5 \
	no-ec2m \
	no-ssl3 \
	no-seed \
	no-weak-ssl-ciphers \
	"enable-ec_nistp_64_gcc_128" \
	-march=native -O3 -mpclmul -fgraphite-identity -floop-nest-optimize \
	-Wa,--noexecstack \
	&& perl configdata.pm --dump \
	&& make -j$(getconf _NPROCESSORS_ONLN) \
	&& make install \
	&& cmake -DOQS_DIST_BUILD=OFF -DBUILD_SHARED_LIBS=ON -DCMAKE_INSTALL_PREFIX=/usr -S /usr/src/liboqs -B /usr/src/liboqs/build -DCMAKE_BUILD_TYPE=Release -DOQS_USE_OPENSSL=ON -DOQS_USE_AES_OPENSSL=ON -DOQS_USE_SHA2_OPENSSL=ON -DOQS_USE_SHA3_OPENSSL=ON -DOQS_DIST_BUILD=native -DCMAKE_C_FLAGS="-mpclmul -fgraphite-identity -floop-nest-optimize" \
	&& make -C /usr/src/liboqs/build -j$(getconf _NPROCESSORS_ONLN) \
	&& make -C /usr/src/liboqs/build install \
	&& sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" /etc/ssl/openssl.cnf \
	&& sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /etc/ssl/openssl.cnf \
	&& cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=/usr -S /usr/src/oqs-provider -B /usr/src/oqs-provider/build -DCMAKE_C_FLAGS="-march=native -O3 -mpclmul -fgraphite-identity -floop-nest-optimize" \
	&& cmake --build /usr/src/oqs-provider/build \
	&& cp /usr/src/oqs-provider/build/lib/oqsprovider.so /usr/lib/ossl-modules/) \
	\
	&& tar -zxC /usr/src -f nginx.tar.gz \
	&& rm nginx.tar.gz \
	&& cd /usr/src/nginx-$NGINX_VERSION \
	&& curl -fSL https://raw.githubusercontent.com/nginx-modules/ngx_http_tls_dyn_size/master/nginx__dynamic_tls_records_1.25.1%2B.patch -o dynamic_tls_records.patch \
	&& patch -p1 < dynamic_tls_records.patch \
	&& ./configure $CONFIG --with-debug \
	&& make -j$(getconf _NPROCESSORS_ONLN) \
	&& mv objs/nginx objs/nginx-debug \
	&& mv objs/ngx_http_xslt_filter_module.so objs/ngx_http_xslt_filter_module-debug.so \
	&& mv objs/ngx_http_image_filter_module.so objs/ngx_http_image_filter_module-debug.so \
	&& mv objs/ngx_http_geoip_module.so objs/ngx_http_geoip_module-debug.so \
	&& mv objs/ngx_http_perl_module.so objs/ngx_http_perl_module-debug.so \
	&& mv objs/ngx_stream_geoip_module.so objs/ngx_stream_geoip_module-debug.so \
	&& ./configure $CONFIG \
	&& make -j$(getconf _NPROCESSORS_ONLN) \
	&& make install \
	&& rm -rf /etc/nginx/html/ \
	&& mkdir /etc/nginx/conf.d/ \
	&& mkdir -p /usr/share/nginx/html/ \
	&& install -m644 html/index.html /usr/share/nginx/html/ \
	&& install -m644 html/50x.html /usr/share/nginx/html/ \
	&& install -m755 objs/nginx-debug /usr/sbin/nginx-debug \
	&& install -m755 objs/ngx_http_xslt_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_xslt_filter_module-debug.so \
	&& install -m755 objs/ngx_http_image_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_image_filter_module-debug.so \
	&& install -m755 objs/ngx_http_geoip_module-debug.so /usr/lib/nginx/modules/ngx_http_geoip_module-debug.so \
	&& install -m755 objs/ngx_http_perl_module-debug.so /usr/lib/nginx/modules/ngx_http_perl_module-debug.so \
	&& install -m755 objs/ngx_stream_geoip_module-debug.so /usr/lib/nginx/modules/ngx_stream_geoip_module-debug.so \
	&& ln -s ../../usr/lib/nginx/modules /etc/nginx/modules \
	&& strip /usr/sbin/nginx* \
	&& strip /usr/lib/nginx/modules/*.so \
	&& rm -rf /usr/src/nginx-$NGINX_VERSION \
	&& rm -rf /usr/src/quictls /usr/src/liboqs /usr/src/oqs-provider /usr/src/ngx_* /usr/src/njs \
	\
	# Bring in gettext so we can get `envsubst`, then throw
	# the rest away. To do this, we need to install `gettext`
	# then move `envsubst` out of the way so `gettext` can
	# be deleted completely, then move `envsubst` back.
	&& apk add --no-cache --virtual .gettext gettext \
	&& mv /usr/bin/envsubst /tmp/ \
	\
	&& runDeps="$( \
	scanelf --needed --nobanner /usr/sbin/nginx /usr/lib/nginx/modules/*.so /tmp/envsubst \
	\| awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \
	\| sort -u \
	\| xargs -r apk info --installed \
	\| sort -u \
	) tzdata ca-certificates" \
	&& apk add --no-cache --virtual .nginx-rundeps $runDeps \
	&& apk del .build-deps \
	&& apk del .gettext \
	&& mv /tmp/envsubst /usr/local/bin/ \
	\
	# Forward request and error logs to docker log collector.
	&& ln -sf /dev/stdout /var/log/nginx/access.log \
	&& ln -sf /dev/stderr /var/log/nginx/error.log

	COPY nginx.conf /etc/nginx/nginx.conf
	COPY nginx.vh.no-default.conf /etc/nginx/conf.d/default.conf

	LABEL description="NGINX Docker built top of rolling release QuicTLS, Zlib-ng, the ZSTD module, Mimalloc, and the OQS Provider." \
	maintainer="Diab Neiroukh <[email protected]>" \
	openssl="QuicTLS" \
	nginx="nginx $NGINX_VERSION"

	EXPOSE 80 443 443/udp

	STOPSIGNAL SIGTERM

	CMD ["nginx", "-g", "daemon off;"]

	# load_module modules/ngx_http_xslt_filter_module.so;
	# load_module modules/ngx_http_image_filter_module.so;
	# load_module modules/ngx_http_geoip_module.so;
	# load_module modules/ngx_http_perl_module.so;
	# load_module modules/ngx_stream_geoip_module.so;
	load_module modules/ngx_http_headers_more_filter_module.so;
	load_module modules/ngx_http_brotli_static_module.so;
	#load_module modules/ngx_http_brotli_filter_module.so;
	load_module modules/ngx_http_js_module.so;

	user nginx;
	worker_processes 1;

	error_log /var/log/nginx/error.log warn;
	pid /var/run/nginx.pid;

	pcre_jit on;

	events {
	worker_connections 1024;
	}

	http {
	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
	'$status $body_bytes_sent "$http_referer" '
	'"$http_user_agent" "$http_x_forwarded_for"';

	access_log /var/log/nginx/access.log main;

	sendfile on;
	aio threads;

	tcp_nopush on;
	tcp_nodelay on;
	server_tokens off;

	keepalive_disable msie6;

	ssl_dyn_rec_enable on;
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ecdh_curve X25519:P-521:P-384;
	ssl_ciphers [ECDHE-ECDSA-CHACHA20-POLY1305\|ECDHE-RSA-CHACHA20-POLY1305\|ECDHE-ECDSA-AES256-GCM-SHA384\|ECDHE-RSA-AES256-GCM-SHA384]:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:20m;
	ssl_session_timeout 15m;
	ssl_session_tickets off;

	http2 on;
	http3 on;
	quic_retry on;
	ssl_early_data on;

	gzip_static on;
	gzip on;
	gzip_comp_level 5;
	gzip_min_length 512;
	gzip_proxied any;
	gzip_vary on;
	gzip_disable "msie6";
	gzip_types
	text/plain
	text/css
	text/x-component
	text/javascript application/javascript application/x-javascript
	text/xml application/xml application/rss+xml
	application/json
	application/vnd.ms-fontobject
	font/truetype font/opentype
	image/svg+xml;

	brotli_static on;
	#brotli on;
	#brotli_comp_level 6;
	#brotli_types
	# text/plain
	# text/css
	# text/x-component
	# text/javascript application/javascript application/x-javascript
	# text/xml application/xml application/rss+xml
	# application/json
	# application/vnd.ms-fontobject
	# font/truetype font/opentype
	# image/svg+xml;

	include /etc/nginx/conf.d/*.conf;
	}
	# Drop requests for unknown hosts
	#
	# If no default server is defined, nginx will use the first found server.
	# To prevent host header attacks, or other potential problems when an unknown
	# servername is used in a request, it's recommended to drop the request
	# returning 444 "no response".

	server {
	listen 80 default_server;
	return 444;
	}

	server {
	listen 443 ssl http2 default_server;
	ssl_reject_handshake on;
	}