// NGINX Modules Optimized & Extended for Debian/Ubuntu

NGINX modules optimized & extended

Current version: 1.31.1  ·  Last built: 2026-05-27  ·  Modules shipped: 101 dynamic + 10 standalone libraries  ·  Sub-packages: 9 core + 101 modules (110 binary packages)  ·  Patches: 8 core + 12 module patches  ·  Distros: Debian bullseye / bookworm / trixie, Ubuntu jammy / noble / resolute

This page is the canonical index for the deb.myguard.nl NGINX and Angie packages: a hardened, mainline build with HTTP/3 (QUIC), kTLS, Brotli, Zstandard, ModSecurity v3, Lua/NJS scripting and over a hundred dynamic modules, packaged for Docker, WordPress, Magento and OpenCart workloads. Rebuilds usually run within a few hours of an upstream nginx release; if no patch conflicts trip the pipeline, the new .deb and Docker image are published automatically.

Builds track Debian upstream closely and are backported to older releases. Most of the optional modules are included because you asked for them — if a module you need is missing, open an issue and it usually ends up in the next build.

Software is provided as-is, no commercial support, but build bugs get fixed and questions answered when time allows.

On this page

How to install

Debian deprecated the meta-packages nginx-light, nginx-core, nginx-extras and nginx-full. The supported installation pattern is now: install nginx, then add each dynamic module you need.

apt-get install nginx
apt-get install libnginx-mod-http-fancyindex libnginx-mod-http-brotli libnginx-mod-http-zstd

Repository setup, signing keys, and per-distribution suite names are covered on How to use. Containerised builds live in Angie and NGINX Docker Images — a good general-purpose tag is eilandert/nginx-modsecurity3-pagespeed:deb-php8.3.

If you want the smallest possible footprint, install nginx-minimal instead. It strips every non-essential static module (keeping only proxy, cache and FastCGI) and still loads any of the dynamic modules below — ideal for a slim WordPress reverse-proxy container.

Module groups at a glance

  • Security & WAF: ModSecurity v3, Naxsi, ngx_waf, captcha, JS challenge, testcookie, security-headers, bot-verifier.
  • Auth & access control: LDAP, PAM, SPNEGO/Kerberos, JWT, HMAC, AWS-auth, access-plus, CORS, cookie controls, dynamic rate limiting.
  • Compression, cache & storage: Brotli & unbrotli, Zstandard & unzstd, cache-purge, cache-dechunk, memcached, redis2, srcache, slowfs-cache, sorted-querystring.
  • Scripting & extensibility: Lua (OpenResty), NJS, NDK, echo, set-misc, eval, headers-more, subs-filter, xslt, response & header manipulation.
  • Streaming, media & realtime: RTMP, Nchan, push-stream, HTTP-FLV live, MPEG-TS, VOD (HLS/DASH/MSS), stream, stream-lua, stream-njs.
  • Observability: VTS, STS, statsd, upstream-log, log-var-set, extra-variables, error-log-write.

Build features

  • Latest mainline NGINX, packaged for Debian and Ubuntu.
  • Vendor branding stripped from the server signature.
  • Hardened default nginx.conf and a snippets/ tree with bot/security/hardening/proxy examples.
  • Linked against OpenSSL-NGINX for full TLS 1.3, HTTP/3 (QUIC), kTLS and a web-server-tuned OpenSSL build.
  • Includes the Cloudflare Optimizing TLS over TCP patch for lower handshake latency.
  • SSL defaults tuned for A+ on SSL Labs.
  • kTLS ready — load the tls kernel module and add ssl_conf_command Options KTLS; in the http { } block.
  • Built with AIO and threads (better throughput on ZFS and other high-latency filesystems).
  • Linked against zlib-ng (native mode) for faster gzip.
  • Compiled with -Ofast, frame-pointer omission and aggressive inlining; LTO is deliberately disabled (-fno-lto) to keep dynamic modules ABI-compatible across rebuilds. _FORTIFY_SOURCE=3 is enforced on top of the Debian hardening flags.
  • TCP Fast Open enabled — activate with sysctl -w net.ipv4.tcp_fastopen=3.
  • PageSpeed ships with a separately built PSOL (Page Speed Optimisation Library) per distribution.
  • Daily-rebuilt Docker images on Docker Hub.
  • The OWASP ModSecurity Core Rule Set is repackaged on every nginx version bump.
  • A bundle of useful lua-resty modules, also repackaged per nginx release.
  • NGINX and OpenSSL patched to allow yielding in ssl_session_fetch_by_lua* and ssl_certificate_by_lua*.

Extra NGINX modules built from git (dynamic)

Every entry below links to the upstream source repository it’s built from — usually GitHub, occasionally a project home page. The handful of unlinked entries (image-filter, perl, geoip, xslt-filter, mail, stream, stream-geoip) are internal modules shipped with the upstream nginx / Angie source tree; they have no separate repository because they live in nginx/nginx itself. If you find a module that’s missing a link, file a bug.

Standalone libraries provided

  • libmodsecurity3 – v3 library component used by the nginx connector.
  • modsecurity-crs – OWASP ModSecurity Core Rule Set.
  • libjemalloc2 – jemalloc allocator, built specifically for NGINX (use the one from this repo).
  • libz-ng2 – next-generation zlib data-compression library (native mode).
  • lua-resty – bundle of the most-used Lua modules for libnginx-mod-http-lua.
  • lua-resty-core – FFI-based Lua API for ngx_http_lua_module / ngx_stream_lua_module (OpenResty).
  • lua-resty-lrucache – Lua-land LRU cache based on the LuaJIT FFI (OpenResty).
  • openssl-nginx – dedicated OpenSSL build tuned for nginx (kTLS, QUIC, leaner crypto defaults).
  • PSOL – Page Speed Optimisation Library, per-distro builds for ngx_pagespeed.
  • wordpress-hardening-plugin – opinionated WordPress hardening plugin (login lockdown, REST/XML-RPC throttling, ModSecurity-friendly headers, FireHOL Level 1 integration, CI-tested against Apache+ModSec v2 and nginx+libmodsecurity3).

Custom scripts

  • reorder-modules.sh – prioritises certain nginx modules in the right load order, with Docker support.
  • cloudflare.sh – fetch Cloudflare IP ranges for inclusion in a vhost using CF-Connecting-IP.

Applied patches

The complete patch series applied to every nginx build on this repository, in the exact order the Debian packaging applies them (debian/patches/series):

  1. 0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch – keeps the Server: response header and nginx -v output identical across the whole package matrix, so client fingerprints don’t drift between distros or rebuilds.
  2. nginx-fix-pidfile.patch – restores the correct /run/nginx.pid handling for systemd-supervised installs, preventing the post-reload PID-file race that ships in mainline.
  3. 1.30.0-zlib-ng.patch – teaches nginx’s gzip filter about zlib-ng in native mode, so the package links against the faster compressor without breaking ABI for callers expecting classic zlib.
  4. nginx_hpack.patch – carries the well-known Cloudflare HPACK encoding patch, shrinking HTTP/2 response headers (Cookie / Set-Cookie heavy workloads see the biggest win).
  5. nginx_dynamic_tls_records.patch – enables the Cloudflare dynamic TLS record sizing logic so the first byte of TLS payload arrives in a single packet, cutting time-to-first-byte over the wire.
  6. nginx-ssl_cert_cb_yield.patch – lets Lua handlers yield (cosocket calls, sleeps, redis lookups…) from inside ssl_certificate_by_lua* and ssl_session_fetch_by_lua* callbacks; required for any non-trivial dynamic-certificate setup.
  7. http2-ktls-lingering-close-eio.patch – silences the spurious SSL_read() failed (EIO) alert that mainline emits when an HTTP/2 client closes a kTLS connection during lingering-close; cosmetic only, but it filled error logs.
  8. myguard-branding.patch – final branding sweep: replaces vendor strings and tweaks the default error pages so packaged installs identify as nginx only, not nginx (Debian) or nginx (Ubuntu).

Bundled support libraries

Upstream libraries vendored into the build and linked into specific modules. Not loadable as nginx modules themselves; listed for transparency.

  • libinjection – SQL injection and XSS detection library. Bundled because the http-waf module links against it for its pattern-matching engine.
  • quickjs-ng – Maintained fork of the QuickJS JavaScript engine. Compiled and staged at build time so the njs dynamic module can be linked against the QuickJS engine instead of njs’s older bundled interpreter.

Frequently asked questions

Which Debian and Ubuntu releases are supported?
Bullseye, bookworm and trixie on the Debian side; jammy, noble and resolute on the Ubuntu side. Each release gets its own build of nginx, Angie, the dynamic modules, PSOL and the standalone libraries, with daily-rebuilt Docker images on Docker Hub.
What is the difference between nginx and Angie on this repo?
Angie is an actively maintained, drop-in-compatible nginx fork that started after the F5 acquisition. The deb.myguard.nl Angie packages share the same module ecosystem, the same dynamic module names, and the same patches (PSOL, zlib-ng, dynamic TLS records, kTLS lingering-close fix) where they apply, so you can flip between the two with a single apt install.
How do I enable HTTP/3 (QUIC)?
HTTP/3 is compiled in via the OpenSSL-NGINX build, so it is just configuration: add listen 443 quic reuseport; alongside the normal listen 443 ssl; and advertise it with add_header Alt-Svc 'h3=":443"; ma=86400';. See the HTTP/3 on NGINX guide linked under See also for a complete vhost.
How do I turn on kTLS?
Load the kernel TLS module with modprobe tls (and persist it via /etc/modules-load.d/), then add ssl_conf_command Options KTLS; inside your http { } block. nginx will offload the symmetric crypto to the kernel and you will see fewer userspace copies in perf top.
Can I install just the modules I need without nginx-extras?
Yes — that is the whole point of the per-module packaging. apt install nginx gives you the base; then add only libnginx-mod-http-brotli, libnginx-mod-http-modsecurity, or whatever else you want. The nginx-minimal package goes further by stripping non-essential static modules from the base build for the leanest possible footprint.
How often are the packages rebuilt?
Within a few hours of every upstream nginx release. If no patches conflict, the new .deb and Docker image are uploaded automatically. The OWASP Core Rule Set, lua-resty bundle and PSOL get a fresh build on every nginx version bump as well.
Is there commercial support?
Not today — but there is a first time for everything. The packages are provided as-is; build bugs get fixed and questions are answered when time allows. If you have a serious production need (custom modules, SLA, retainer, on-call), reach out via the contact form and we can talk. For everyone else: mirror the repo into your own apt cache and pin a known-good version.
Where do I report a bug or request a module?
Open an issue on the relevant GitHub repo under the eilandert account, or leave a comment on this site. Most of the optional modules in the list above exist specifically because a reader asked for them.

Related deep-dives

Most of the modules and patches above have a dedicated explainer post on this site — install walk-throughs, internals, benchmarks and history. Read them for context before tuning a production stack.

Compression

TLS, HTTP/3 and OpenSSL

Security, WAF and hardening

Scripting (Lua and NJS)

Performance, benchmarks and operations

History, deprecations and releases

Mail, PHP and other packaged software

History and background

See also

  • OpenSSL-NGINX – the dedicated OpenSSL build these packages are linked against for kTLS, QUIC, and leaner crypto defaults.
  • HTTP/3 on NGINX – QUIC setup on current Debian and Ubuntu releases.
  • Post-Quantum TLS for NGINX and Angie – hybrid ML-KEM TLS using these OpenSSL-enabled builds today.
  • Angie and NGINX Docker Images – the daily-rebuilt containers and image tags.
  • lua-resty modules – the bundled OpenResty helper libraries packaged alongside nginx.
  • How to use – repository setup, signing keys and per-distribution suite names.
  • eilandert/zstd-nginx-module – our maintained fork of the zstd-nginx-module (the source for libnginx-mod-http-zstd on this repo); fuzz tests, AGENTS notes and a security policy live there.
  • eilandert/wordpress-hardening-plugin – the WordPress hardening plugin packaged alongside these builds; integration-tested against both Apache + ModSecurity v2 and nginx + libmodsecurity3.
  • Articles – release notes, build write-ups and configuration walkthroughs.

See also: Self-Hosting Aptly: Run Your Own Debian APT Repository Behind NGINX.