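# Version pins and patch toggles for a custom nginx build.
# Every value is exported and nothing else runs here, so this file is presumably
# sourced by a build script that is not visible from here (TODO confirm).
#
# NOTE(review): these are release/tag names only. Git tags can be moved or
# re-created upstream, so a tag alone does not pin content. Confirm that the
# build verifies each downloaded archive against a recorded checksum or checks
# out a pinned commit; if it does not, record those values next to each pin.

export NGINX="1.31.0"

# Lua Path
# NOTE(review): Lua loaded from this directory runs inside the nginx workers.
# Confirm it is root-owned and not writable by the worker user.
export LUA_SCRIPTS="/usr/nginx_lua"

# https://github.com/openresty/lua-nginx-module/tags
export NGX_MOD_LUA="0.10.29"

# https://github.com/vision5/ngx_devel_kit/tags
export NGX_MOD_DEVELKIT="0.3.4"

# https://github.com/leev/ngx_http_geoip2_module/releases
export NGX_MOD_GEOIP2="3.4"

# https://github.com/owasp-modsecurity/ModSecurity-nginx/releases
# nginx connector for libmodsecurity; bump together with SYSTEM_MODSECURITY.
export NGX_MOD_MODSECURITY="1.0.4"

# https://github.com/winshining/nginx-http-flv-module/releases
export NGX_MOD_HTTPFLV="1.2.13"

# https://github.com/openresty/headers-more-nginx-module/tags
export NGX_MOD_HEADERS_MORE="0.39"

# https://github.com/openresty/set-misc-nginx-module/releases
export NGX_MOD_SETMISC="0.33"

# https://github.com/openresty/lua-resty-core/tags
export LUA_SCRIPTS_RESTYCORE="0.1.32"

# https://github.com/openresty/lua-resty-lrucache/tags
export LUA_SCRIPTS_LRUCACHE="0.15"

# https://github.com/openresty/luajit2/tags
export SYSTEM_LUAJIT="2.1-20260311"

# https://github.com/PCRE2Project/pcre2/releases
export SYSTEM_PCRE="10.47"

# https://github.com/aws/aws-lc/tags
# AWS-LC = Amazon's BoringSSL fork. Supported natively in nginx since 1.29.2.
# Picked over quictls (EOL OpenSSL 3.1 base) and over OpenSSL 3.5 native QUIC
# because of better TLS handshake throughput and clean release tagging.
# This is the TLS library for every connection the server terminates, so it is
# the pin that most needs to track upstream security releases.
export SYSTEM_AWSLC="1.72.0"

# https://github.com/SpiderLabs/ModSecurity/releases
# NOTE(review): this comment previously ended in "3.0.12" while the pin below is
# 3.0.14; the stale number is dropped. The connector above is fetched from the
# owasp-modsecurity organisation; confirm which URL the build actually downloads
# the engine from.
export SYSTEM_MODSECURITY="3.0.14"

# https://github.com/openresty/lua-resty-mysql/tags
export NGX_MOD_LUA_MYSQL="0.29"

# https://github.com/openresty/lua-resty-lock/tags
export NGX_MOD_LUA_LOCK="0.09"

# https://github.com/openresty/srcache-nginx-module/tags
export NGX_MOD_LUA_SRCACHE="0.33"

# https://github.com/tokers/zstd-nginx-module/tags
# Zstandard compression module. Chrome 123+ and Firefox 126+ send
# `Accept-Encoding: zstd`; older clients fall back to brotli/gzip.
export NGX_MOD_ZSTD="0.1.1"

# https://github.com/zlib-ng/zlib-ng/releases
# Drop-in libz replacement with SIMD-accelerated DEFLATE. Built in --zlib-compat
# mode, installed to /usr/local/zlib-ng/. ~2-3x faster gzip CPU vs stock zlib.
export SYSTEM_ZLIBNG="2.3.3"

# ---------------------------------------------------------------------------
# Patches applied on top of upstream nginx source (committed at build/patches/).
# 1 = apply, 0 = skip. Each patch's filename embeds the nginx version it was
# authored against, so bumping NGINX above means reviewing and refreshing every
# patch in build/patches/.
# NOTE(review): confirm the build aborts when a patch fails to apply or applies
# with rejected hunks, rather than compiling a partially patched tree.
# ---------------------------------------------------------------------------

# Required for Type=notify in the systemd unit. Mainline nginx has the
# #if (NGX_HAVE_SYSTEMD) guards but no actual sd_notify call sites; every distro
# carries their own patch. Without this, `Type=notify` times out at startup.
export APPLY_PATCH_SYSTEMD_NOTIFY=1

# Cloudflare's dynamic TLS records: ssl_dyn_rec_* directives. Varies TLS record
# size based on connection state. Saves one RTT of TTFB on the first byte and
# reduces overhead at steady state. Patch shipped at build/patches/.
# NOTE(review): this changes how TLS records are written, so re-test it when
# SYSTEM_AWSLC is bumped as well as when NGINX is bumped.
export APPLY_PATCH_DYNAMIC_TLS_RECORDS=1

# Cloudflare's HPACK dynamic-table encoder: --with-http_v2_hpack_enc. Smaller
# HTTP/2 response headers on the wire. Upstream patch is stale (last touched
# 2017; nginx 1.31 has already absorbed parts of it upstream and the remaining
# hunks reference internals that have drifted). Patch NOT yet shipped: it would
# need a full rebase. Keep the toggle here for the day someone ports it.
# NOTE(review): no patch file backs this toggle. Confirm the build fails loudly
# if it is set to 1, instead of silently skipping the missing patch.
export APPLY_PATCH_HTTP2_HPACK_ENC=0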