I am investigating FIPS compliance for our platform. nginx is one of the components and we use nginx 1.15.1. I found the documentation about NGINX Plus being FIPS compliant:
"When NGINX Plus is executed on an operating system where a FIPS‑validated OpenSSL cryptographic module is present and FIPS mode is enabled, NGINX Plus is compliant with FIPS 140-2 with respect to the decryption and encryption of SSL/TLS and HTTP/2 traffic."
https://docs.nginx.com/nginx/fips-compliance-nginx-plus/
Does this apply to open source nginx as well? I did not find any documentation for the open source version. I have posted the query in the nginx forum as well, but I am checking here too in case folks have already done FIPS compliance with the open source version.
According to this blog post, it's not a "No" but more of a "We can't be sure" (emphasis mine):
"NGINX tests and verifies that NGINX Plus operates correctly when it is run on a FIPS‑enabled OS that is running in FIPS mode. NGINX cannot make similar statements for NGINX Open Source..."
They can't make claims for the OS you compile on or the flags that you use to build. There's a lot going on in an OpenSSL build.
https://wiki.openssl.org/index.php/Compilation_and_Installation
And any deviation from the "trusted path" or "validated" build steps may invalidate your installation.
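As an added example (not from the answer above or from NGINX), the sketch below reviews the output of `nginx -V` plus the kernel FIPS flag for build choices that step outside the OS-provided OpenSSL module. It assumes a Linux host that exposes `/proc/sys/crypto/fips_enabled`; the function name, finding labels and sample outputs are constructed for illustration, and an empty result means only that no obvious deviation was seen, not that the build is validated.

```python
import re
import subprocess

# Constructed `nginx -V` outputs for illustration (not captured from a real host).
SAMPLE_SYSTEM_LIB = """\
nginx version: nginx/1.15.1
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module
"""
SAMPLE_BUNDLED = """\
nginx version: nginx/1.15.1
built with OpenSSL 1.1.0h  27 Mar 2018
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-openssl=../openssl-1.1.0h
"""


def review_nginx_build(nginx_v, fips_enabled):
    """Return reasons this build may sit outside the OS's validated OpenSSL path."""
    findings = []
    # The kernel flag reads "1" only when the OS was booted in FIPS mode.
    if fips_enabled.strip() != "1":
        findings.append("os-fips-mode-off")
    match = re.search(r"^configure arguments:(.*)$", nginx_v, re.M)
    args = match.group(1) if match else ""
    # A LibreSSL or BoringSSL build will not report "built with OpenSSL".
    if re.search(r"^built with OpenSSL (\S+)", nginx_v, re.M) is None:
        findings.append("not-built-with-openssl")
    # --with-openssl=<dir> compiles an OpenSSL source tree into nginx itself,
    # so the OS-provided module is not the code doing the TLS crypto.
    if re.search(r"--with-openssl=\S+", args):
        findings.append("bundled-openssl-source")
    # nginx adds "(running with ...)" when the loaded library differs from
    # the one it was compiled against.
    if "(running with OpenSSL" in nginx_v:
        findings.append("runtime-library-differs-from-build")
    return findings


if __name__ == "__main__":
    # nginx writes its -V report to stderr.
    out = subprocess.run(["nginx", "-V"], capture_output=True, text=True).stderr
    with open("/proc/sys/crypto/fips_enabled") as fh:
        print(review_nginx_build(out, fh.read()) or "no obvious deviation found")
```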