Hello,
There are obviously a number of different things you can add in and it'd be quite difficult to say which options will have unforeseen consequences. I suspect *most* of these are fine, but the true answer is to test. IMHO, you should familiarize yourself with openresty unit tests to ensure passing builds. Further, 'hardening' is a pretty subjective term and I think people have different ideas about what flags are important to them. If you have specific concerns, I think you should speak about those rather than adopting flags directly from other packages. For example, as of the last time I checked, DWARF symbols are not stripped from the binary. These symbols are a pretty critical part of perf analysis and debugging, but some people may choose to strip them. That's ok to do, but it ties your hands if you ever need them.
Again, I think it's important to understand the task you're attempting. If there is a specific concern I really think you should work forwards towards addressing it as opposed to backing into a set of common flags. If security is a strong focus for you, my opinion is that there are two important attack vectors to cover.
1) System/user setup. Since nginx is not traditionally run as root, it's sort of up to the user to ensure the user/group permissions are not overly permissive. I can't speculate about your specific system so you should use your judgement.
2) If you're concerned about the integrity of the binary (despite this being an open source project where anyone can do their own code review before fuzzing), I highly recommend you explore static compilation. The short of it is all the hardening in the world won't help you if things like dynamically linked libraries are compromised. For example, in some systems (particularly older systems like fedora that support kmem... and some newer ones that don't support kmem but we won't get into it), it's possible to locate and subsequently patch (or hijack if you will) these functions. So trivial things like gethostbyname, etc., can be 'shimmed' to execute malicious code almost completely external to the binary (in this case nginx) you've just hardened.
Please do not specify -O2 yourself because it is added by the configure script and is user configurable. If a user does not specify this option, it will fall back to the default. The best place to understand which flags are supported, or have potentially conflicting defaults, is the 'configure' perl script. It lives here:
https://github.com/openresty/openresty/blob/master/util/configure
- Brandon
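The concerns raised in the reply above (an optimisation level that configure already owns, flags that strip the DWARF symbols, options that contradict each other, and whether the result is actually statically linked) can be checked before a build is even started. The following is an added example written for this thread, not Brandon's code and not part of the openresty project: a small linter for a proposed CFLAGS/LDFLAGS pair. It assumes only what the post states, that configure supplies -O2 itself (the `CONFIGURE_OWNED` set is that assumption); the other rules are generic GCC/binutils flag semantics and the sample flag strings are constructed.

```python
"""Lint a proposed CFLAGS/LDFLAGS pair for an nginx/OpenResty build.

Added example for this thread; not openresty code. Constructed inputs only.
"""
import re
import shlex

# Assumption taken from the post: configure adds the optimisation level itself,
# so a user-supplied copy is redundant and may collide with its default.
CONFIGURE_OWNED = {"-O2"}

_OPT = re.compile(r"^-O(\d|s|g|z|fast)?$")
_STACK = re.compile(r"^-f(no-)?stack-protector(-strong|-all|-explicit)?$")
_DEBUG = re.compile(r"^-g(gdb\d?|\d)?$")
_STRIP = {"-s", "-S", "--strip-all", "--strip-debug"}   # linker-level spellings


def _tokens(cflags: str, ldflags: str = ""):
    """Split both strings; expand '-Wl,a,b' into linker tokens; collect -z keywords."""
    c = shlex.split(cflags)
    ld = []
    for f in c + shlex.split(ldflags):          # -Wl,... may appear in CFLAGS too
        ld.extend(f[4:].split(",") if f.startswith("-Wl,") else [f])
    z = {ld[i + 1] for i, f in enumerate(ld[:-1]) if f == "-z"}
    return c, ld, z


def lint_flags(cflags: str, ldflags: str = "") -> list[str]:
    """Return human-readable findings; an empty list means nothing to object to."""
    c, ld, z = _tokens(cflags, ldflags)
    findings = []

    # Optimisation level: configure owns it, and two levels contradict each other.
    opts = [f for f in c if _OPT.match(f)]
    for f in sorted(set(opts) & CONFIGURE_OWNED):
        findings.append(f"{f}: set by configure, drop it and let the script choose")
    if len(set(opts)) > 1:
        findings.append("conflicting optimisation levels: " + " ".join(opts))
    if any(f.startswith("-D_FORTIFY_SOURCE") for f in c) and "-O0" in opts:
        findings.append("_FORTIFY_SOURCE has no effect at -O0")

    # Stack protector: multiple spellings, last one wins silently.
    stack = sorted({f for f in c if _STACK.match(f)})
    if len(stack) > 1:
        findings.append("multiple stack-protector options (last wins): " + " ".join(stack))

    # Stripping removes the DWARF data the post says perf/debugging depend on.
    if set(ld) & _STRIP:
        findings.append("symbols are stripped: DWARF needed for perf analysis and debugging is lost")

    # PIE objects only yield a PIE executable if the link step asks for one.
    if ("-fPIE" in c or "-fpie" in c) and not ({"-pie", "-static-pie"} & set(ld)):
        findings.append("-fPIE without -pie at link time: PIE depends on the toolchain default")

    # Full RELRO needs both -z relro and -z now; 'now' alone leaves the GOT writable.
    if "now" in z and "relro" not in z:
        findings.append("-z now without -z relro: no read-only relocation segment")

    # Static linking (as the post recommends) cannot be combined with plain -pie.
    if "-static" in ld and "-pie" in ld:
        findings.append("-static and -pie conflict: use -static-pie for a static PIE")
    return findings


def hardening_summary(cflags: str, ldflags: str = "") -> dict:
    """Which properties the flag set would actually deliver, as booleans."""
    c, ld, z = _tokens(cflags, ldflags)
    return {
        "pie": ("-fPIE" in c or "-fpie" in c) and bool({"-pie", "-static-pie"} & set(ld)),
        "full_relro": {"relro", "now"} <= z,
        "stack_protector": any(_STACK.match(f) and not f.startswith("-fno-") for f in c),
        "fortify": any(f.startswith("-D_FORTIFY_SOURCE") for f in c),
        "static": bool({"-static", "-static-pie"} & set(ld)),
        "debug_info_kept": any(_DEBUG.match(f) for f in c) and not (set(ld) & _STRIP),
    }


if __name__ == "__main__":
    # Constructed sample: flags copied from another distro's package.
    cf = "-O2 -g -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE"
    lf = "-pie -Wl,-z,relro -Wl,-z,now"
    for line in lint_flags(cf, lf):
        print("finding:", line)
    print(hardening_summary(cf, lf))
```

Run against a flag set pasted from another package, the only objection the linter raises for a sensible set is the one the post makes (the -O2 that configure already adds); a set mixing -O2 with -Os, two stack-protector spellings, -s and a bare -z now produces one finding per problem. The summary is the part to compare against what you actually wanted to harden, which is the point of the post: decide the concern first, then pick the flag.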