Implement brotli compression by default, improve compression mechanics

openizr · Sep 4, 2022 · 9c91903 · 9c91903
1 parent c01085e
commit 9c91903
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 2 deletions.
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
@@ -1,4 +1,57 @@
-FROM nginx:1.21.1-alpine
+FROM nginx:1.23.1-alpine as brotli
+RUN apk add --no-cache make git gcc g++ pcre-dev zlib-dev openssl-dev brotli brotli-libs
+RUN git clone https://github.com/google/ngx_brotli.git
+WORKDIR /ngx_brotli
+RUN git submodule update --init
+WORKDIR /
+RUN wget https://nginx.org/download/nginx-1.23.1.tar.gz && tar zxvf nginx-1.23.1.tar.gz
+WORKDIR /nginx-1.23.1
+RUN ./configure \
+  --prefix=/etc/nginx \
+  --sbin-path=/usr/sbin/nginx \
+  --modules-path=/usr/lib/nginx/modules \
+  --conf-path=/etc/nginx/nginx.conf \
+  --error-log-path=/var/log/nginx/error.log \
+  --http-log-path=/var/log/nginx/access.log \
+  --pid-path=/var/run/nginx.pid \
+  --lock-path=/var/run/nginx.lock \
+  --http-client-body-temp-path=/var/cache/nginx/client_temp \
+  --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
+  --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
+  --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
+  --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
+  --with-perl_modules_path=/usr/lib/perl5/vendor_perl \
+  --user=nginx \
+  --group=nginx--with-file-aio \
+  --with-threads \
+  --with-http_addition_module \
+  --with-http_auth_request_module \
+  --with-http_dav_module \
+  --with-http_flv_module \
+  --with-http_gunzip_module \
+  --with-http_gzip_static_module \
+  --with-http_mp4_module \
+  --with-http_random_index_module \
+  --with-http_realip_module \
+  --with-http_secure_link_module \
+  --with-http_slice_module \
+  --with-http_ssl_module \
+  --with-http_stub_status_module \
+  --with-http_sub_module \
+  --with-http_v2_module \
+  --with-mail \
+  --with-mail_ssl_module \
+  --with-stream \
+  --with-stream_realip_module \
+  --with-stream_ssl_module \
+  --with-stream_ssl_preread_module \
+  --with-cc-opt='-Os -fomit-frame-pointer -g' \
+  --with-ld-opt=-Wl,--as-needed,-O1,--sort-common \
+  --with-compat \
+  --add-dynamic-module=../ngx_brotli
+RUN make && make install
+
+FROM nginx:1.23.1-alpine
 
 ENV CSP="default-src 'self' https: data:; base-uri 'self'; frame-ancestors 'self'; object-src 'none';"
 ENV BOT_USER_AGENTS=___
@@ -14,6 +67,9 @@ COPY ./extra.conf /etc/nginx/conf.d/extra.conf
 COPY ./docker-entrypoint.sh /docker-entrypoint.sh
 COPY ./80.conf.template /etc/nginx/templates/80.conf.template
 COPY ./80.static.conf.template /etc/nginx/templates/80.static.conf.template
+COPY --from=brotli /usr/bin/brotli /usr/bin/brotli
+COPY --from=brotli /usr/lib/nginx/modules/ngx_http_brotli_static_module.so /usr/lib/nginx/modules/ngx_http_brotli_static_module.so
+COPY --from=brotli /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so
 
 # Run nginx as non-root user.
 RUN chown -R nginx:nginx /etc/nginx && chown -R nginx:nginx /var/cache/nginx

diff --git a/nginx/docker-entrypoint.sh b/nginx/docker-entrypoint.sh
@@ -19,6 +19,17 @@ else
   fi
 fi
 
+# Pre-compressing static assets (see https://expeditedsecurity.com/blog/nginx-brotli/)...
+old_ifs=$ifs
+ifs=$'\n'
+for file in $(find /var/www/html/public -type f -iname '*.css' -o -iname '*.js' -o -iname '*.svg' -o -iname '*.json' -o -iname '*.txt' -o -iname '*.html' -o -iname '*.xml' -o -iname '*.ttf' -o -iname '*.otf'); do
+    echo -n "Compressing ${file}..."
+    gzip --force -9 -k ${file};
+    brotli ${file} --force -o ${file}.br;
+    echo "done."
+done
+ifs=$old_ifs
+
 if [ "$1" = "nginx" -o "$1" = "nginx-debug" ]; then
     if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
         echo >&3 "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -1,3 +1,6 @@
+load_module modules/ngx_http_brotli_filter_module.so;
+load_module modules/ngx_http_brotli_static_module.so;
+
 worker_processes auto;
 pid /tmp/nginx.pid;
 
@@ -22,10 +25,18 @@ http {
 
   # Gzip settings.
   gzip on;
-  gzip_min_length 1024;
+  gzip_static on;
   gzip_comp_level 3;
+  gzip_min_length 1024;
   gzip_types text/text text/plain text/xml text/css text/javascript text/json application/x-javascript application/javascript application/json image/x-icon image/ico image/icon image/vnd.microsoft.icon application/x-font-woff application/font-woff application/octet-stream application/vnd.ms-fontobject font/opentype image/svg+xml;
 
+  # Brotli settings.
+  brotli on;
+  brotli_static on;
+  brotli_comp_level 4;
+  brotli_min_length 1024;
+  brotli_types text/text text/plain text/xml text/css text/javascript text/json application/x-javascript application/javascript application/json image/x-icon image/ico image/icon image/vnd.microsoft.icon application/x-font-woff application/font-woff application/octet-stream application/vnd.ms-fontobject font/opentype image/svg+xml;
+
   include /etc/nginx/conf.d/80.conf;
   include /etc/nginx/conf.d/extra.conf;
 }