containers/bitnami/nginx

Bitnami Secure Image for NGINX Open Source

NGINX Open Source is a web server that can be also used as a reverse proxy, load balancer, and HTTP cache. Recommended for high-demanding sites due to its ability to provide faster content.

Overview of NGINX Open Source Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.

TL;DR

docker run --name nginx bitnami/nginx:latest

Why use Bitnami Secure Images?

Those are hardened, minimal CVE images built and maintained by Bitnami. Bitnami Secure Images are based on the cloud-optimized, security-hardened enterprise OS Photon Linux. Why choose BSI images?

• Hardened secure images of popular open source software with Near-Zero Vulnerabilities
• Vulnerability Triage & Prioritization with VEX Statements, KEV and EPSS Scores
• Compliance focus with FIPS, STIG, and air-gap options, including secure bill of materials (SBOM)
• Software supply chain provenance attestation through in-toto
• First class support for the internet’s favorite Helm charts

Each image comes with valuable security metadata. You can view the metadata in our public catalog here. Note: Some data is only available with commercial subscriptions to BSI.

If you are looking for our previous generation of images based on Debian Linux, please see the Bitnami Legacy registry.

How to deploy NGINX Open Source in Kubernetes?

Deploying Bitnami applications as Helm Charts is the easiest way to get started with our applications on Kubernetes. Read more about the installation in the Bitnami NGINX Open Source Chart GitHub repository.

Why use a non-root container?

Non-root container images add an extra layer of security and are generally recommended for production environments. However, because they run as a non-root user, privileged tasks are typically off-limits. Learn more about non-root containers in our docs.

Supported tags and respective Dockerfile links

Learn more about the Bitnami tagging policy and the difference between rolling tags and immutable tags in our documentation page.

Get this image

The recommended way to get the Bitnami NGINX Open Source Docker Image is to pull the prebuilt image from the Docker Hub Registry.

docker pull bitnami/nginx:latest

To use a specific version, you can pull a versioned tag. You can view the list of available versions in the Docker Hub Registry.

docker pull bitnami/nginx:[TAG]

If you wish, you can also build the image yourself by cloning the repository, changing to the directory containing the Dockerfile and executing the docker build command. Remember to replace the APP, VERSION and OPERATING-SYSTEM path placeholders in the example command below with the correct values.

git clone https://github.com/bitnami/containers.git
cd bitnami/APP/VERSION/OPERATING-SYSTEM
docker build -t bitnami/APP:latest .

Using docker-compose.yaml

Please be aware this file has not undergone internal testing. Consequently, we advise its use exclusively for development or testing purposes. For production-ready deployments, we highly recommend utilizing its associated Bitnami Helm chart.

Hosting a static website

This NGINX Open Source image exposes a volume at /app. Content mounted here is served by the default catch-all server block.

docker run -v /path/to/app:/app bitnami/nginx:latest

or by modifying the docker-compose.yml file present in this repository:

services:
  nginx:
  ...
    volumes:
      - /path/to/app:/app
  ...

Accessing your server from the host

To access your web server from your host machine you will need to access ports 8080 and 8443 exposed in the container.

Configuration

The following section describes how to configure the application

Adding custom server blocks

The default nginx.conf includes server blocks placed in /opt/bitnami/nginx/conf/server_blocks/. You can mount a my_server_block.conf file containing your custom server block at this location.

For example, in order add a server block for www.example.com:

Step 1: Write your my_server_block.conf file with the following content

server {
  listen 0.0.0.0:8080;
  server_name www.example.com;
  root /app;
  index index.htm index.html;
}

Step 2: Mount the server block as a volume

docker run --name nginx \
  -v /path/to/my_server_block.conf:/opt/bitnami/nginx/conf/server_blocks/my_server_block.conf:ro \
  bitnami/nginx:latest

or by modifying the docker-compose.yml file present in this repository:

services:
  nginx:
  ...
    volumes:
      - /path/to/my_server_block.conf:/opt/bitnami/nginx/conf/server_blocks/my_server_block.conf:ro
  ...

Adding custom configuration by context

The default nginx.conf supports custom configuration files organized by NGINX context. You can mount configuration files into the appropriate context directories:

• /opt/bitnami/nginx/conf/context.d/main/ - For main context directives (e.g., module loading, worker processes)
• /opt/bitnami/nginx/conf/context.d/events/ - For events context directives (e.g., worker_connections)
• /opt/bitnami/nginx/conf/context.d/http/ - For http context directives (equivalent to server_blocks)

For example, to enable the WebDAV module, create a webdav.conf file with the following content:

load_module /opt/bitnami/nginx/modules/ngx_http_dav_module.so;

Mount it to the main context directory:

docker run --name nginx \
  -v /path/to/webdav.conf:/opt/bitnami/nginx/conf/context.d/main/webdav.conf:ro \
  bitnami/nginx:latest

or by modifying the docker-compose.yml file:

services:
  nginx:
  ...
    volumes:
      - /path/to/webdav.conf:/opt/bitnami/nginx/conf/context.d/main/webdav.conf:ro
  ...

Similarly, you can add custom server blocks to the http context:

docker run --name nginx \
  -v /path/to/my_server_block.conf:/opt/bitnami/nginx/conf/context.d/http/my_server_block.conf:ro \
  bitnami/nginx:latest

Adding custom stream server blocks

Similar to server blocks, you can include server blocks for the NGINX Stream Core Module mounting them at /opt/bitnami/nginx/conf/stream_server_blocks/. In order to do so, it's also necessary to set the NGINX_ENABLE_STREAM environment variable to yes.

Step 1: Write your my_stream_server_block.conf file with the following content

upstream backend {
    hash $remote_addr consistent;

    server backend1.example.com:12345 weight=5;
    server 127.0.0.1:12345            max_fails=3 fail_timeout=30s;
    server unix:/tmp/backend3;
}

server {
    listen 12345;
    proxy_connect_timeout 1s;
    proxy_timeout 3s;
    proxy_pass backend;
}

Step 2: Mount the stream server block as a volume

docker run --name nginx \
  -e NGINX_ENABLE_STREAM=yes \
  -v /path/to/my_stream_server_block.conf:/opt/bitnami/nginx/conf/stream_server_blocks/my_stream_server_block.conf:ro \
  bitnami/nginx:latest

or by modifying the docker-compose.yml file present in this repository:

services:
  nginx:
  ...
    environment:
      - NGINX_ENABLE_STREAM=yes
  ...
    volumes:
      - /path/to/my_stream_server_block.conf:/opt/bitnami/nginx/conf/stream_server_blocks/my_stream_server_block.conf:ro
  ...

Using custom SSL certificates

NOTE: The steps below assume that you are using a custom domain name and that you have already configured the custom domain name to point to your server.

Step 1: Prepare your certificate files

In your local computer, create a folder called certs and put your certificates files. Make sure you rename both files to tls.crt and tls.key respectively:

mkdir -p /path/to/nginx-persistence/certs
cp /path/to/certfile.crt /path/to/nginx-persistence/certs/tls.crt
cp /path/to/keyfile.key  /path/to/nginx-persistence/certs/tls.key

Step 2: Provide a custom Server Block for SSL connections

Write your my_server_block.conf file with the SSL configuration and the relative path to the certificates:

  server {
    listen       8443 ssl;

    ssl_certificate      bitnami/certs/tls.crt;
    ssl_certificate_key  bitnami/certs/tls.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
      root   html;
      index  index.html index.htm;
    }
  }

Step 3: Run the NGINX Open Source image and open the SSL port

Run the NGINX Open Source image, mounting the certificates directory from your host.

docker run --name nginx \
  -v /path/to/my_server_block.conf:/opt/bitnami/nginx/conf/server_blocks/my_server_block.conf:ro \
  -v /path/to/nginx-persistence/certs:/certs \
  bitnami/nginx:latest

or by modifying the docker-compose.yml file present in this repository:

services:
  nginx:
  ...
    volumes:
    - /path/to/nginx-persistence/certs:/certs
    - /path/to/my_server_block.conf:/opt/bitnami/nginx/conf/server_blocks/my_server_block.conf:ro
  ...

Solving redirection issues

By default redirections issued by NGINX Open Source image will be relative. If you need to activate absolute redirections you can set NGINX_ENABLE_ABSOLUTE_REDIRECT to yes. You should pay attention to the port where the container is listening, because it won't appear in redirections unless you set also NGINX_ENABLE_PORT_IN_REDIRECT to yes.

In the following lines you can see different examples what explain how redirections work. All of them will assume that we have the following content in the server block my_redirect_server_block.conf:

server {
  listen 0.0.0.0:8080;
  server_name www.example.com;
  root /app;
  index index.htm index.html;
  location /test/ {
    return 301 /index.html;
  }
}

Default configuration

docker run --name nginx --rm -p 9000:8080 \
  -v /path/to/my_redirect_server_block.conf:/opt/bitnami/nginx/conf/server_blocks/my_redirect.conf:ro \
  bitnami/nginx:latest

As mentioned, default redirections issued by NGINX Open Source image will be relative. The client should build the final URL

$ curl -kI http://localhost:9000/test/
HTTP/1.1 301 Moved Permanently
...
Location: /index.html
...
$ curl -w %{redirect_url}\\n -o /dev/null http://localhost:9000/test/
http://localhost:9000/index.html

Please keep in mind that some old clients could be not compatible with relative redirections.

Absolute redirect enabled

docker run --name nginx --rm -p 9000:8080 \
  -v /path/to/my_redirect_server_block.conf:/opt/bitnami/nginx/conf/server_blocks/my_redirect.conf:ro \
  -e NGINX_ENABLE_ABSOLUTE_REDIRECT=yes \
  bitnami/nginx:latest

As result, the container will reply with a full URL in the Location header but it doesn't have the port. This is useful if you are exposing the container in standard ports (80 or 443)

$ curl -kI http://localhost:9000/test/
HTTP/1.1 301 Moved Permanently
...
Location: http://localhost/index.html
...

Port in redirect enabled

docker run --name nginx --rm -p 9000:8080 \
  -v /path/to/my_redirect_server_block.conf:/opt/bitnami/nginx/conf/server_blocks/my_redirect.conf:ro \
  -e NGINX_ENABLE_ABSOLUTE_REDIRECT=yes \
  -e NGINX_ENABLE_PORT_IN_REDIRECT=yes \
  bitnami/nginx:latest

In this case the container will include the port where it is listening to in redirections, not the port where it is exposed (in the example 8080 vs 9000)

$ curl -kI http://localhost:9000/test/
HTTP/1.1 301 Moved Permanently
...
Location: http://localhost:8080/index.html
...

To amend this situation and build reachable URLs, you have to run the container listening in the same port that you are exposing

docker run --name nginx --rm -p 9000:9000 \
  -v /path/to/my_redirect_server_block.conf:/opt/bitnami/nginx/conf/server_blocks/my_redirect.conf:ro \
  -e NGINX_ENABLE_ABSOLUTE_REDIRECT=yes \
  -e NGINX_ENABLE_PORT_IN_REDIRECT=yes \
  -e NGINX_HTTP_PORT_NUMBER=9000
  bitnami/nginx:latest

Full configuration

The image looks for configurations in /opt/bitnami/nginx/conf/nginx.conf. You can overwrite the nginx.conf file using your own custom configuration file.

docker run --name nginx \
  -v /path/to/your_nginx.conf:/opt/bitnami/nginx/conf/nginx.conf:ro \
  bitnami/nginx:latest

or by modifying the docker-compose.yml file present in this repository:

services:
  nginx:
  ...
    volumes:
      - /path/to/your_nginx.conf:/opt/bitnami/nginx/conf/nginx.conf:ro
  ...

FIPS configuration in Bitnami Secure Images

The Bitnami NGINX Open Source Docker image from the Bitnami Secure Images catalog includes extra features and settings to configure the container with FIPS capabilities. You can configure the next environment variables:

• OPENSSL_FIPS: whether OpenSSL runs in FIPS mode or not. yes (default), no.

Reverse proxy to other containers

NGINX can be used to reverse proxy to other containers using Docker's linking system. This is particularly useful if you want to serve dynamic content through an NGINX frontend. To do so, add a server block like the following in the /opt/bitnami/nginx/conf/server_blocks/ folder:

server {
    listen 0.0.0.0:8080;
    server_name yourapp.com;
    access_log /opt/bitnami/nginx/logs/yourapp_access.log;
    error_log /opt/bitnami/nginx/logs/yourapp_error.log;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header HOST $http_host;
        proxy_set_header X-NginX-Proxy true;

        proxy_pass http://[your_container_alias]:[your_container_port];
        proxy_redirect off;
    }
}

Further Reading:

• NGINX reverse proxy

Logging

The Bitnami NGINX Open Source Docker image sends the container logs to the stdout. To view the logs:

docker logs nginx

or using Docker Compose:

docker-compose logs nginx

You can configure the containers logging driver using the --log-driver option if you wish to consume the container logs differently. In the default configuration docker uses the json-file driver.

Customize this image

The Bitnami NGINX Open Source Docker image is designed to be extended so it can be used as the base image for your custom web applications.

Extend this image

Before extending this image, please note there are certain configuration settings you can modify using the original image:

• Settings that can be adapted using environment variables. For instance, you can change the port used by NGINX for HTTP setting the environment variable NGINX_HTTP_PORT_NUMBER.
• Adding custom server blocks.
• Replacing the 'nginx.conf' file.
• Using custom SSL certificates.
• Solving redirection issues.

If your desired customizations cannot be covered using the methods mentioned above, extend the image. To do so, create your own image using a Dockerfile with the format below:

FROM bitnami/nginx
### Put your customizations below
...

NGINX HTTP DAV module

The module ngx_http_dav_module is intended for file management automation via the WebDAV protocol. In current Bitnami images, this module is built as a dynamic module located under the /opt/bitnami/nginx/modules directory. You will need to load it in your NGINX configuration for you to be able to use its directives.

load_module /opt/bitnami/nginx/modules/ngx_http_dav_module.so;

Adding custom NGINX modules

To add a custom NGINX module, it is necessary to compile NGINX with that module and copy over the appropriate files to the Bitnami image.

Useful Links

• Create An EMP Development Environment With Bitnami Containers

Notable Changes

Starting February 10, 2025

• The module ngx_http_dav_module, WebDAV protocol, has been converted into a dynamic module.

1.29.0-debian-12-r4

• This image updates TLS-related files: certificates and keys are now tls.crt/tls.key (from server.crt/server.key), and the certificate signing request is now tls.csr (from server.csr). This change aligns better with the kubernetes.io/tls secret type, enhancing consistency.

1.24.0-debian-11-r142 and 1.25.2-debian-11-r33

• Added support for Module ngx_http_dav_module, WebDAV protocol.

1.18.0-debian-10-r210 and 1.19.6-debian-10-r1

• Added support for enabling dynamic modules.

1.16.1-centos-7-r173

• 1.16.1-centos-7-r173 is considered the latest image based on CentOS.
• Standard supported distros: Debian & OEL.

1.16.0-r3

• This image has been adapted so it's easier to customize. See the Customize this image section for more information.
• The recommended mount point for adding custom server blocks changes from /opt/bitnami/nginx/conf/vhosts to /opt/bitnami/nginx/conf/server_blocks. Remember to update your Docker Compose files to user the new mount point.

License

Copyright © 2026 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.