Deploying NGINX and NGINX Plus with Docker

Rick Nelson サムネール
Rick Nelson
Published November 09, 2021

Editor – The NGINX Plus Dockerfiles for Alpine Linux and Debian were updated in November 2021 to reflect the latest software versions. They also (along with the revised instructions) use Docker secrets to pass license information when building an NGINX Plus image.

Docker is an open platform for building, shipping, and running distributed applications as containers (lightweight, standalone, executable packages of software that include everything needed to run an application). Containers can in turn be deployed and orchestrated by container orchestration platforms such as Kubernetes. (In addition to the Docker container technology discussed in this blog, NGINX provides the F5 NGINX Ingress Controller in NGINX Open Source‑based and NGINX Plus‑based versions; for NGINX Plus subscribers, support is included at no extra cost.)

As software applications, NGINX Open Source and F5 NGINX Plus are great use cases for Docker, and we publish an NGINX Open Source image on Docker Hub, the repository of Docker images. This post explains how to:


The Docker open platform includes the Docker Engine – the open source runtime that builds, runs, and orchestrates containers – and Docker Hub, a hosted service where Dockerized applications are distributed, shared, and collaborated on by the entire development community or within the confines of a specific organization.

Docker containers enable developers to focus their efforts on application “content” by separating applications from the constraints of infrastructure. Dockerized applications are instantly portable to any infrastructure – laptop, bare‑metal server, VM, or cloud – making them modular components that can be readily assembled and reassembled into fully featured distributed applications and continuously innovated on in real time.

For more information about Docker, see Why Docker? or the full Docker documentation.

Using the NGINX Open Source Docker Image

You can create an NGINX instance in a Docker container using the NGINX Open Source image from Docker Hub.

Let’s start with a very simple example. To launch an instance of NGINX running in a container and using the default NGINX configuration, run this command:

# docker run --name mynginx1 -p 80:80 -d nginxfcd1fb01b14557c7c9d991238f2558ae2704d129cf9fb97bb4fadf673a58580d

This command creates a container named mynginx1 based on the NGINX image. The command returns the long form of the container ID, which is used in the name of log files; see Managing Logging.

The -p option tells Docker to map the port exposed in the container by the NGINX image – port 80 – to the specified port on the Docker host. The first parameter specifies the port in the Docker host, while the second parameter is mapped to the port exposed in the container.

The -d option specifies that the container runs in detached mode, which means that it continues to run until stopped but does not respond to commands run on the command line. In the next section we explain how to interact with the container.

To verify that the container was created and is running, and to see the port mappings, we run docker ps. (We’ve split the output across multiple lines here to make it easier to read.)

# docker psCONTAINER ID  IMAGE         COMMAND               CREATED         STATUS        ...  
fcd1fb01b145  nginx:latest  "nginx -g 'daemon of  16 seconds ago  Up 15 seconds ... 

    ... PORTS              NAMES
    ...>80/tcp mynginx1

The PORTS field in the output reports that port 80 on the Docker host is mapped to port 80 in the container. Another way to verify that NGINX is running is to make an HTTP request to that port. The code for the default NGINX welcome page appears:

# curl http://localhost<!DOCTYPE html>
<title>Welcome to nginx!</title>
 body {
 width: 35em;
 margin: 0 auto;
 font-family: Tahoma, Verdana, Arial, sans-serif;
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href=""></a>.<br/>
Commercial support is available at
<a href=""></a>.</p>

<p><em>Thank you for using nginx.</em></p>

Working with the NGINX Docker Container

So now we have a working NGINX Docker container, but how do we manage the content and the NGINX configuration? And what about logging?

A Note About SSH

It is common to enable SSH access to NGINX instances, but the NGINX image does not have OpenSSH installed, because Docker containers are generally intended to be for a single purpose (in this case running NGINX). Instead we’ll use other methods supported by Docker.

As an alternative to the following commands, you can run the following command to open an interactive shell to a running NGINX container (instead of starting an SSH session). However, we recommend this only for advanced users.

  • On Alpine Linux systems:

    # docker exec -it NGINX_container_ID sh
  • On Debian systems:

    # docker exec -it NGINX_container_ID bash

Managing Content and Configuration Files

There are several ways you can manage both the content served by NGINX and the NGINX configuration files. Here we cover a few of the options.

Option 1 – Maintain the Content and Configuration on the Docker Host

When the container is created we can tell Docker to mount a local directory on the Docker host to a directory in the container. The NGINX image uses the default NGINX configuration, which uses /usr/share/nginx/html as the container’s root directory and puts configuration files in /etc/nginx. For a Docker host with content in the local directory /var/www and configuration files in /var/nginx/conf, run this command (which appears on multiple lines here only for legibility):

# docker run --name mynginx2 --mount type=bind source=/var/www,target=/usr/share/nginx/html,readonly --mount type=bind,source=/var/nginx/conf,target=/etc/nginx/conf,readonly -p 80:80 -d nginx

Now any change made to the files in the local directories /var/www and /var/nginx/conf on the Docker host are reflected in the directories /usr/share/nginx/html and /etc/nginx in the container. The readonly option means these directories can be changed only on the Docker host, not from within the container.

Option 2 – Copy Files from the Docker Host

Another option is to have Docker copy the content and configuration files from a local directory on the Docker host during container creation. Once a container is created, the files are maintained by creating a new container when files change or by modifying the files in the container. A simple way to copy the files is to create a Dockerfile with commands that are run during generation of a new Docker image based on the NGINX image from Docker Hub. For the file‑copy (COPY) commands in the Dockerfile, the local directory path is relative to the build context where the Dockerfile is located.

In our example, the content is in the content directory and the configuration files are in the conf directory, both subdirectories of the directory where the Dockerfile is located. The NGINX image includes default NGINX configuration files as /etc/nginx/nginx.conf and /etc/nginx/conf.d/default.conf. Because we instead want to use the configuration files from the host, we include a RUN command that deletes the default files:

FROM nginx
RUN rm /etc/nginx/nginx.conf /etc/nginx/conf.d/default.conf
COPY content /usr/share/nginx/html
COPY conf /etc/nginx

We create our own NGINX image by running the following command from the directory where the Dockerfile is located. Note the period (“.”) at the end of the command. It defines the current directory as the build context, which contains the Dockerfile and the directories to be copied.

# docker build -t mynginx_image1 .

Now we run this command to create a container called mynginx3 based on the mynginx_image1 image:

# docker run --name mynginx3 -p 80:80 -d mynginx_image1

If we want to make changes to the files in the container, we use a helper container as described in Option 3.

Option 3 – Maintain Files in the Container

As mentioned in A Note About SSH, we can’t use SSH to access the NGINX container, so if we want to edit the content or configuration files directly we have to create a helper container that has shell access. For the helper container to have access to the files, we must create a new image that has the proper Docker data volumes defined for the image. Assuming we want to copy files as in Option 2 while also defining volumes, we use the following Dockerfile:

FROM nginxRUN rm /etc/nginx/nginx.conf /etc/nginx/conf.d/default.conf
COPY content /usr/share/nginx/html
COPY conf /etc/nginx
VOLUME /usr/share/nginx/html
VOLUME /etc/nginx

We then create the new NGINX image by running the following command (again note the final period):

# docker build -t mynginx_image2 .

Now we run this command to create an NGINX container (mynginx4) based on the mynginx_image2 image:

# docker run --name mynginx4 -p 80:80 -d mynginx_image2

We then run the following command to start a helper container mynginx4_files that has a shell, enabling us to access the content and configuration directories of the mynginx4 container we just created:

# docker run -i -t --volumes-from mynginx4 --name mynginx4_files debian /bin/bashroot@b1cbbad63dd1:/#

The new mynginx4_files helper container runs in the foreground with a persistent standard input (the -i option) and a tty (the -t option). All volumes defined in mynginx4 are mounted as local directories in the helper container.

The debian argument means that the helper container uses the Debian image from Docker Hub. Because the NGINX image also uses Debian (and all of our examples so far use the NGINX image), it is most efficient to use Debian for the helper container, rather than having Docker load another operating system. The /bin/bash argument means that the bash shell runs in the helper container, presenting a shell prompt that you can use to modify files as needed.

To start and stop the container, run the following commands:

# docker start mynginx4_files# docker stop mynginx4_files

To exit the shell but leave the container running, press Ctrl+p followed by Ctrl+q. To regain shell access to a running container, run this command:

# docker attach mynginx4_files

To exit the shell and terminate the container, run the exit command.

Managing Logging

You can configure either default or customized logging.

Using Default Logging

The NGINX image is configured to send the main NGINX access and error logs to the Docker log collector by default. This is done by linking them to stdout and stderr respectively; all messages from both logs are then written to the file /var/lib/docker/containers/container-ID/container-ID-json.log on the Docker host, where container‑ID is the long‑form ID returned when you create a container. For the initial container we created in Using the NGINX Open Source Docker Image, for example, it is fcd1fb01b14557c7c9d991238f2558ae2704d129cf9fb97bb4fadf673a58580d.

To retrieve the container ID for an existing container, run this command, where container‑name is the value set by the --name parameter when the container is created (for the container ID above, for example, it is mynginx1):

# docker inspect --format '{{ .Id }}' container-name

Although you can view the logs by opening the container-ID-json.log file directly, it is usually easier to run this command:

# docker logs container-name

You can use also the Docker Engine API to extract the log messages, by issuing a GET request against the Docker Unix socket. This command returns both the access log (represented by stdout=1) and the error log (stderr=1), but you can request them singly as well:

curl --unix-socket /var/run/docker-sock http://localhost/containers/container-name/logs?stdout=1&stderr=1

To learn about other query parameters, see the Docker Engine API documentation (search for “Get container logs” on that page).

Using Customized Logging

If you want to implement another method of log collection, or if you want to configure logging differently in certain configuration blocks (such as server{} and location{}), define a Docker volume for the directory or directories in which to store the log files in the container, create a helper container to access the log files, and use whatever logging tools you like. To implement this, create a new image that contains the volume or volumes for the logging files.

For example, to configure NGINX to store log files in /var/log/nginx/log, we can start with the Dockerfile from Option 3 and simply add a VOLUME definition for this directory:

FROM nginxRUN rm /etc/nginx/nginx.conf /etc/nginx/conf.d/default.conf
COPY content /usr/share/nginx/html
COPY conf /etc/nginx
VOLUME /var/log/nginx/log

We can then create an image as described above and use it to create an NGINX container and a helper container that have access to the logging directory. The helper container can have any desired logging tools installed.

Controlling NGINX

Since we do not have direct access to the command line of the NGINX container, we cannot use the nginx command to control NGINX. Fortunately we can use signals to control NGINX, and Docker provides the kill command for sending signals to a container.

To reload the NGINX configuration, run this command:

# docker kill -s HUP container-name

To restart NGINX, run this command to restart the container:

# docker restart container-name

Deploying NGINX Plus with Docker

So far we have discussed Docker for NGINX Open Source, but you can also use it with the commercial product, NGINX Plus. The difference is you first need to create an NGINX Plus image, because as a commercial offering NGINX Plus is not available at Docker Hub. Fortunately, this is quite easy to do.

Note: Never upload your NGINX Plus images to a public repository such as Docker Hub. Doing so violates your license agreement.

Creating a Docker Image of NGINX Plus

To generate an NGINX Plus image, first create a Dockerfile. The examples we provide here use Alpine Linux 3.14 and Debian 11 (Bullseye) as the base Docker images. Before you can create the NGINX Plus Docker image, you have to download your version of the nginx-repo.crt and nginx-repo.key files. NGINX Plus customers can find them at the customer portal; if you are doing a free trial of NGINX Plus, they were provided with your trial package. Copy the files to the directory where the Dockerfile is located (the Docker build context).

As with NGINX Open Source, by default the NGINX Plus access and error logs are linked to the Docker log collector. No volumes are specified, but you can add them if desired, or each Dockerfile can be used to create base images from which you can create new images with volumes specified, as described previously.

We purposely do not specify an NGINX Plus version in the sample Dockerfiles, so that you don’t have to edit the file when you update to a new release of NGINX Plus. We have, however, included commented versions of the relevant instructions for you to uncomment if you want to make the file version‑specific.

Similarly, we’ve included instructions (commented out) that install official dynamic modules for NGINX Plus.

By default, no files are copied from the Docker host as a container is created. You can add COPY definitions to each Dockerfile, or the image you create can be used as the basis for another image as described above.

NGINX Plus Dockerfile (Debian 11)

NGINX Plus Dockerfile (Alpine Linux 3.14)

Creating the NGINX Plus Image

With the Dockerfile, nginx-repo.crt, and nginx-repo.key files in the same directory, run the following command there to create a Docker image called nginxplus (as before, note the final period):

# DOCKER_BUILDKIT=1 docker build --no-cache -t nginxplus --secret id=nginx-crt,src=your_cert_file --secret id=nginx-key,src=your_key_file .

The DOCKER_BUILDKIT=1 flag indicates that we are using Docker BuildKit to build the image, as required when including the --secret option which is discussed below.

The --no-cache option tells Docker to build the image from scratch and ensures the installation of the latest version of NGINX Plus. If the Dockerfile was previously used to build an image and you do not include the --no-cache option, the new image uses the version of NGINX Plus from the Docker cache. (As noted, we purposely do not specify an NGINX Plus version in the Dockerfile so that the file does not need to change at every new release of NGINX Plus.) Omit the --no-cache option if it’s acceptable to use the NGINX Plus version from the previously built image.

The --secret option passes the certificate and key for your NGINX Plus license to the Docker build context without risking exposing the data or having the data persist between Docker build layers. The values of the id arguments cannot be changed without altering the base Dockerfile, but you need to set the src arguments to the path to your NGINX Plus certificate and key files (the same directory where you are building the Docker image if you followed the previous instructions).

Output like the following from the docker images nginxplus command indicates that the image was created successfully:

# docker images nginxplus
nginxplus   latest  ef2bf65931cf  6 seconds ago  91.2 MB

To create a container named mynginxplus based on this image, run this command:

# docker run --name mynginxplus -p 80:80 -d nginxplus

You can control and manage NGINX Plus containers in the same way as NGINX Open Source containers.


NGINX, NGINX Plus, and Docker work extremely well together. Whether you use the NGINX Open Source image from Docker Hub or create your own NGINX Plus image, you can easily spin up new instances of NGINX and NGINX Plus in Docker containers and deploy them in your Kubernetes environment. You can also easily create new Docker images from the base images, making your containers even easier to control and manage. Make sure that all NGINX Plus instances running in your Docker containers are covered by your subscription. For details, please contact the NGINX sales team.

There is much more to Docker than we have been able to cover in this article. For more information, download our free O’Reilly eBook – Container Networking: From Docker to Kubernetes – or check out

Related Documentation

Deploying NGINX and NGINX Plus on Docker

"This blog post may reference products that are no longer available and/or no longer supported. For the most current information about available F5 NGINX products and solutions, explore our NGINX product family. NGINX is now part of F5. All previous links will redirect to similar NGINX content on"