Catalog | build with confidence

server { listen 8080 default_server; listen [::]:8080 default_server; # Everything is a 404 location / { return 404; } # You may need this to prevent return 404 recursion. location = /404.html { internal; } }

FROM registry.hardened.eu/library/nginx-fips:latest # Copy your custom nginx configuration COPY my-site.conf /etc/nginx/http.d/ # Copy your website files COPY website/ /usr/share/nginx/html/ # Ensure proper permissions for the hardenedeu user RUN chown -R 10000:10000 /usr/share/nginx/html /etc/nginx/http.d/

# Check OpenSSL FIPS status docker run --rm registry.hardened.eu/library/nginx-fips:latest openssl version -a # Verify FIPS provider is loaded docker run --rm registry.hardened.eu/library/nginx-fips:latest openssl list -providers

docker run -p 8080:8080 \ -v /path/to/nginx.conf:/etc/nginx/nginx.conf:ro \ -v /path/to/sites:/etc/nginx/http.d:ro \ -v /path/to/html:/usr/share/nginx/html:ro \ registry.hardened.eu/library/nginx-fips:latest

server { listen 8443 ssl; server_name example.com; http2 on; ssl_certificate /etc/nginx/ssl/cert.pem; ssl_certificate_key /etc/nginx/ssl/key.pem; # FIPS-compliant SSL configuration ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256; ssl_prefer_server_ciphers off; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; root /usr/share/nginx/html; index index.html; }

# https://ssl-config.mozilla.org, nginx intermediate http { server { listen 8443 ssl; listen [::]:8443 ssl; http2 on; ssl_certificate /path/to/signed_cert_plus_intermediates; ssl_certificate_key /path/to/private_key; # HSTS (ngx_http_headers_module is required) (63072000 seconds) add_header Strict-Transport-Security "max-age=63072000" always; } # intermediate configuration ssl_protocols TLSv1.2 TLSv1.3; ssl_ecdh_curve X25519:prime256v1:secp384r1; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; ssl_prefer_server_ciphers off; # see also ssl_session_ticket_key alternative to stateful session cache ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; # about 40000 sessions # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam ssl_dhparam "/path/to/dhparam"; # OCSP stapling ssl_stapling on; ssl_stapling_verify on; # verify chain of trust of OCSP response using Root CA and Intermediate certs ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; # replace with the IP address of your resolver; # async 'resolver' is important for proper operation of OCSP stapling resolver 127.0.0.1; }

cat >hardened.pub <<EOL -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbxhUFlXkIIbDzdRAR9rc6kDPNb+k J48lhqqlOMyiq3jkbKXNj2sEFMduFlNh63MrZA59PKf4TjS1AiCrvaFXNA== -----END PUBLIC KEY----- EOL

Hash	Tag	Size (compressed)	Last updated	Actions
sha256:f4003075fae65...	latest x86_64	4.89 MB	14:03:41 19/08/2025 UTC (Calculating...)
••••••••••••	••••••••••••	••••••••••••	••••••••••••	Contact Hardened

Package	Version	License
alpine-os-release	3.22-r2	MIT
busybox	10.0.0-r0	GPL-2.0-only
dash	0.5.12-r3	(BSD-3-Clause AND GPL-2.0-or-later)
dash-binsh	0.5.12-r3	(BSD-3-Clause AND GPL-2.0-or-later)
libcrypto3	3.5.2-r0	Apache-2.0
libssl3	3.5.2-r0	Apache-2.0
musl	1.2.5-r10	MIT
nginx	1.28.0-r3	BSD-2-Clause
nginx-hardened-config	1.0.0-r0	Apache-2.0
openssl	3.5.2-r0	Apache-2.0
openssl-fips-provider	3.1.2-r0	Apache-2.0
pcre2	10.43-r1	BSD-3-Clause
zlib	1.3.1-r2	Zlib

APACHE-2.0 (permissive)

The Apache License 2.0 is also a permissive license, similar to the MIT License, but with additional protections related... Show more

View License

BSD-2-CLAUSE (permissive)

The BSD 2-Clause License is a permissive license originating from the Berkeley Software Distribution (BSD). It allows fo... Show more

View License

BSD-3-CLAUSE (permissive)

The BSD 3-Clause License is another permissive license originating from the Berkeley Software Distribution (BSD). It all... Show more

View License

GPL-2.0 (strong-copyleft)

The GNU General Public License version 2 (GPL-2.0) is a strict copyleft license. If you modify and distribute software l... Show more

View License

MIT (permissive)

The MIT License is a highly permissive open-source license. It allows users to do almost anything with a project, includ... Show more

View License

ZLIB (permissive)

The zlib License is a permissive license that allows users to use, modify, and distribute the software freely. It's simi... Show more

View License

	CVE	Severity	Package	Version	Fixed In
	CVE-2025-53859	Medium	nginx	1.28.0-r3	Not fixed
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This issue happens during the NGINX SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data. The issue affects NGINX only if (1) it is built with the ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method "none," and (3) the authentication server returns the "Auth-Wait" response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. CVE: CVE-2025-53859 Package: nginx Version: 1.28.0-r3 Severity: MEDIUM Fixed In: Not fixed

nginx-fips

APACHE-2.0 (permissive)

BSD-2-CLAUSE (permissive)

BSD-3-CLAUSE (permissive)

GPL-2.0 (strong-copyleft)

MIT (permissive)

ZLIB (permissive)

Compare Images