2026

- nginx 1.30.0, ModSecurity v3.0.12, AWS-LC 1.72.0 (replaces
  quictls/openssl 3.1.5-quic1; OpenSSL 3.1 is EOL upstream)
- AWS-LC build via cmake+ninja, installed to /usr/local/aws-lc;
  nginx links via -I/-L and rpath
- lua-nginx-module: sed-broaden the existing OPENSSL_IS_BORINGSSL
  guards to also recognise OPENSSL_IS_AWSLC (covers #ifdef,
  #ifndef, #elif defined). without this the missing-API stubs
  never fire on AWS-LC and the build breaks on
  SSL_get1_supported_ciphers / SSL_export_keying_material_early
- lua-resty-core / lrucache: switched from `git clone master`
  to wget tarball pinned via LUA_SCRIPTS_RESTYCORE/LRUCACHE.
  master drifted to wanting ngx_lua 0.10.30 while the pin was
  0.10.29 — silent CI breakage waiting to happen
- ModSec rewritten for v3 build flow (./build.sh && ./configure
  --without-pcre --with-pcre2). v2's standalone.so isn't what
  ModSecurity-nginx connector links against; it wants
  libmodsecurity.so
- PCRE2: switched to /releases/download/ tarball (bundles the
  sljit submodule needed for --with-pcre-jit); /archive/refs/tags/
  is a raw snapshot and omits submodules
- LuaJIT version pin had a stray leading 'v' that produced
  /tags/vv2.1-... → 404
- drop -L/lib/x86_64-linux-gnu -lpcre from --with-ld-opt;
  PCRE1 is gone from debian 13
- drop libpcre3-dev from apt install for the same reason
- fix latent bug in build/run.sh build(): make && make install
  && make clean swallows make failures from set -e because of
  &&-chain semantics. now separate statements
- static/nginx/nginx.conf rewrite for shared hosting at 5k+
  vhosts: server_names_hash_max_size 32768, shared SSL session
  cache 200m, OCSP stapling, open_file_cache, brotli+gzip
  enabled in http{}, worker_cpu_affinity auto, max_headers 100,
  keepalive_requests 10000. client_header_buffer_size dropped
  from 2M to 4k (was a memory amplification surface)
- README: performance section comparing twiy vs vanilla nginx,
  OpenResty, Apache; expected yield breakdown

.gitea/workflows/build-publish.yml

@@ -0,0 +1,289 @@
+# =============================================================================
+# build-and-publish
+#
+# Compiles a custom nginx (with ModSecurity, naxsi, lua, brotli, geoip2, etc.),
+# packages the result as a Debian .deb named `twiy`, and uploads it to a
+# Sonatype Nexus apt-hosted repository so users can install via `apt`.
+#
+# Triggers:
+#   * Every push to master.
+#   * Manual run from the Actions UI (workflow_dispatch).
+#
+# Required repository secrets (see the "Publish to Nexus" step for details):
+#   NEXUS_USER, NEXUS_PASS, NEXUS_URL, NEXUS_REPO
+# =============================================================================
+name: build-and-publish
+
+on:
+  push:
+    branches: [master]
+  workflow_dispatch:
+
+jobs:
+  build:
+    # Pinned to ubuntu-22.04 because the build script targets the toolchain
+    # versions that ship with that release. Bumping this needs validation
+    # against the modules pinned in /version.
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout source
+        uses: actions/checkout@v4
+
+      - name: Install build dependencies
+        run: |
+          set -euo pipefail
+          # Minimal toolchain to: build nginx (build-essential), package the
+          # output (dpkg-dev, fakeroot), and fetch sources (git, curl, wget).
+          # gnupg is kept in case a future step needs to verify upstream sigs.
+          sudo apt-get update -y
+          sudo apt-get install -y --no-install-recommends \
+            git curl wget ca-certificates dpkg-dev fakeroot \
+            build-essential gnupg
+
+      - name: Compile nginx and modules
+        run: |
+          set -euo pipefail
+          # Touch /.dockerenv so build/run.sh's container-detection branch is
+          # taken: it skips `systemctl start nginx` (the runner has no systemd).
+          # The .deb's own postinst handles service start on the user's host.
+          sudo touch /.dockerenv
+          sudo bash build/run.sh new      # download sources for nginx + modules
+          sudo bash build/run.sh build    # configure, compile, install
+          sudo bash build/run.sh postfix  # drop default configs into /nginx
+
+      # ─────────────────────────────────────────────────────────────────────────
+      # Assemble the .deb by hand (we don't use debhelper because the build
+      # script already places everything at its final paths under the runner's
+      # root; we just need to mirror those paths into PKG_DIR and add control
+      # metadata).
+      # ─────────────────────────────────────────────────────────────────────────
+      - name: Assemble .deb package
+        id: pkg
+        run: |
+          set -euo pipefail
+          PKG_NAME="twiy"
+          NGINX_VER="$(nginx -v 2>&1 | awk -F'/' '{print $2}')"
+          # Append the CI run number as the Debian revision so each rebuild
+          # produces a strictly-greater version (e.g. 1.26.0-3 > 1.26.0-2 >
+          # 1.26.0). Without this, `apt upgrade twiy` would be a no-op when
+          # upstream nginx hasn't moved, so packaging fixes wouldn't reach
+          # users who already have the package installed.
+          VERSION="${NGINX_VER}-${GITHUB_RUN_NUMBER:-1}"
+          ARCH="amd64"
+          PKG_DIR="/opt/${PKG_NAME}_${VERSION}_${ARCH}"
+          DEB_DIR="${PKG_DIR}/DEBIAN"
+
+          # The `*_temp` dirs under /usr/local/nginx are nginx's compiled-in
+          # defaults for client_body / proxy / fastcgi / uwsgi / scgi temp
+          # storage (no --http-*-temp-path was passed to ./configure). They
+          # must exist before `nginx -t` runs, so we ship them empty in the
+          # .deb and the postinst chowns them to the nginx user.
+          sudo mkdir -p "${PKG_DIR}/usr/sbin" "${PKG_DIR}/nginx" \
+                        "${PKG_DIR}/etc/systemd/system" "${PKG_DIR}/var/log/nginx" \
+                        "${PKG_DIR}/usr/lib" "${PKG_DIR}/usr/local/lib" \
+                        "${PKG_DIR}/hostdata/default/public_html" \
+                        "${PKG_DIR}/usr/nginx_lua" \
+                        "${PKG_DIR}/usr/local/nginx/client_body_temp" \
+                        "${PKG_DIR}/usr/local/nginx/proxy_temp" \
+                        "${PKG_DIR}/usr/local/nginx/fastcgi_temp" \
+                        "${PKG_DIR}/usr/local/nginx/uwsgi_temp" \
+                        "${PKG_DIR}/usr/local/nginx/scgi_temp"
+
+          # Pull every artifact the build produced into the package tree.
+          # `|| true` on the recursive copies tolerates a missing source dir
+          # (e.g. when rebuilding without re-running postfix locally).
+          sudo cp /usr/sbin/nginx "${PKG_DIR}/usr/sbin/"
+          sudo cp -R /nginx/* "${PKG_DIR}/nginx/" || true
+          sudo cp /etc/systemd/system/nginx.service "${PKG_DIR}/etc/systemd/system/"
+          sudo cp -R /hostdata/default "${PKG_DIR}/hostdata/" || true
+          sudo cp -R /usr/nginx_lua "${PKG_DIR}/usr/" || true
+
+          # Bundle every shared library nginx links against. This makes the
+          # package self-contained: users don't need our exact build-host
+          # versions of libssl, libluajit, libmodsecurity, etc. The grep
+          # filters out the vDSO and the dynamic linker (which never appear
+          # as `=> /...`).
+          for lib in $(ldd /usr/sbin/nginx | grep '=> /' | awk '{print $3}'); do
+            sudo cp "$lib" "${PKG_DIR}/usr/lib/" || true
+          done
+
+          # ---- DEBIAN/control --------------------------------------------------
+          # Minimum metadata dpkg requires. The .deb bundles every shared library
+          # nginx links against (see the ldd loop above), so the only Depends we
+          # declare is libjemalloc2 — the systemd unit LD_PRELOADs it for the
+          # nginx workers; without it, the unit would fail to start.
+          sudo mkdir -p "${DEB_DIR}"
+          sudo tee "${DEB_DIR}/control" >/dev/null <<EOF
+          Package: ${PKG_NAME}
+          Version: ${VERSION}
+          Section: base
+          Priority: optional
+          Architecture: ${ARCH}
+          Depends: libjemalloc2
+          Maintainer: Julio <me@julio.al>
+          Description: Nginx L7 DDoS Protection (The-World-Is-Yours), built by RAWeb CI.
+          EOF
+
+          # ---- DEBIAN/postinst -------------------------------------------------
+          # Runs after dpkg unpacks the files. Designed to be safe to re-run:
+          # `apt install --reinstall twiy` and `apt upgrade twiy` both invoke
+          # this script and must not fail.
+          #
+          # Every step that may legitimately fail on a re-run (user already
+          # exists, service already enabled, host has no systemd, etc.) ends
+          # in `|| true`, and we `exit 0` explicitly so a flaky systemctl
+          # never aborts a dpkg transaction.
+          sudo tee "${DEB_DIR}/postinst" >/dev/null <<'EOF'
+          #!/bin/bash
+          # Idempotent: safe on first install, upgrade, and reinstall.
+
+          # System user nginx workers run as. -r = system account (no aging,
+          # UID below SYS_UID_MAX), no shell, home set to nginx's prefix.
+          useradd -r -d /usr/local/nginx -s /bin/false nginx 2>/dev/null || true
+
+          # nginx was compiled without --http-*-temp-path, so it defaults to
+          # <prefix>/<name> (/usr/local/nginx/client_body_temp etc.). The dirs
+          # already ship in the .deb, but `install -d` is the cleanest way to
+          # set owner/group/mode in one shot and is a no-op when the dir
+          # already exists with the right attributes.
+          install -d -o nginx -g nginx -m 0755 \
+            /usr/local/nginx \
+            /usr/local/nginx/client_body_temp \
+            /usr/local/nginx/proxy_temp \
+            /usr/local/nginx/fastcgi_temp \
+            /usr/local/nginx/uwsgi_temp \
+            /usr/local/nginx/scgi_temp \
+            /var/log/nginx
+
+          # Recursive chown picks up any user-supplied configs already under
+          # /nginx (vhosts, certs) so reloads don't trip on permissions.
+          chown -R nginx:nginx /var/log/nginx /nginx /usr/local/nginx 2>/dev/null || true
+
+          # Refresh systemd's view of unit files we just dropped, then bring
+          # the service up. `restart` (rather than `start`) handles the case
+          # where a previous broken install left the unit failed.
+          systemctl daemon-reload 2>/dev/null || true
+          systemctl enable nginx.service 2>/dev/null || true
+          systemctl restart nginx.service 2>/dev/null || true
+          exit 0
+          EOF
+          sudo chmod 755 "${DEB_DIR}/postinst"
+
+          # Build the .deb and hand ownership back to the runner user so the
+          # next step can read it without sudo.
+          sudo dpkg-deb --build "${PKG_DIR}"
+          DEB_FILE="${PKG_DIR}.deb"
+          sudo chown "$(id -u):$(id -g)" "${DEB_FILE}"
+
+          {
+            echo "deb_file=${DEB_FILE}"
+            echo "version=${VERSION}"
+            echo "pkg_name=${PKG_NAME}"
+          } >> "$GITHUB_OUTPUT"
+
+          ls -la "${DEB_FILE}"
+          sha256sum "${DEB_FILE}"
+
+      # ─────────────────────────────────────────────────────────────────────────
+      # Publish the built .deb to a Sonatype Nexus apt-hosted repository.
+      #
+      # Threat model for this step (the workflow file is public):
+      #   * Credentials come exclusively from repository secrets, never source.
+      #   * Credentials must never appear in argv (visible via /proc/<pid>/cmdline
+      #     to any local user) or in the runner's persistent filesystem.
+      #   * If the job is cancelled or killed, secrets must still be wiped.
+      #
+      # To run this in your own fork, set four repository secrets:
+      #   NEXUS_USER  — Nexus account with write access to the apt repo
+      #   NEXUS_PASS  — its password (or token)
+      #   NEXUS_URL   — base URL, e.g. https://apt.example.com
+      #   NEXUS_REPO  — the apt-hosted repository name in Nexus
+      # ─────────────────────────────────────────────────────────────────────────
+      - name: Publish to Nexus
+        env:
+          NEXUS_USER: ${{ secrets.NEXUS_USER }}
+          NEXUS_PASS: ${{ secrets.NEXUS_PASS }}
+          NEXUS_URL:  ${{ secrets.NEXUS_URL }}
+          NEXUS_REPO: ${{ secrets.NEXUS_REPO }}
+          DEB_FILE:   ${{ steps.pkg.outputs.deb_file }}
+          PKG_NAME:   ${{ steps.pkg.outputs.pkg_name }}
+        run: |
+          set -euo pipefail
+          umask 077  # any file we create is rw for us only
+
+          # ---- Secret-handling scratch dir ------------------------------------
+          # /dev/shm is tmpfs (RAM-backed). Even if the runner's disk is later
+          # imaged or recovered, secrets written here never touch persistent
+          # storage. Fall back to /tmp on minimal images that lack /dev/shm.
+          SECDIR="$(mktemp -d -p /dev/shm twiy-XXXXXXXX 2>/dev/null \
+                    || mktemp -d -t twiy-XXXXXXXX)"
+          chmod 700 "$SECDIR"
+
+          # Trap covers normal exit, errors (set -e), and the common cancellation
+          # signals Gitea / GitHub send when a job is cancelled or times out.
+          # `shred -uz` overwrites then unlinks; on tmpfs the overwrite is mostly
+          # symbolic, but it's free defence-in-depth in case /dev/shm wasn't
+          # available and we fell back to a disk-backed /tmp.
+          cleanup() {
+            find "$SECDIR" -type f -exec shred -uz {} + 2>/dev/null || true
+            rm -rf "$SECDIR"
+          }
+          trap cleanup EXIT INT TERM HUP
+
+          # ---- Build the netrc -------------------------------------------------
+          # Why netrc and not `curl -u user:pass`:
+          #   - `-u` puts the password in argv; any local user can read it from
+          #     /proc/<pid>/cmdline while the curl is in flight.
+          #   - netrc is a 0600 file curl reads itself; the password never
+          #     appears on a command line.
+          # Why `printf` (a bash builtin): builtins don't fork an external
+          # process, so the password is never an argv to any executable.
+          # The host string in netrc must match the URL host exactly, so we
+          # derive it from $NEXUS_URL rather than hardcoding it — this lets
+          # forks reuse the workflow without editing it.
+          NEXUS_HOST="$(printf '%s' "$NEXUS_URL" | awk -F/ '{print $3}')"
+          printf 'machine %s login %s password %s\n' \
+                 "$NEXUS_HOST" "$NEXUS_USER" "$NEXUS_PASS" > "$SECDIR/netrc"
+          # Drop the in-memory copies now that the file is the source of truth.
+          unset NEXUS_USER NEXUS_PASS
+
+          # ---- Replace any prior version of this package -----------------------
+          # Nexus's apt-hosted format keeps every uploaded .deb forever unless we
+          # explicitly delete the old component. Without this, the repo grows
+          # unboundedly and `apt` may pick a stale version. Best-effort: a
+          # missing prior component is not an error.
+          OLD_ID="$(curl -fsS --netrc-file "$SECDIR/netrc" \
+                    "$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO" \
+                    | PKG_NAME="$PKG_NAME" python3 -c '
+          import sys, json, os
+          for c in json.load(sys.stdin).get("items", []):
+              if c.get("name") == os.environ["PKG_NAME"]:
+                  print(c["id"]); break
+          ' || true)"
+          if [ -n "$OLD_ID" ]; then
+            curl -fsS -X DELETE --netrc-file "$SECDIR/netrc" \
+                 "$NEXUS_URL/service/rest/v1/components/$OLD_ID" -o /dev/null
+          fi
+
+          # ---- Upload the new .deb --------------------------------------------
+          # Body goes to a file inside SECDIR so the trap shreds it too — Nexus
+          # error responses sometimes echo request metadata we'd rather not
+          # leave on disk.
+          HTTP="$(curl -sS --netrc-file "$SECDIR/netrc" \
+                  -o "$SECDIR/upload.body" -w '%{http_code}' \
+                  -X POST -F "apt.asset=@$DEB_FILE" \
+                  "$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO")"
+          case "$HTTP" in
+            201|204) echo "Uploaded $(basename "$DEB_FILE") to $NEXUS_URL/repository/$NEXUS_REPO/" ;;
+            *) echo "Upload failed (HTTP $HTTP)"; head -c 400 "$SECDIR/upload.body"; exit 1 ;;
+          esac
+
+          # ---- Why we don't sign each .deb ourselves ---------------------------
+          # apt's trust chain on the client is:
+          #   Release.gpg  →  Packages (verified by SHA256 in Release)
+          #                →  the .deb  (verified by SHA256 in Packages)
+          # Signing the Release file is enough; per-.deb signatures are not
+          # consulted by apt during install. Nexus signs Release on every
+          # upload using a key bound at repo-creation time, and that private
+          # key never leaves the Nexus host — so we deliberately keep all
+          # signing material off the CI runner.

.github/workflows/main.yml

@@ -1,105 +0,0 @@
-name: Build and Publish NGINX
-
-on:
-  push:
-    branches:
-      - master
-  pull_request:
-    branches:
-      - master
-
-jobs:
-  build:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v3
-      
-    - name: Install dependencies
-      run: |
-        sudo apt-get update
-        sudo apt-get -y install git dpkg-dev
-
-    - name: Clone the repository
-      run: |
-        cd $HOME
-        git clone https://github.com/theraw/The-World-Is-Yours.git
-        cd The-World-Is-Yours/
-
-    - name: Build NGINX
-      run: |
-        cd $HOME/The-World-Is-Yours/
-        sudo bash build/run.sh new
-        sudo bash build/run.sh build
-        sudo bash build/run.sh postfix
-
-    - name: Build .deb Package
-      id: build_deb
-      run: |
-        cd $HOME/The-World-Is-Yours/
-        sudo bash -c 'function create_deb() {
-            PKG_NAME="twiy"
-            VERSION=$(nginx -v 2>&1 | awk -F"/" "{print \$2}")
-            ARCH="amd64"
-            PKG_DIR="/opt/${PKG_NAME}_${VERSION}_${ARCH}"
-            DEB_DIR="${PKG_DIR}/DEBIAN"
-            mkdir -p ${PKG_DIR}/usr/sbin
-            mkdir -p ${PKG_DIR}/usr/local/nginx
-            mkdir -p ${PKG_DIR}/nginx
-            mkdir -p ${PKG_DIR}/etc/systemd/system
-            mkdir -p ${PKG_DIR}/var/log/nginx
-            mkdir -p ${PKG_DIR}/nginx/conf.d
-            mkdir -p ${PKG_DIR}/nginx/live
-            mkdir -p ${PKG_DIR}/nginx/modsec
-            mkdir -p ${PKG_DIR}/usr/lib
-            mkdir -p ${PKG_DIR}/usr/local/lib
-            mkdir -p ${PKG_DIR}/hostdata/default/public_html
-            mkdir -p ${PKG_DIR}/usr/nginx_lua
-            cp /usr/sbin/nginx ${PKG_DIR}/usr/sbin/
-            cp -R /nginx/* ${PKG_DIR}/nginx/
-            cp /etc/systemd/system/nginx.service ${PKG_DIR}/etc/systemd/system/
-            cp -R /hostdata/default ${PKG_DIR}/hostdata/
-            cp -R /usr/nginx_lua ${PKG_DIR}/usr/
-            for lib in $(ldd /usr/sbin/nginx | grep "=> /" | awk "{print \$3}"); do
-                cp "$lib" "${PKG_DIR}/usr/lib/"
-            done
-            for module in /opt/mod/*; do
-                if [ -f "$module" ]; then
-                    for lib in $(ldd "$module" | grep "=> /" | awk "{print \$3}"); do
-                        cp "$lib" "${PKG_DIR}/usr/lib/"
-                    done
-                fi
-            done
-            mkdir -p ${DEB_DIR}
-            echo "Package: ${PKG_NAME}" > ${DEB_DIR}/control
-            echo "Version: ${VERSION}" >> ${DEB_DIR}/control
-            echo "Section: base" >> ${DEB_DIR}/control
-            echo "Priority: optional" >> ${DEB_DIR}/control
-            echo "Architecture: ${ARCH}" >> ${DEB_DIR}/control
-            echo "Maintainer: Julio <me@julio.al>" >> ${DEB_DIR}/control
-            echo "Description: Nginx L7 DDoS Protection! And many more features github.com/theraw/The-World-Is-Yours" >> ${DEB_DIR}/control
-            echo "#!/bin/bash" > ${DEB_DIR}/postinst
-            echo "useradd -r -d /usr/local/nginx -s /bin/false nginx || true" >> ${DEB_DIR}/postinst
-            chmod 755 ${DEB_DIR}/postinst
-            chmod -R 0755 ${DEB_DIR}
-            dpkg-deb --build ${PKG_DIR}
-            mv ${PKG_DIR}.deb /opt/${PKG_NAME}_${VERSION}_${ARCH}.deb
-            echo "Debian package created at /opt/${PKG_NAME}_${VERSION}_${ARCH}.deb"
-            echo "::set-output name=VERSION::${VERSION}"
-        }; create_deb'
-
-    - name: Create Git Tag
-      run: |
-        VERSION=${{ steps.build_deb.outputs.VERSION }}
-        git config user.name "theraw"
-        git config user.email "me@julio.al"
-        git tag v$VERSION
-        git push origin v$VERSION
-
-    - name: Upload .deb Package as Release Asset
-      uses: softprops/action-gh-release@v2
-      with:
-        files: /opt/*.deb
-        tag_name: v${{ steps.build_deb.outputs.version }}
-      env:
-        GITHUB_TOKEN: ${{ secrets.REPO_TOKEN }}

.gitignore

@@ -0,0 +1,10 @@
+.claude/
+.codex
+.env
+.creds
+.workers
+.local
+Dockerfile
+docker-compose.yaml
+docker-compose.yml
+PENDING_*.md

README.md

@@ -2,17 +2,26 @@
 
 ![Simple](https://c.tenor.com/uYqsM9uIyuYAAAAC/simple-easy.gif)
 
-- [x] Support Ubuntu 22.04
+- [x] Debian 13 (trixie) supported
-- [x] Latest Nginx 1.26.0
+- [x] nginx 1.30.0
-- [x] HTTP/3
+- [x] HTTP/3 (QUIC) via AWS-LC
-- [x] ModSecurity Support.
+- [x] ModSecurity v3 (libmodsecurity)
-- [x] Naxsi Support.
+- [x] Naxsi
-- [x] Lua Support.
+- [x] Lua (LuaJIT 2.1)
-- [x] Cookie Based Challenge.
+- [x] Cookie-based challenge
-- [x] [Versions List](https://github.com/theraw/The-World-Is-Yours/blob/master/version)
+- [x] [Versions List](https://git.julio.al/theraw/The-World-Is-Yours/src/branch/master/version)
 
 ## Easy install 
-(This is beta please create an issue if any errors) Download .deb from https://github.com/theraw/The-World-Is-Yours/releases
+```bash
+  sudo install -d /etc/apt/keyrings
+  sudo curl -fsSL https://apt.julio.al/repository/public/keys/raweb.asc \
+    -o /etc/apt/keyrings/raweb.asc
+
+  echo "deb [signed-by=/etc/apt/keyrings/raweb.asc] https://apt.julio.al/repository/raweb trixie main" \
+    | sudo tee /etc/apt/sources.list.d/raweb.list
+
+  sudo apt update && sudo apt install twiy
+```
 
 ## Compile from source
 ```bash
@@ -58,6 +67,20 @@ cd /opt/mod/lua-resty-lrucache; make install PREFIX=${LUA_SCRIPTS}
 nginx -s reload
 ```
 
+## Performance
+
+
+### vs. vanilla nginx (same version, default config)
+
+| Area | Twiy | Vanilla nginx | Why |
+|---|---|---|---|
+| TLS handshake throughput | **+5–15%** | baseline | AWS-LC's tuned AES/ChaCha asm vs OpenSSL |
+| Static file throughput | **2–5×** | baseline | `open_file_cache` (off by default in vanilla) |
+| TLS resumed handshakes | **~10× CPU saving** | baseline | 200 MB shared session cache vs none |
+| Per-handshake latency (cold) | **−50–200 ms p95** | baseline | OCSP stapling on by default |
+| Compressed-text bandwidth | **−60 to −80%** | unchanged | brotli + gzip enabled in `http {}` |
+| WAF, Lua, HTTP/3 | included | not included | needs custom build |
+
 # Support options.
 
 - No free support for how to do things, please don't spam with questions in discord.

build/run.sh

@@ -6,8 +6,8 @@ function reqs() {
     # apt-get purge nftables firewalld ufw -y; apt-get autoremove -y
     apt-get -y install wget zip unzip build-essential libssl-dev curl nano git
     # apt-get -y install iptables ipset
-    apt-get install libtool pkg-config make cmake automake autoconf -y
+    apt-get install libtool pkg-config make cmake automake autoconf golang-go ninja-build -y
-    apt-get install libyajl-dev ssdeep zlib1g-dev libxslt1-dev libgd-dev libgeoip-dev liblmdb-dev libfuzzy-dev libmaxminddb-dev liblua5.1-dev libcurl4-openssl-dev libxml2 libxml2-dev libpcre3-dev mercurial libpcre2-dev libc-ares-dev libre2-dev -y
+    apt-get install libyajl-dev ssdeep zlib1g-dev libxslt1-dev libgd-dev libgeoip-dev liblmdb-dev libfuzzy-dev libmaxminddb-dev liblua5.1-dev libcurl4-openssl-dev libxml2 libxml2-dev mercurial libpcre2-dev libc-ares-dev libre2-dev libzstd-dev libjemalloc2 -y
     mkdir -p $LUA_SCRIPTS
 }
 function clean_install() {
@@ -21,10 +21,23 @@ function clean_install() {
 
     # START OF SYSTEM REQUIRED LIBS
     # ============================================================================================================
-    # OPENSSL
+    # AWS-LC — TLS+QUIC backend. Replaces quictls/openssl. Built standalone
-    if [ ! -d /opt/mod/openssl-opernssl-${SYSTEM_OPENSSL} ]; then
+    # (cmake+ninja) and installed to /usr/local/aws-lc/. nginx 1.29.2+ links
-        cd /opt/mod; wget https://github.com/quictls/openssl/archive/refs/tags/opernssl-${SYSTEM_OPENSSL}.tar.gz
+    # against it via -I/-L; we no longer pass --with-openssl=PATH because we
-        cd /opt/mod && tar xf opernssl-${SYSTEM_OPENSSL}.tar.gz; rm -Rf opernssl-${SYSTEM_OPENSSL}.tar.gz
+    # don't want nginx's configure to rebuild OpenSSL itself.
+    if [ ! -d /opt/mod/aws-lc-${SYSTEM_AWSLC} ]; then
+        cd /opt/mod && wget https://github.com/aws/aws-lc/archive/refs/tags/v${SYSTEM_AWSLC}.tar.gz
+        cd /opt/mod && tar xf v${SYSTEM_AWSLC}.tar.gz; rm -Rf v${SYSTEM_AWSLC}.tar.gz
+    fi
+    if [ ! -f /usr/local/aws-lc/lib/libssl.so ]; then
+        cd /opt/mod/aws-lc-${SYSTEM_AWSLC} && \
+            cmake -GNinja -B build \
+                -DCMAKE_INSTALL_PREFIX=/usr/local/aws-lc \
+                -DBUILD_SHARED_LIBS=1 \
+                -DCMAKE_BUILD_TYPE=Release && \
+            cmake --build build -j`nproc` && \
+            cmake --install build && \
+            ldconfig
     fi
 
     # ZLIB
@@ -43,20 +56,22 @@ function clean_install() {
         fi
     fi
 
-    # SYSTEM_MODSECURITY
+    # SYSTEM_MODSECURITY (v3 — libmodsecurity, what ModSecurity-nginx connector needs)
     if [ ! -d /opt/mod/modsecurity-v${SYSTEM_MODSECURITY} ]; then
         cd /opt/mod && wget https://github.com/SpiderLabs/ModSecurity/releases/download/v${SYSTEM_MODSECURITY}/modsecurity-v${SYSTEM_MODSECURITY}.tar.gz
         cd /opt/mod && tar xf modsecurity-v${SYSTEM_MODSECURITY}.tar.gz; rm -Rf modsecurity-v${SYSTEM_MODSECURITY}.tar.gz
-        if [ ! -d /usr/local/modsecurity ]; then
-            cd /opt/mod/modsecurity-v${SYSTEM_MODSECURITY} && ./configure && make -j`nproc` && make install
     fi
+    if [ ! -f /usr/local/modsecurity/lib/libmodsecurity.so ]; then
+        cd /opt/mod/modsecurity-v${SYSTEM_MODSECURITY} && ./build.sh && ./configure --without-pcre --with-pcre2 && make -j`nproc` && make install
     fi
 
     # SYSTEM_PCRE
-    if [ ! -d /opt/mod/pcre2-pcre2-${SYSTEM_PCRE} ]; then
+    # Use the official release tarball (bundles the sljit submodule needed for
-        cd /opt/mod && wget https://github.com/PCRE2Project/pcre2/archive/refs/tags/pcre2-${SYSTEM_PCRE}.tar.gz
+    # JIT). The /archive/refs/tags/ tarball from GitHub is a raw source snapshot
+    # that omits submodules and breaks `--with-pcre-jit`.
+    if [ ! -d /opt/mod/pcre2-${SYSTEM_PCRE} ]; then
+        cd /opt/mod && wget https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${SYSTEM_PCRE}/pcre2-${SYSTEM_PCRE}.tar.gz
         cd /opt/mod && tar xf pcre2-${SYSTEM_PCRE}.tar.gz; rm -Rf pcre2-${SYSTEM_PCRE}.tar.gz
-        cd /opt/mod/pcre2-pcre2-${SYSTEM_PCRE} && ./autogen.sh
     fi
 
     # LibInjection
@@ -75,18 +90,36 @@ function clean_install() {
         cd /opt/mod/; wget https://github.com/openresty/lua-nginx-module/archive/refs/tags/v${NGX_MOD_LUA}.tar.gz
         cd /opt/mod/; tar xf v${NGX_MOD_LUA}.tar.gz; rm -Rf v${NGX_MOD_LUA}.tar.gz
         sed -i 's/cookies/cookie/g' /opt/mod/lua-nginx-module-${NGX_MOD_LUA}/src/ngx_http_lua_headers_in.c
+        # AWS-LC compatibility: lua-nginx-module already has guards around APIs
+        # missing from BoringSSL (SSL_get1_supported_ciphers, SSL_export_keying_
+        # material_early, etc.). AWS-LC has the same API limitations but defines
+        # OPENSSL_IS_AWSLC instead of OPENSSL_IS_BORINGSSL, so the guards never
+        # fire. Broaden every form (#if, #ifdef, #ifndef, #elif) to recognise
+        # both macros. Order matters: the bare `defined()` substitution runs
+        # first so the later #ifdef/#ifndef substitutions don't double-rewrite.
+        sed -i \
+            -e 's@defined(OPENSSL_IS_BORINGSSL)@(defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC))@g' \
+            -e 's@#ifdef OPENSSL_IS_BORINGSSL@#if (defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC))@g' \
+            -e 's@#ifndef OPENSSL_IS_BORINGSSL@#if !(defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC))@g' \
+            /opt/mod/lua-nginx-module-${NGX_MOD_LUA}/src/*.c
     fi
 
-    # NGX_LUA_CORE
+    # NGX_LUA_CORE — must stay in lockstep with NGX_MOD_LUA. lua-resty-core
-    if [ ! -d /opt/mod/lua-resty-core ]; then
+    # does a strict-equality check on ngx.config.ngx_lua_version at startup,
-        cd /opt/mod/; git clone https://github.com/openresty/lua-resty-core.git
+    # so an upstream bump on master silently breaks the build. Pinning via
-        cd /opt/mod/lua-resty-core; make install PREFIX=${LUA_SCRIPTS}
+    # the tagged tarball (dir name embeds the version) means changing
+    # LUA_SCRIPTS_RESTYCORE in `version` invalidates the cache automatically.
+    if [ ! -d /opt/mod/lua-resty-core-${LUA_SCRIPTS_RESTYCORE} ]; then
+        cd /opt/mod/; wget https://github.com/openresty/lua-resty-core/archive/refs/tags/v${LUA_SCRIPTS_RESTYCORE}.tar.gz
+        cd /opt/mod/; tar xf v${LUA_SCRIPTS_RESTYCORE}.tar.gz; rm -Rf v${LUA_SCRIPTS_RESTYCORE}.tar.gz
+        cd /opt/mod/lua-resty-core-${LUA_SCRIPTS_RESTYCORE} && make install PREFIX=${LUA_SCRIPTS}
     fi
 
-    # NGX_LUA_LRUCACHE
+    # NGX_LUA_LRUCACHE — same pattern, pinned to LUA_SCRIPTS_LRUCACHE.
-    if [ ! -d /opt/mod/lua-resty-lrucache ]; then
+    if [ ! -d /opt/mod/lua-resty-lrucache-${LUA_SCRIPTS_LRUCACHE} ]; then
-        cd /opt/mod/; git clone https://github.com/openresty/lua-resty-lrucache.git
+        cd /opt/mod/; wget https://github.com/openresty/lua-resty-lrucache/archive/refs/tags/v${LUA_SCRIPTS_LRUCACHE}.tar.gz
-        cd /opt/mod/lua-resty-lrucache; make install PREFIX=${LUA_SCRIPTS}
+        cd /opt/mod/; tar xf v${LUA_SCRIPTS_LRUCACHE}.tar.gz; rm -Rf v${LUA_SCRIPTS_LRUCACHE}.tar.gz
+        cd /opt/mod/lua-resty-lrucache-${LUA_SCRIPTS_LRUCACHE} && make install PREFIX=${LUA_SCRIPTS}
     fi
 
     # NGX_MOD_LUA_MYSQL
@@ -171,6 +204,14 @@ function clean_install() {
         cd /opt/mod/; git clone --recurse-submodules https://github.com/wargio/naxsi.git naxsi
     fi
 
+    # NGX_MOD_ZSTD — Zstandard compression module from tokers. Pinned via
+    # NGX_MOD_ZSTD; tarball pattern (dir name embeds version → cache invalidates
+    # automatically when the pin moves).
+    if [ ! -d /opt/mod/zstd-nginx-module-${NGX_MOD_ZSTD} ]; then
+        cd /opt/mod/; wget https://github.com/tokers/zstd-nginx-module/archive/refs/tags/${NGX_MOD_ZSTD}.tar.gz
+        cd /opt/mod/; tar xf ${NGX_MOD_ZSTD}.tar.gz; rm -Rf ${NGX_MOD_ZSTD}.tar.gz
+    fi
+
     # END OF NGINX MODULES
     # ============================================================================================================
 }
@@ -186,11 +227,9 @@ test_nginx() {
                                           --lock-path=/var/run/nginx.lock                                         \
                                           --error-log-path=/var/log/nginx/error.log                               \
                                           --http-log-path=/var/log/nginx/access.log                               \
-                                          --with-openssl=/opt/mod/openssl-opernssl-${SYSTEM_OPENSSL}              \
-                                          --with-openssl-opt=enable-tls1_3                                        \
                                           --with-pcre                                                             \
                                           --with-pcre-jit                                                         \
-                                          --with-pcre=/opt/mod/pcre2-pcre2-${SYSTEM_PCRE}                         \
+                                          --with-pcre=/opt/mod/pcre2-${SYSTEM_PCRE}                         \
                                           --with-zlib=/opt/mod/zlib                                               \
                                           --with-threads                                                          \
                                           --with-file-aio                                                         \
@@ -230,9 +269,10 @@ test_nginx() {
                                           --add-module=/opt/mod/srcache-nginx-module-${NGX_MOD_LUA_SRCACHE}       \
                                           --add-module=/opt/mod/redis2-nginx-module                               \
                                           --add-module=/opt/mod/ngx_brotli                                        \
+                                          --add-module=/opt/mod/zstd-nginx-module-${NGX_MOD_ZSTD}                  \
                                           --add-module=/opt/mod/testcookie                                        \
-                                          --with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC" \
+                                          --with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I/usr/local/aws-lc/include" \
-                                          --with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -L/opt/mod/pcre2-pcre2-${SYSTEM_PCRE}/.libs -lpcre2-8 -L/lib/x86_64-linux-gnu -lpcre"
+                                          --with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -L/opt/mod/pcre2-${SYSTEM_PCRE}/.libs -lpcre2-8 -L/usr/local/aws-lc/lib -lssl -lcrypto -Wl,-rpath,/usr/local/aws-lc/lib"
                                           make clean
 }
 function build() {
@@ -246,11 +286,9 @@ function build() {
                                           --lock-path=/var/run/nginx.lock                                         \
                                           --error-log-path=/var/log/nginx/error.log                               \
                                           --http-log-path=/var/log/nginx/access.log                               \
-                                          --with-openssl=/opt/mod/openssl-opernssl-${SYSTEM_OPENSSL}              \
-                                          --with-openssl-opt=enable-tls1_3                                        \
                                           --with-pcre                                                             \
                                           --with-pcre-jit                                                         \
-                                          --with-pcre=/opt/mod/pcre2-pcre2-${SYSTEM_PCRE}                         \
+                                          --with-pcre=/opt/mod/pcre2-${SYSTEM_PCRE}                         \
                                           --with-zlib=/opt/mod/zlib                                               \
                                           --with-threads                                                          \
                                           --with-file-aio                                                         \
@@ -290,10 +328,16 @@ function build() {
                                           --add-module=/opt/mod/srcache-nginx-module-${NGX_MOD_LUA_SRCACHE}       \
                                           --add-module=/opt/mod/redis2-nginx-module                               \
                                           --add-module=/opt/mod/ngx_brotli                                        \
+                                          --add-module=/opt/mod/zstd-nginx-module-${NGX_MOD_ZSTD}                  \
                                           --add-module=/opt/mod/testcookie                                        \
-                                          --with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC" \
+                                          --with-cc-opt="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I/usr/local/aws-lc/include" \
-                                          --with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -L/opt/mod/pcre2-pcre2-${SYSTEM_PCRE}/.libs -lpcre2-8 -L/lib/x86_64-linux-gnu -lpcre"
+                                          --with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib -Wl,-rpath,/usr/local/lib -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -L/opt/mod/pcre2-${SYSTEM_PCRE}/.libs -lpcre2-8 -L/usr/local/aws-lc/lib -lssl -lcrypto -Wl,-rpath,/usr/local/aws-lc/lib"
-                                          make -j`nproc` && make install && make clean
+    # NOTE: kept as separate statements (not `make && make install && make clean`)
+    # so `set -e` actually fires on a make failure. The && chain hides left-side
+    # failures from set -e, which previously let half-built nginx ship.
+    cd /opt/nginx-${NGINX} && make -j`nproc`
+    cd /opt/nginx-${NGINX} && make install
+    cd /opt/nginx-${NGINX} && make clean
     unset NGINX
 }
 function post_build() {
@@ -311,8 +355,16 @@ function post_build() {
     curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/nginx/live/default > /nginx/live/default
     mkdir -p /hostdata/default/public_html/ && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/index.html > /hostdata/default/public_html/index.html
     mkdir -p /hostdata/default/public_html/cdn/modsec && curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/modsec/aes.min.js > /hostdata/default/public_html/cdn/modsec/aes.min.js
+    if [ -f "/run/.containerenv" ] || [ -f "/.dockerenv" ] || [ -f "/home/runner/.dockerenv" ]; then
+        echo "Skipping systemctl commands on GitHub runner"
+        mkdir -p /etc/systemd/system/
         curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/Jammy/nginx.service > /etc/systemd/system/nginx.service
-    systemctl daemon-reload; systemctl start nginx.service && systemctl enable nginx.service
+    else
+        curl -s https://raw.githubusercontent.com/theraw/The-World-Is-Yours/master/static/Jammy/nginx.service > /etc/systemd/system/nginx.service
+        systemctl daemon-reload
+        systemctl start nginx.service
+        systemctl enable nginx.service
+    fi
 }
 
 # Handling command-line arguments

static/Jammy/nginx.service

@@ -5,7 +5,12 @@ Wants=network-online.target
 
 [Service]
 Type=forking
-PIDFile=/var/run/nginx.pid
+PIDFile=/run/nginx.pid
+# jemalloc replaces glibc malloc — better fragmentation/perf under nginx's
+# alloc/free churn at scale. Package depends on libjemalloc2 so the .so is
+# guaranteed present. Removing this line falls back to glibc malloc cleanly.
+Environment=LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2
+ExecStartPre=/usr/bin/install -d -o nginx -g nginx -m 0755 /usr/local/nginx /usr/local/nginx/client_body_temp /usr/local/nginx/proxy_temp /usr/local/nginx/fastcgi_temp /usr/local/nginx/uwsgi_temp /usr/local/nginx/scgi_temp /var/log/nginx
 ExecStartPre=/usr/sbin/nginx -t
 ExecStart=/usr/sbin/nginx
 ExecReload=/usr/sbin/nginx -s reload

static/nginx/nginx.conf

@@ -1,8 +1,14 @@
 # Suggestions? => https://github.com/theraw/The-World-Is-Yours/issues
 # Problems?    => https://github.com/theraw/The-World-Is-Yours/issues
+#
+# Tuned for shared hosting at 5,000+ vhost scale.
+# Per-vhost listen/ssl_certificate directives live in /nginx/live/* — this
+# file only contains the global event/http settings.
+
 user nginx;
 pid /var/run/nginx.pid;
 worker_processes auto;
+worker_cpu_affinity auto;
 worker_rlimit_nofile 65535;
 
 events {
@@ -26,21 +32,46 @@ http {
     # =================== END LOGS ========================= #
 
     # ==================== GENERAL ========================= #
-    client_body_buffer_size        2M;
+    client_header_buffer_size      4k;
-    client_header_buffer_size      2M;
+    large_client_header_buffers    4 16k;
-    client_body_timeout            90s;
+    client_body_buffer_size        16k;
-    client_header_timeout          90s;
     client_max_body_size           2M;
-    keepalive_timeout              15s;
+    client_body_timeout            30s;
+    client_header_timeout          30s;
+    send_timeout                   30s;
+    reset_timedout_connection      on;
+    keepalive_timeout              65s;
+    keepalive_requests             2000;
+    max_headers                    100;
     port_in_redirect               off;
     sendfile                       on;
-    server_names_hash_bucket_size  6969;
+    sendfile_max_chunk             1m;
-    server_name_in_redirect        off;
-    server_tokens                  off;
     tcp_nodelay                    on;
     tcp_nopush                     on;
-    types_hash_max_size            2048;
+    server_tokens                  off;
-    resolver                       1.1.1.1 1.0.0.1;
+    server_name_in_redirect        off;
+
+    server_names_hash_bucket_size  128;
+    server_names_hash_max_size     32768;
+    types_hash_max_size            4096;
+
+    # File metadata cache — biggest single win for static-heavy shared hosting.
+    open_file_cache                max=200000 inactive=30s;
+    open_file_cache_valid          30s;
+    open_file_cache_min_uses       2;
+    open_file_cache_errors         on;
+
+    # ===================== TLS ============================ #
+    ssl_protocols                  TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers      off;
+    ssl_session_cache              shared:SSL:200m;
+    ssl_session_timeout            1d;
+    ssl_session_tickets            off;
+    ssl_stapling                   on;
+    ssl_stapling_verify            on;
+    # ===================== END TLS ======================== #
+    resolver                       1.1.1.1 1.0.0.1 valid=300s;
+    resolver_timeout               5s;
     default_type                   application/octet-stream;
     include                        /nginx/mime.types;
 
@@ -48,6 +79,25 @@ http {
     default upgrade;
     '' close;
     }
+
+    # ==================== COMPRESSION ===================== #
+    gzip                           on;
+    gzip_vary                      on;
+    gzip_proxied                   any;
+    gzip_comp_level                4;
+    gzip_min_length                256;
+    gzip_types                     text/plain text/css text/xml application/json application/javascript application/xml application/xml+rss application/atom+xml image/svg+xml font/ttf font/otf font/woff font/woff2;
+
+    brotli                         on;
+    brotli_comp_level              4;
+    brotli_min_length              256;
+    brotli_types                   text/plain text/css text/xml application/json application/javascript application/xml application/xml+rss application/atom+xml image/svg+xml font/ttf font/otf font/woff font/woff2;
+
+    zstd                           on;
+    zstd_comp_level                4;
+    zstd_min_length                256;
+    zstd_types                     text/plain text/css text/xml application/json application/javascript application/xml application/xml+rss application/atom+xml image/svg+xml font/ttf font/otf font/woff font/woff2;
+    # =================== END COMPRESSION ================== #
     # =================== END GENERAL ====================== #
 
     # ================ LOAD VHOST +CONFIGS ================= #

version

@@ -1,51 +1,60 @@
-export NGINX="1.26.0"
+export NGINX="1.30.0"
 
+# Lua Path
 export LUA_SCRIPTS="/usr/nginx_lua"
 
 # https://github.com/openresty/lua-nginx-module/tags
-export NGX_MOD_LUA="0.10.27"
+export NGX_MOD_LUA="0.10.29"
 
 # https://github.com/vision5/ngx_devel_kit/tags
-export NGX_MOD_DEVELKIT="0.3.3"
+export NGX_MOD_DEVELKIT="0.3.4"
 
 # https://github.com/leev/ngx_http_geoip2_module/releases
 export NGX_MOD_GEOIP2="3.4"
 
 # https://github.com/owasp-modsecurity/ModSecurity-nginx/releases
-export NGX_MOD_MODSECURITY="1.0.3"
+export NGX_MOD_MODSECURITY="1.0.4"
 
 # https://github.com/winshining/nginx-http-flv-module/releases
-export NGX_MOD_HTTPFLV="1.2.11"
+export NGX_MOD_HTTPFLV="1.2.13"
 
 # https://github.com/openresty/headers-more-nginx-module/tags
-export NGX_MOD_HEADERS_MORE="0.37"
+export NGX_MOD_HEADERS_MORE="0.39"
 
 # https://github.com/openresty/set-misc-nginx-module/releases
 export NGX_MOD_SETMISC="0.33"
 
 # https://github.com/openresty/lua-resty-core/tags
-export LUA_SCRIPTS_RESTYCORE="0.1.28"
+export LUA_SCRIPTS_RESTYCORE="0.1.32"
 
 # https://github.com/openresty/lua-resty-lrucache/tags
-export LUA_SCRIPTS_LRUCACHE="0.13"
+export LUA_SCRIPTS_LRUCACHE="0.15"
 
 # https://github.com/openresty/luajit2/tags
-export SYSTEM_LUAJIT="2.1-20231117"
+export SYSTEM_LUAJIT="2.1-20260311"
 
 # https://github.com/PCRE2Project/pcre2/releases
-export SYSTEM_PCRE="10.43"
+export SYSTEM_PCRE="10.47"
 
-# https://github.com/openssl/openssl
+# https://github.com/aws/aws-lc/tags
-export SYSTEM_OPENSSL="3.1.5-quic1"
+# AWS-LC = Amazon's BoringSSL fork. Supported natively in nginx since 1.29.2.
+# Picked over quictls (EOL OpenSSL 3.1 base) and over OpenSSL 3.5 native QUIC
+# because of better TLS handshake throughput and clean release tagging.
+export SYSTEM_AWSLC="1.72.0"
 
-# https://github.com/SpiderLabs/ModSecurity/releases
+# https://github.com/SpiderLabs/ModSecurity/releases 3.0.12
 export SYSTEM_MODSECURITY="3.0.12"
 
 # https://github.com/openresty/lua-resty-mysql/tags
-export NGX_MOD_LUA_MYSQL="0.27"
+export NGX_MOD_LUA_MYSQL="0.29"
 
 # https://github.com/openresty/lua-resty-lock/tags
 export NGX_MOD_LUA_LOCK="0.09"
 
 # https://github.com/openresty/srcache-nginx-module/tags
 export NGX_MOD_LUA_SRCACHE="0.33"
+
+# https://github.com/tokers/zstd-nginx-module/tags
+# Zstandard compression module. Chrome 123+ and Firefox 126+ send
+# `Accept-Encoding: zstd`; older clients fall back to brotli/gzip.
+export NGX_MOD_ZSTD="0.1.1"