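# NGINX Plus on Debian slim.
#
# Requires BuildKit: the repository client certificate, its private key and the
# license JWT are supplied as build secrets. Example invocation (the src paths
# are placeholders):
#   docker build \
#     --secret id=nginx-crt,src=<path/to/nginx-repo.crt> \
#     --secret id=nginx-key,src=<path/to/nginx-repo.key> \
#     --secret id=nginx-jwt,src=<path/to/license.jwt> \
#     .
ARG RELEASE=bookworm
FROM debian:${RELEASE}-slim

LABEL maintainer="NGINX Docker Maintainers <docker-maint@nginx.com>"

# Define NGINX versions for NGINX Plus and NGINX Plus modules
# Uncomment this block and the versioned nginxPackages block in the main RUN
# instruction to install a specific release
# ARG RELEASE
# ENV NGINX_VERSION=34
# ENV NGINX_PKG_RELEASE=2~${RELEASE}
# ENV NJS_VERSION=0.8.9
# ENV NJS_PKG_RELEASE=1~${RELEASE}
# ENV OTEL_VERSION=0.1.1
# ENV OTEL_PKG_RELEASE=1~${RELEASE}
# ENV PKG_RELEASE=1~${RELEASE}

# Download your NGINX license certificate and key from the F5 customer portal (https://account.f5.com) and copy to the build context
# The three files reach this RUN only through the secret mounts below; there is
# no COPY/ADD of them, so they never become a layer of their own.
# Every step is chained with && so that a failure anywhere aborts the build.
RUN --mount=type=secret,id=nginx-crt,dst=nginx-repo.crt \
    --mount=type=secret,id=nginx-key,dst=nginx-repo.key \
    --mount=type=secret,id=nginx-jwt,dst=license.jwt \
    set -x \
# Create nginx user/group first, to be consistent throughout Docker variants
    && groupadd --system --gid 101 nginx \
    && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
    && apt-get update \
    && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg1 lsb-release \
# Signing keys are pinned by full fingerprint; only keys matching these
# fingerprints are exported into the keyring that the apt source trusts.
    && NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3" \
    && NGINX_GPGKEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg \
    && export GNUPGHOME="$(mktemp -d)" \
    && for NGINX_GPGKEY in $NGINX_GPGKEYS; do \
# Reset per key: otherwise one successful fetch would mask a later key that no
# keyserver returned, and the build would continue with an incomplete keyring.
        found=''; \
        for server in \
            hkp://keyserver.ubuntu.com:80 \
            pgp.mit.edu \
        ; do \
            echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
            gpg1 --batch --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
        done; \
        if [ -z "$found" ]; then \
            echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY"; \
            exit 1; \
        fi; \
    done \
    && gpg1 --batch --export $NGINX_GPGKEYS > "$NGINX_GPGKEY_PATH" \
# Refuse to continue with an empty keyring
    && test -s "$NGINX_GPGKEY_PATH" \
    && rm -rf "$GNUPGHOME" \
    && apt-get remove --purge --auto-remove -y gnupg1 \
    && rm -rf /var/lib/apt/lists/* \
# Install the latest release of NGINX Plus and/or NGINX Plus modules (written and maintained by F5)
# Uncomment any desired module packages to install the latest release or use the versioned package format to specify a release
# For an exhaustive list of supported modules and how to install them, see https://docs.nginx.com/nginx/admin-guide/dynamic-modules/dynamic-modules/
    && nginxPackages=" \
        nginx-plus \
        # nginx-plus=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \
        # nginx-plus-module-geoip \
        # nginx-plus-module-geoip=${NGINX_VERSION}-${PKG_RELEASE} \
        # nginx-plus-module-image-filter \
        # nginx-plus-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} \
        # nginx-plus-module-njs \
        # nginx-plus-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_PKG_RELEASE} \
        # nginx-plus-module-otel \
        # nginx-plus-module-otel=${NGINX_VERSION}+${OTEL_VERSION}-${OTEL_PKG_RELEASE} \
        # nginx-plus-module-perl \
        # nginx-plus-module-perl=${NGINX_VERSION}-${PKG_RELEASE} \
        # nginx-plus-module-xslt \
        # nginx-plus-module-xslt=${NGINX_VERSION}-${PKG_RELEASE} \
    " \
# Require TLS peer and host verification and present the client certificate
# when apt talks to pkgs.nginx.com
    && echo "Acquire::https::pkgs.nginx.com::Verify-Peer \"true\";" > /etc/apt/apt.conf.d/90nginx \
    && echo "Acquire::https::pkgs.nginx.com::Verify-Host \"true\";" >> /etc/apt/apt.conf.d/90nginx \
    && echo "Acquire::https::pkgs.nginx.com::SslCert \"/etc/ssl/nginx/nginx-repo.crt\";" >> /etc/apt/apt.conf.d/90nginx \
    && echo "Acquire::https::pkgs.nginx.com::SslKey \"/etc/ssl/nginx/nginx-repo.key\";" >> /etc/apt/apt.conf.d/90nginx \
    && echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://pkgs.nginx.com/plus/debian $(lsb_release -cs) nginx-plus" > /etc/apt/sources.list.d/nginx-plus.list \
    && mkdir -p /etc/ssl/nginx /etc/nginx \
# The certificate and key copies exist only inside this RUN: /etc/ssl/nginx is
# deleted again below, before the layer is committed.
    && cat nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt \
    && cat nginx-repo.key > /etc/ssl/nginx/nginx-repo.key \
# Unlike the certificate and key, the license JWT is NOT removed: it stays in
# the image, so anyone who can pull the image can read it. Keep the resulting
# image in a private registry.
    && cat license.jwt > /etc/nginx/license.jwt \
    && apt-get update \
    && apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages curl gettext-base \
    && apt-get remove --purge -y lsb-release \
    && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list \
    && rm -rf /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx \
# Forward request logs to Docker log collector
    && ln -sf /dev/stdout /var/log/nginx/access.log \
    && ln -sf /dev/stderr /var/log/nginx/error.log

# No USER instruction is set, so the container's main process starts as root.
EXPOSE 80

STOPSIGNAL SIGQUIT

CMD ["nginx", "-g", "daemon off;"]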
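# NGINX Plus on Alpine.
#
# Requires BuildKit: the repository client certificate, its private key and the
# license JWT are supplied as build secrets. Example invocation (the src paths
# are placeholders):
#   docker build \
#     --secret id=nginx-crt,src=<path/to/nginx-repo.crt> \
#     --secret id=nginx-key,src=<path/to/nginx-repo.key> \
#     --secret id=nginx-jwt,src=<path/to/license.jwt> \
#     .
ARG RELEASE=3.21
FROM alpine:${RELEASE}

LABEL maintainer="NGINX Docker Maintainers <docker-maint@nginx.com>"

# Define NGINX versions for NGINX Plus and NGINX Plus modules
# Uncomment this block and the versioned nginxPackages in the main RUN
# instruction to install a specific release
# ENV NGINX_VERSION=34
# ENV NGINX_PKG_RELEASE=2
# ENV NJS_VERSION=0.8.9
# ENV NJS_PKG_RELEASE=1
# ENV OTEL_VERSION=0.1.1
# ENV OTEL_PKG_RELEASE=1
# ENV PKG_RELEASE=1

# Download your NGINX license certificate and key from the F5 customer portal (https://account.f5.com) and copy to the build context
# The three files reach this RUN only through the secret mounts below; there is
# no COPY/ADD of them, so they never become a layer of their own.
RUN --mount=type=secret,id=nginx-crt,dst=cert.pem \
    --mount=type=secret,id=nginx-key,dst=cert.key \
    --mount=type=secret,id=nginx-jwt,dst=license.jwt \
    set -x \
# Create nginx user/group first, to be consistent throughout Docker variants
    && addgroup -g 101 -S nginx \
    && adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \
# Install the latest release of NGINX Plus and/or NGINX Plus modules (written and maintained by F5)
# Uncomment any desired module packages to install the latest release or use the versioned package format to specify a release
# For an exhaustive list of supported modules and how to install them, see https://docs.nginx.com/nginx/admin-guide/dynamic-modules/dynamic-modules/
    && nginxPackages=" \
        nginx-plus \
        # nginx-plus=${NGINX_VERSION}-r${NGINX_PKG_RELEASE} \
        # nginx-plus-module-geoip \
        # nginx-plus-module-geoip=${NGINX_VERSION}-r${PKG_RELEASE} \
        # nginx-plus-module-image-filter \
        # nginx-plus-module-image-filter=${NGINX_VERSION}-r${PKG_RELEASE} \
        # nginx-plus-module-njs \
        # nginx-plus-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${NJS_PKG_RELEASE} \
        # nginx-plus-module-otel \
        # nginx-plus-module-otel=${NGINX_VERSION}.${OTEL_VERSION}-r${OTEL_PKG_RELEASE} \
        # nginx-plus-module-perl \
        # nginx-plus-module-perl=${NGINX_VERSION}-r${PKG_RELEASE} \
        # nginx-plus-module-xslt \
        # nginx-plus-module-xslt=${NGINX_VERSION}-r${PKG_RELEASE} \
    " \
# The signing key is pinned by SHA-512: it is downloaded to /tmp, checked
# against the digest, and only moved into apk's key directory when it matches.
    && KEY_SHA512="e09fa32f0a0eab2b879ccbbc4d0e4fb9751486eedda75e35fac65802cc9faa266425edf83e261137a2f4d16281ce2c1a5f4502930fe75154723da014214f0655" \
    && wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \
    && if echo "$KEY_SHA512 */tmp/nginx_signing.rsa.pub" | sha512sum -c -; then \
        echo "key verification succeeded!"; \
        mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \
    else \
        echo "key verification failed!"; \
        exit 1; \
    fi \
# The certificate and key copies exist only inside this RUN: both files are
# deleted again right after the package install, before the layer is committed.
# NOTE(review): presumably /etc/apk/cert.pem and cert.key are where apk looks
# for its TLS client certificate for pkgs.nginx.com; confirm.
    && cat cert.pem > /etc/apk/cert.pem \
    && cat cert.key > /etc/apk/cert.key \
# grep -E replaces the obsolescent egrep alias; the pattern is unchanged
    && apk add -X "https://pkgs.nginx.com/plus/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \
    && if [ -f "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi \
    && if [ -f "/etc/apk/cert.key" ] && [ -f "/etc/apk/cert.pem" ]; then rm -f /etc/apk/cert.key /etc/apk/cert.pem; fi \
# Unlike the certificate and key, the license JWT is NOT removed: it stays in
# the image, so anyone who can pull the image can read it. Keep the resulting
# image in a private registry.
    && cat license.jwt > /etc/nginx/license.jwt \
# Bring in tzdata so users could set the timezones through the environment variables
    && apk add --no-cache tzdata \
# Bring in curl and ca-certificates to make registering on DNS SD easier
    && apk add --no-cache curl ca-certificates \
# Forward request and error logs to Docker log collector
    && ln -sf /dev/stdout /var/log/nginx/access.log \
    && ln -sf /dev/stderr /var/log/nginx/error.log

# No USER instruction is set, so the container's main process starts as root.
EXPOSE 80

STOPSIGNAL SIGQUIT

CMD ["nginx", "-g", "daemon off;"]

# vim:syntax=Dockerfile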
For a discussion of these files, see Deploying NGINX and NGINX Plus with Docker
I have enabled nginx-plus-module-njs in alpine.Dockerfile ( Line number 34 and 35 ). It is throwing the below error. Can you help?
#0 2.585 + egrep -o '^[0-9]+.[0-9]+' /etc/alpine-release
#0 2.585 + apk add -X https://pkgs.nginx.com/plus/alpine/v3.17/main --no-cache nginx-plus nginx-plus-module-njs 'nginx-plus-module-njs=.-'
#0 2.589 fetch https://pkgs.nginx.com/plus/alpine/v3.17/main/x86_64/APKINDEX.tar.gz
#0 3.290 fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/APKINDEX.tar.gz
#0 3.786 fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/community/x86_64/APKINDEX.tar.gz
#0 4.466 ERROR: 'nginx-plus-module-njs=.-' is not a valid world dependency, format is name(@tag)([<>~=]version)
alpine.Dockerfile:19
I would uncomment only L34. L35 only works if you specify the version you want to install in L8-L10 :)
I would uncomment only L34. L35 only works if you specify the version you want to install in L8-L10 :)
Thanks for responding. I have tried the same but no luck.
ERROR: 'nginx-plus-module-njs=28.0.7.9-1' is not a valid world dependency, format is name(@tag)([<>~=]version)
Thanks for testing it out! You did indeed find a bug! I pushed a fix, the new Dockerfile for Alpine should work as intended 😄
I can successfully build now. Thank you !!
hi @alessfg and @thresheek, perhaps "ENV NJS_VERSION 0.7.9" should be updated to 0.7.12, thanks!
The NGINX Plus release also needs to be updated! I'll hopefully get to this before end of next week (I have a hefty backlog this week 😄)
thanks @alessfg, @thresheek ! and here's one more update request -
perhaps, the signing key needs to be changed
from https://nginx.org/keys/nginx_signing.rsa.pub
to https://cs.nginx.com/static/keys/nginx_signing.rsa.pub
(the gist is also used for NGINX Plus in https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-docker/)
Dockerfiles have been updated! Sorry for the delay, it's been a crazy month!
Hi
the code for handeling the secrect could use some cleaning
with this patch you do not need to move and remove them during build
18,19c18,19
< RUN --mount=type=secret,id=nginx-crt,dst=cert.pem \
< --mount=type=secret,id=nginx-key,dst=cert.key \
---
> RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem \
> --mount=type=secret,id=nginx-key,dst=/etc/apk/cert.key \
52,53d51
< && cat cert.pem > /etc/apk/cert.pem \
< && cat cert.key > /etc/apk/cert.key \
56d53
< && if [ -f "/etc/apk/cert.key" ] && [ -f "/etc/apk/cert.pem" ]; then rm -f /etc/apk/cert.key /etc/apk/cert.pem; fi \
also the code for the signing key could be cleaner
no need for moving it
also is there a need to remove the nginx_signing.rsa.pub
in case I want to use this image as FROM to include more modules in a different image
44,45c44,45
< && wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \
< && if echo "$KEY_SHA512 */tmp/nginx_signing.rsa.pub" | sha512sum -c -; then \
---
> && wget -O /etc/apk/keys/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \
> && if echo "$KEY_SHA512 */etc/apk/keys/nginx_signing.rsa.pub" | sha512sum -c -; then \
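Review bot: Downloading straight to `/etc/apk/keys/nginx_signing.rsa.pub` places the key in apk's trusted-keys directory before the `sha512sum -c` check on the following line has run. The build still aborts on a mismatch through the unchanged `exit 1` branch, so nothing unverified is committed, but the original verify-in-`/tmp`-then-`mv` order keeps the trust directory clean even if that branch is later softened. If the move is dropped anyway, the failure branch should delete the file before exiting, e.g. `rm -f /etc/apk/keys/nginx_signing.rsa.pub; exit 1;`. The surrounding RUN instruction starts and ends outside this hunk.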
47d46
< mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \
52,53d50
< && cat cert.pem > /etc/apk/cert.pem \
< && cat cert.key > /etc/apk/cert.key \
55,56d51
< && if [ -f "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi \
Hey @zombiedk! Sorry for the late reply!
Removing the certs and signing key is a conscious decision. Your first suggestion does make some level of sense, I'll think about it! Right now the idea is for both Dockerfiles to follow as similar a pattern as possible between them.
Updated gists are on the way @PMExtra 😄