nginx (Docker image)

Built-from-source container image of the NGINX HTTP server

Available on Docker Hub as ricardbejarano/nginx.

Tags

1.15.12-glibc, 1.15.12, glibc, latest (glibc/Dockerfile)

1.15.12-musl, musl (musl/Dockerfile)

Features

  • Super tiny (glibc-based is ~13.2MB and musl-based is ~12.5MB)
  • Built from source, including libraries
  • Built FROM scratch, see the Filesystem section below for an exhaustive list of the image's contents
  • Reduced attack surface (no bash, no UNIX tools, no package manager...)
  • Built with exploit mitigations enabled (see Security)

Building

To build the glibc-based image:

docker build -t nginx:glibc -f glibc/Dockerfile .

To build the musl-based image:

docker build -t nginx:musl -f musl/Dockerfile .

Security

This image aims to be a secure NGINX Docker image.

It does so by:

  • downloading and verifying the source code of NGINX and of every library it is built with,
  • packaging only the files required at runtime (see Filesystem),
  • building with a series of exploit mitigations enforced (PIE, full RELRO, full SSP, NX and Fortify).

Verifying the presence of exploit mitigations

To check whether a binary in a Docker image has those mitigations enabled, use tests/checksec.sh.

Usage

usage: checksec.sh docker_image executable_path

Docker-based wrapper for checksec.sh.
Requires a running Docker daemon.

Example:

  $ checksec.sh ricardbejarano/nginx:glibc /nginx

  Extracts the '/nginx' binary from the 'ricardbejarano/nginx:glibc' image,
  downloads checksec (github.com/slimm609/checksec.sh) and runs it on the
  binary.
  Everything runs inside Docker containers.

Example:

Testing the /nginx binary in ricardbejarano/nginx:glibc:

$ bash tests/checksec.sh ricardbejarano/nginx:glibc /nginx
Downloading ricardbejarano/nginx:glibc...Done!
Extracting ricardbejarano/nginx:glibc:/nginx...Done!
Downloading checksec.sh...Done!
Running checksec.sh:
RELRO        STACK CANARY   NX           PIE           RPATH      RUNPATH      Symbols         FORTIFY   Fortified   Fortifiable   FILE
Full RELRO   Canary found   NX enabled   PIE enabled   No RPATH   No RUNPATH   11563 Symbols   Yes       0           34            /tmp/.checksec-ui8eKi3Q
Cleaning up...Done!

This wrapper script works with any binary in a Docker image. Feel free to use it with any other image.

When reading the table, gate on the RELRO, STACK CANARY, NX, PIE, RPATH and RUNPATH columns. The Fortified and Fortifiable counts (0 and 34 above) are computed by cross-referencing the binary's imports against the libc of the container checksec itself runs in, not the libc inside the image under test, so a Fortified count of 0 does not on its own mean Fortify is off.

Other examples:

  • bash tests/checksec.sh debian /bin/bash
  • bash tests/checksec.sh alpine /bin/sh
  • bash tests/checksec.sh nginx /usr/sbin/nginx
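The wrapper prints a table for a human to read; in a build pipeline you want the same check to fail the job when a mitigation regresses. The following gate is an added example written for this page, not part of the repository's tests/: it reads the wrapper's output on stdin, picks out the result row and fails unless every mitigation string the README promises is present. FORTIFY is deliberately not gated, because its counts depend on the libc of the container checksec runs in. The file name checksec-gate.sh and the sample rows below are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the repository: a CI gate over tests/checksec.sh output.
# Usage (checksec-gate.sh is a hypothetical file name):
#   . ./checksec-gate.sh; bash tests/checksec.sh ricardbejarano/nginx:glibc /nginx | gate

# The strings checksec.sh prints in the "good" case for each gated column.
# RPATH/RUNPATH are gated too: a writable library search path would let an
# attacker substitute a library and undo the other mitigations.
REQUIRED='Full RELRO
Canary found
NX enabled
PIE enabled
No RPATH
No RUNPATH'

# checksec_result_line: from checksec output on stdin, print the first result
# row (it mentions RELRO but, unlike the column header, does not start with it).
checksec_result_line() {
  awk '/RELRO/ && !/^RELRO/ { print; exit }'
}

# check_mitigations LINE: return 0 if LINE contains every REQUIRED string;
# otherwise name each missing one on stderr and return 1.
check_mitigations() {
  missing=0
  while IFS= read -r want; do
    case "$1" in
      *"$want"*) ;;
      *) printf 'missing mitigation: %s\n' "$want" >&2
         missing=$((missing + 1)) ;;
    esac
  done <<EOF
$REQUIRED
EOF
  [ "$missing" -eq 0 ]
}

# gate: read wrapper output on stdin; return 0 only if all mitigations are
# present, 1 if some are missing, 2 if no result row was found at all
# (for instance because the wrapper failed before running checksec).
gate() {
  line=$(checksec_result_line)
  if [ -z "$line" ]; then
    echo 'checksec-gate: no checksec result row found' >&2
    return 2
  fi
  check_mitigations "$line"
}

# Constructed samples: the first is the README's own example output; the second
# is a made-up row of the kind a distro-built binary without PIE and with a
# RUNPATH might produce.
SAMPLE_GOOD='Downloading ricardbejarano/nginx:glibc...Done!
Extracting ricardbejarano/nginx:glibc:/nginx...Done!
Downloading checksec.sh...Done!
Running checksec.sh:
RELRO        STACK CANARY   NX           PIE           RPATH      RUNPATH      Symbols         FORTIFY   Fortified   Fortifiable   FILE
Full RELRO   Canary found   NX enabled   PIE enabled   No RPATH   No RUNPATH   11563 Symbols   Yes       0           34            /tmp/.checksec-ui8eKi3Q
Cleaning up...Done!'
SAMPLE_BAD='RELRO           STACK CANARY   NX           PIE      RPATH      RUNPATH   Symbols      FORTIFY   Fortified   Fortifiable   FILE
Partial RELRO   Canary found   NX enabled   No PIE   No RPATH   RUNPATH   No Symbols   Yes       2           10            /tmp/.checksec-example'
```

Substring matching is used on purpose: the columns are separated by runs of spaces but several cells contain spaces themselves ("Full RELRO", "Canary found"), so splitting on whitespace would mis-count fields.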

Volumes

  • Bind-mount your own configuration file at /etc/nginx/nginx.conf; the image ships a default one there (see Filesystem).

Filesystem

The images' contents are:

glibc

Based on the glibc implementation of libc. Dynamically linked.

/
├── etc/
│   ├── group
│   ├── nginx/
│   │   ├── html/
│   │   │   ├── 50x.html
│   │   │   └── index.html
│   │   ├── mime.types
│   │   └── nginx.conf
│   └── passwd
├── lib/
│   └── x86_64-linux-gnu/
│       ├── libc.so.6
│       ├── libcrypt.so.1
│       ├── libdl.so.2
│       ├── libnss_dns.so.2
│       ├── libnss_files.so.2
│       ├── libpthread.so.0
│       └── libresolv.so.2
├── lib64/
│   └── ld-linux-x86-64.so.2
├── nginx
└── tmp/
    └── .keep

musl

Based on the musl implementation of libc. Statically linked.

/
├── etc/
│   ├── group
│   ├── nginx/
│   │   ├── html/
│   │   │   ├── 50x.html
│   │   │   └── index.html
│   │   ├── mime.types
│   │   └── nginx.conf
│   └── passwd
├── nginx
└── tmp/
    └── .keep
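Because the listing above is exhaustive, it can double as an allowlist: anything else in the image (a shell, a package manager, a stray build artifact) is a regression. The following is an added example written for this page, not part of the repository: it transcribes the musl tree into a manifest and reports any file that is unexpected or missing. It assumes the listing format of `docker export ... | tar -t` (relative paths, directories with a trailing slash) and that the entries Docker adds to an exported container are the ones filtered out below.

```shell
#!/bin/sh
# Added example, not part of the repository: detect drift from the documented
# filesystem of the musl image.

# The musl image's expected contents, transcribed from the tree above.
EXPECTED_MUSL='etc/
etc/group
etc/nginx/
etc/nginx/html/
etc/nginx/html/50x.html
etc/nginx/html/index.html
etc/nginx/mime.types
etc/nginx/nginx.conf
etc/passwd
nginx
tmp/
tmp/.keep'

# image_file_list IMAGE: print the image's files, one per line (needs a Docker
# daemon; not exercised offline). Entries Docker itself adds to an exported
# container rather than the image (assumed here to be .dockerenv, dev/, proc/,
# sys/ and the network files it mounts under etc/) are filtered out.
image_file_list() {
  cid=$(docker create "$1") || return 1
  docker export "$cid" | tar -tf - |
    grep -Ev '^(\.dockerenv|dev/|proc/|sys/|etc/(hostname|hosts|resolv\.conf|mtab)$)'
  docker rm "$cid" >/dev/null
}

# manifest_diff EXPECTED ACTUAL: print "+path" for each unexpected file and
# "-path" for each expected file that is absent; return 0 only when both
# newline-separated lists contain exactly the same paths.
manifest_diff() {
  e=$(mktemp) && a=$(mktemp) || return 2
  printf '%s\n' "$1" | sort -u > "$e"
  printf '%s\n' "$2" | sort -u > "$a"
  comm -13 "$e" "$a" | sed 's/^/+/'
  comm -23 "$e" "$a" | sed 's/^/-/'
  n=$(comm -3 "$e" "$a" | wc -l | tr -d ' ')
  rm -f "$e" "$a"
  [ "$n" -eq 0 ]
}

# Against the real image (not run here), the check fails and prints the
# offending paths if anything beyond the allowlist is present:
#   manifest_diff "$EXPECTED_MUSL" "$(image_file_list ricardbejarano/nginx:musl)"
```

Run it after every rebuild and update EXPECTED_MUSL only when a change to the Dockerfile is meant to add or remove a file.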

License

See LICENSE.
