
Use ondrej/nginx and brotli

Open spyridonas opened this issue 2 years ago • 6 comments

Since you are using the php ondrej repos, might as well use the nginx ones too. The PPA of ondrej/nginx has more features and is up to date with the stable version of nginx. More specifically, it includes support for Brotli. This PR installs the nginx from ondrej and enables the Brotli support for all compatible types.

spyridonas avatar Jun 12 '23 08:06 spyridonas

Thanks for chiming in!

Can you explain the benefits of Brotli? I've heard of it, but never used it before 😃

jaydrogers avatar Jun 12 '23 14:06 jaydrogers

It's basically a faster / better gzip, developed by Google. It produces smaller files and thus a faster website! It produces approximately ~14% smaller JS files, ~21% smaller HTML files and 17% smaller CSS, and in some cases the overall front-end decompression is up to 64% faster than gzip! (according to https://www.siteground.com/blog/brotli-vs-gzip-compression/)

spyridonas avatar Jun 12 '23 14:06 spyridonas

Thanks for the update! I haven't forgotten about this.

I had a related discussion on this today...

Any thoughts on installing NGINX from the official repo vs Ondrej's?

jaydrogers avatar Jun 19 '23 16:06 jaydrogers

Unfortunately the official repos don't have Brotli. It's possible to build the Brotli addon from source though; if you prefer that, I will be glad to update the PR.

spyridonas avatar Jun 19 '23 16:06 spyridonas

No problem! Let's just sit tight with it "as-is" for now.

I like where this is going, but I was just asking because I honestly just didn't know 😃

Some background on this

I had a security notice come in over the weekend, suggesting to upgrade to NGINX 1.20+ (https://nvd.nist.gov/vuln/detail/CVE-2021-23017). Our images run 1.18.0 from the official Ubuntu packages.

After further research, Canonical seems to backport security fixes into different version numbers (https://ubuntu.com/security/CVE-2021-23017).

I thought that was an odd practice to keep a separate version number (especially an older one).

Next steps

I like your approach, but I have some other things ahead of this before I will be able to merge this. Let me get through those items first and I will get back to you on this 👍

jaydrogers avatar Jun 19 '23 16:06 jaydrogers
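The backport question raised above can be answered from the package changelog rather than from the upstream version number. This is an added example, not part of the thread or the project's code; the function names are hypothetical and the changelog is constructed with made-up revision strings:

```shell
#!/bin/sh
# Find which package revision carries a backported CVE fix by reading a
# Debian-format changelog (newest entry first).

# Print the version of every changelog entry that mentions the CVE id.
# $1 = CVE id, $2 = changelog file (plain text; decompress .gz files first)
cve_fix_versions() {
    awk -v cve="$1" '
        # Entry header: "package (version) suite; urgency=..."
        /^[a-z0-9][a-z0-9+.-]* \(.*\) / {
            ver = $2
            gsub(/[()]/, "", ver)
            next
        }
        # Body line naming the CVE: report the enclosing entry once.
        index($0, cve) && ver != last { print ver; last = ver }
    ' "$2"
}

# Entries are newest first, so the last match is the revision that
# introduced the fix; anything at or above it is patched.
cve_first_fixed() {
    cve_fix_versions "$1" "$2" | tail -n 1
}

# Constructed sample changelog: revisions and wording are illustrative only.
sample_changelog() {
    cat <<'EOF'
nginx (1.18.0-0example1.3) focal-security; urgency=medium

  * Fix regression introduced by the CVE-2021-23017 patch

 -- Example Maintainer <m@example.com>  Mon, 01 Jan 2024 00:00:00 +0000

nginx (1.18.0-0example1.2) focal-security; urgency=medium

  * SECURITY UPDATE: backported resolver fix
    - CVE-2021-23017

 -- Example Maintainer <m@example.com>  Sun, 31 Dec 2023 00:00:00 +0000

nginx (1.18.0-0example1) focal; urgency=medium

  * New upstream release

 -- Example Maintainer <m@example.com>  Sat, 30 Dec 2023 00:00:00 +0000
EOF
}
```

On a real image, save the output of `apt-get changelog nginx` to a file, pass it to `cve_first_fixed`, and compare the result with the installed revision using `dpkg --compare-versions`.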

In the meantime, to enable Brotli using the nginx image, I did the following in my Dockerfile:

```dockerfile
# Compile nginx from source with brotli module
FROM serversideup/php:8.2-fpm-nginx as brotli

# Dynamic modules must be built against the same nginx version the image runs
ENV NGINX_VERSION=1.18.0

# Update and install in one layer so a stale cached package index is never reused
RUN apt-get update && \
    apt-get install -y build-essential libpcre3 libpcre3-dev zlib1g zlib1g-dev \
    libssl-dev libgd-dev libxml2 libxml2-dev uuid-dev libxslt-dev wget git

# Fetch the nginx sources over HTTPS, then the ngx_brotli module with its submodules
RUN wget https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz
RUN tar -xzvf nginx-${NGINX_VERSION}.tar.gz
RUN git clone https://github.com/google/ngx_brotli.git --recursive
# Configure with the distribution's build flags and build only the dynamic modules
RUN cd nginx-${NGINX_VERSION} && \
    ./configure --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-d8gVax/nginx-${NGINX_VERSION}=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module --with-compat --add-dynamic-module=../ngx_brotli && \
    make modules && \
    cp objs/ngx_http_brotli_filter_module.so /ngx_http_brotli_filter_module.so && \
    cp objs/ngx_http_brotli_static_module.so /ngx_http_brotli_static_module.so


FROM serversideup/php:8.2-fpm-nginx
# ...
# Copy the brotli module from the previous build step
COPY --from=brotli ngx_http_brotli_filter_module.so /usr/lib/nginx/modules
COPY --from=brotli ngx_http_brotli_static_module.so /usr/lib/nginx/modules
# load_module directives must appear at the top of nginx.conf, before other blocks
RUN sed -i '1i load_module modules/ngx_http_brotli_filter_module.so;' /etc/nginx/nginx.conf
RUN sed -i '1i load_module modules/ngx_http_brotli_static_module.so;' /etc/nginx/nginx.conf

COPY brotli.conf /etc/nginx/conf.d/brotli.conf
```

Naghal avatar Jul 19 '23 20:07 Naghal

I had to close this because there were so many changes since this PR. If there is a good community movement demanding this feature, I would definitely re-approach getting this added: https://github.com/serversideup/docker-php/discussions/66

jaydrogers avatar Sep 23 '24 19:09 jaydrogers