updated: dependencies, FreeNGINX release 1.27.5 and OpenSSL 3.5 with QUIC support

Author: ammnt

.github/workflows/build.yml

@@ -10,7 +10,7 @@ on:
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
-  APP_VERSION: 1.27.4
+  APP_VERSION: 1.27.5
 
 jobs:
   build:
@@ -30,7 +30,7 @@ jobs:
       - name: Install cosign🔒
         uses: sigstore/cosign-installer@v3.8.1
         with:
-          cosign-release: "v2.4.3"
+          cosign-release: "v2.5.0"
 
       - name: Setup Docker buildx🛠️
         uses: docker/setup-buildx-action@v3.10.0

Dockerfile

@@ -1,8 +1,8 @@
 ARG BASE_VERSION=3.21.3
 ARG BASE_HASH=a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c
 FROM docker.io/library/alpine:${BASE_VERSION}@sha256:${BASE_HASH} AS builder
-ARG OPENSSL_VERSION=openssl-3.4.1
-ARG APP_VERSION=release-1.27.4
+ARG OPENSSL_VERSION=openssl-3.5.0
+ARG APP_VERSION=release-1.27.5
 ARG NJS_VERSION=0.8.9
 ARG PCRE_VERSION=pcre2-10.45
 ARG ZLIB_VERSION=v1.3.1
@@ -59,7 +59,7 @@ RUN set -ex \
     --with-openssl-opt=no-ssl3 \
     --with-openssl-opt=no-shared \
     --with-openssl-opt=no-weak-ssl-ciphers \
-    --with-openssl-opt=no-tls-deprecated-ec \
+    --with-openssl-opt=enable-quic \
     --with-pcre=/tmp/pcre2 \
     --with-zlib=/tmp/zlib \
     --with-cpu-opt="generic" \
@@ -95,7 +95,6 @@ RUN set -ex \
     --with-ld-opt="-Wl,-z,now" \
     --with-ld-opt="-pie" \
     --with-ld-opt="-Wl,--gc-sections" \
-    --with-file-aio \
     --with-compat \
     --with-pcre-jit \
     --with-threads \

README.md

@@ -1,7 +1,7 @@
 # Distroless FreeNGINX with HTTP/3 and QUIC support🚀
 
 [![Build and push image📦](https://github.com/ammnt/freenginx/actions/workflows/build.yml/badge.svg)](https://github.com/ammnt/freenginx/actions/workflows/build.yml)
-![version](https://img.shields.io/badge/version-1.27.4-blue)
+![version](https://img.shields.io/badge/version-1.27.5-blue)
 [![GitHub issues open](https://img.shields.io/github/issues/ammnt/freenginx.svg)](https://github.com/ammnt/freenginx/issues)
 ![GitHub Maintained](https://img.shields.io/badge/open%20source-yes-orange)
 ![GitHub Maintained](https://img.shields.io/badge/maintained-yes-yellow)

freenginx_http3.conf

@@ -1,4 +1,4 @@
-# This is an example of a configuration file for enabling QUIC and HTTP3. Further configuration is required.
+# This is an example of a configuration file for enabling QUIC, HTTP3 and "A+" SSL tests rating. Further configuration is required.
 worker_processes auto;
 worker_rlimit_nofile 65536;
 pid /tmp/freenginx.pid;
@@ -17,14 +17,24 @@ http {
     aio threads;
     tcp_nopush on;
     tcp_nodelay on;
-    reset_timedout_connection on;
-    send_timeout 2;
-    client_body_timeout 60;
-    client_body_buffer_size 10M;
-    client_max_body_size 10M;
-    keepalive_timeout 60;
+    reset_timedout_connection off;
+    send_timeout 60s;
+    client_body_timeout 120s;
+    client_body_buffer_size 16M;
+    client_max_body_size 20M;
+    keepalive_timeout 30s;
     server_tokens off;
     types_hash_max_size 4096;
+    proxy_buffering on;
+    proxy_buffer_size 32k;
+    proxy_busy_buffers_size 64k;
+    proxy_buffers 512 8k;
+    proxy_max_temp_file_size 0;
+    proxy_intercept_errors on;
+    proxy_read_timeout 300s;
+    proxy_connect_timeout 60s;
+    proxy_send_timeout 60s;
+    fastcgi_read_timeout 300s;
     http2 on;
     http3 on;
     ssl_early_data on;
@@ -47,6 +57,7 @@ http {
     ssl_ocsp on;
     ssl_ocsp_cache shared:ocspSSL:60m;
     ssl_verify_depth 2;
+    resolver 1.1.1.1 8.8.8.8 ipv6=off valid=300s;
     resolver_timeout 300s;
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
     add_header X-Content-Type-Options nosniff;
@@ -126,45 +137,36 @@ http {
     proxy_temp_path /tmp/proxy_temp_path;
     fastcgi_temp_path /tmp/fastcgi_temp;
 
-    proxy_buffering on;
-    proxy_buffer_size 16k;
-    proxy_busy_buffers_size 24k;
-    proxy_buffers 384 4k;
-    proxy_max_temp_file_size 0;
-
     server {
-    listen 8080 default_server fastopen=256;
-    listen [::]:8080 default_server fastopen=256;
-    listen 8443 default_server quic reuseport;
-    listen [::]:8443 default_server quic reuseport;
-    listen 8443 default_server ssl fastopen=256;
-    listen [::]:8443 default_server ssl fastopen=256;
-    server_name test.example.com;
+        listen 8080 default_server fastopen=256;
+        listen 8443 default_server quic reuseport;
+        listen 8443 default_server ssl fastopen=256;
+        server_name test.example.com;
 
-    if ($scheme = http) {
-        return 308 https://test.example.com$request_uri;
-    }
-    if ($host = 'www.test.example.com') {
-        rewrite ^/(.*)$ https://test.example.com/$1 permanent;
-    }
-    if ($host != 'test.example.com') {
-        return 308 https://test.example.com$request_uri;
-    }
-    if ($request_method !~ ^(GET|POST|PUT)$) {
-        return '405';
-    }
+        if ($scheme = http) {
+            return 308 https://test.example.com$request_uri;
+        }
+        if ($host = 'www.test.example.com') {
+            rewrite ^/(.*)$ https://test.example.com/$1 permanent;
+        }
+        if ($host != 'test.example.com') {
+            return 308 https://test.example.com$request_uri;
+        }
+        if ($request_method !~ ^(GET|POST|PUT)$) {
+            return '405';
+        }
 
-    location / {
-      root /var/www/html;
-      index index.html index.htm;
+        location / {
+        root /var/www/html;
+        index index.html index.htm;
 
-      limit_except GET POST PUT {
-      deny all;
-      }
-    }
+        limit_except GET POST PUT {
+        deny all;
+        }
+        }
 
-    location /robots.txt {
-        return 200 "User-agent: *\nDisallow: /\n";
+        location /robots.txt {
+            return 200 "User-agent: *\nDisallow: /\n";
+        }
     }
-  }
 }