Ensure that web application is not run by root
This commit is contained in:
parent
cba3e70511
commit
8103558f8d
|
@ -1,6 +1,7 @@
|
|||
# docker files
|
||||
Dockerfile
|
||||
docker-compose.yml
|
||||
.env
|
||||
|
||||
# git files
|
||||
branches
|
||||
|
|
38
Dockerfile
38
Dockerfile
|
@ -1,18 +1,44 @@
|
|||
# build stage
|
||||
FROM node:lts-alpine as build-stage
|
||||
# BUILD STAGE
|
||||
FROM node:22.1.0-alpine3.19 as build-stage
|
||||
|
||||
WORKDIR /app
|
||||
|
||||
# add files that describe which dependencies are required
|
||||
COPY package*.json ./
|
||||
|
||||
# install dependencies required to build the web application
|
||||
RUN npm install
|
||||
|
||||
# add resources required to build the web application
|
||||
COPY . .
|
||||
|
||||
# build the web application
|
||||
RUN npm run build
|
||||
|
||||
# production stage
|
||||
FROM nginx:stable-alpine as production-stage
|
||||
COPY --from=build-stage /app/dist /usr/share/nginx/html
|
||||
|
||||
# PRODUCTION STAGE
|
||||
FROM nginx:1.26.0-alpine3.19 as production-stage
|
||||
|
||||
# use custom error code websites instead
|
||||
RUN rm -f /usr/share/nginx/html/50x.html
|
||||
|
||||
# update default.conf nginx file with necessary try_files statement
|
||||
RUN rm -f /etc/nginx/conf.d/default.conf
|
||||
COPY ./default.conf /etc/nginx/conf.d/default.conf
|
||||
COPY --chown=nginx:nginx ./default.conf /etc/nginx/conf.d/default.conf
|
||||
|
||||
# enable the nginx user to be able to launch the web application, so root is not required
|
||||
RUN touch /var/run/nginx.pid && \
|
||||
chown -R nginx:nginx /var/cache/nginx /var/run/nginx.pid
|
||||
USER nginx
|
||||
COPY --chown=nginx:nginx ./default.conf /etc/nginx/conf.d/default.conf
|
||||
|
||||
# add the previously built web application
|
||||
COPY --chown=www-data:www-data --from=build-stage /app/dist /usr/share/nginx/html
|
||||
|
||||
EXPOSE 80
|
||||
|
||||
# check every minute whether the website is still locally reachable; if not, the docker process displays "unhealthy"
|
||||
HEALTHCHECK --interval=1m CMD wget --no-verbose --tries=1 http://localhost:80 -q -O /dev/null || exit 1
|
||||
|
||||
# runs nginx in the foreground which means the docker container only runs as long as nginx is running (good practice)
|
||||
CMD ["nginx", "-g", "daemon off;"]
|
|
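Review bot: The `USER nginx` switch leaves the production stage exposing port 80, which an unprivileged nginx master cannot bind unless the copied `default.conf` (not shown) listens on a port above 1023; the `EXPOSE 80`, the healthcheck's `http://localhost:80` and the compose mapping `1443:80` all assume port 80, so the container would start and then fail with a bind permission error. Either have `default.conf` listen on e.g. 8080 and change the two lines to `EXPOSE 8080` and `HEALTHCHECK --interval=1m CMD wget --no-verbose --tries=1 http://localhost:8080 -q -O /dev/null || exit 1` (with the compose mapping updated to match), or build from the `nginxinc/nginx-unprivileged` variant, which is already set up for this. The `COPY --chown=www-data:www-data --from=build-stage` line is inconsistent with the `nginx:nginx` ownership used everywhere else and, if `www-data` is not defined in the nginx Alpine base, fails the build; static content and `default.conf` do not need to be owned by the serving user at all, so leaving them root-owned and world-readable is the tighter choice and also stops a compromised worker from rewriting its own config or content. In the build stage, `RUN npm ci` would install exactly what `package-lock.json` pins instead of `npm install` possibly resolving newer versions.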
@ -1,3 +1,5 @@
|
|||
# openvisor-website/docker-compose.yml
|
||||
# https://git.openvisor.ch/OpenVisor/OpenVisor-Website
|
||||
networks:
|
||||
openvisorwebsite-network:
|
||||
name: openvisorwebsite-network
|
||||
|
@ -9,7 +11,10 @@ services:
|
|||
openvisorwebsite-app:
|
||||
container_name: openvisorwebsite-app
|
||||
build: .
|
||||
# ensure that web application is not run by root
|
||||
user: nginx:nginx
|
||||
ports:
|
||||
- 1443:80
|
||||
networks:
|
||||
- openvisorwebsite-network
|
||||
- openvisorwebsite-network
|
||||
|