From 8103558f8db0061289c5b4e1125572b9c2705afd Mon Sep 17 00:00:00 2001
From: OpenVisor
Date: Fri, 3 May 2024 23:15:21 +0200
Subject: [PATCH] Ensure that web application is not run by root

---
 .dockerignore | 1 +
 Dockerfile | 38 ++++++++++++++++++++++++++++++++------
 docker-compose.yml | 7 ++++++-
 3 files changed, 39 insertions(+), 7 deletions(-)

diff --git a/.dockerignore b/.dockerignore
index 143d67b..85edebf 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,6 +1,7 @@
 # docker files
 Dockerfile
 docker-compose.yml
+.env
 
 # git files
 branches
diff --git a/Dockerfile b/Dockerfile
index 6a91fcd..ad12d6c 100644
--- a/Dockerfile
+++ b/Dockerfile
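Review bot: Adding `.env` to .dockerignore only excludes that exact filename from the build context, so the build stage's `COPY . .` would still pick up any sibling variants such as `.env.local` or `.env.production` that dotenv-style tooling commonly reads. If such files exist in this repository (they are not visible in the patch), the pattern should be `.env*`. Keeping secrets out of the context matters even for the discarded build stage, since the file would otherwise sit in an intermediate layer of the build cache.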
@@ -1,18 +1,44 @@
-# build stage
-FROM node:lts-alpine as build-stage
+# BUILD STAGE
+FROM node:22.1.0-alpine3.19 as build-stage
+
 WORKDIR /app
+
+# add files that describe which dependencies are required
 COPY package*.json ./
+
+# install dependencies required to build the web application
 RUN npm install
+
+# add resources required to build the web application
 COPY . .
+
+# build the web application
 RUN npm run build
 
-# production stage
-FROM nginx:stable-alpine as production-stage
-COPY --from=build-stage /app/dist /usr/share/nginx/html
+
+# PRODUCTION STAGE
+FROM nginx:1.26.0-alpine3.19 as production-stage
+
 # use custom error code websites instead
 RUN rm -f /usr/share/nginx/html/50x.html
+
 # update default.conf nginx file with necessary try_files statement
 RUN rm -f /etc/nginx/conf.d/default.conf
-COPY ./default.conf /etc/nginx/conf.d/default.conf
+COPY --chown=nginx:nginx ./default.conf /etc/nginx/conf.d/default.conf
+
+# enable the nginx user to be able to launch the web application, so root is not required
+RUN touch /var/run/nginx.pid && \
+    chown -R nginx:nginx /var/cache/nginx /var/run/nginx.pid
+USER nginx
+COPY --chown=nginx:nginx ./default.conf /etc/nginx/conf.d/default.conf
+
+# add the previously built web application
+COPY --chown=www-data:www-data --from=build-stage /app/dist /usr/share/nginx/html
+
 EXPOSE 80
+
+# check every minute whether the website is still locally reachable; if not, the docker process displays "unhealthy"
+HEALTHCHECK --interval=1m CMD wget --no-verbose --tries=1 http://localhost:80 -q -O /dev/null || exit 1
+
+# runs nginx in the foreground which means the docker container only runs as long as nginx is running (good practice)
 CMD ["nginx", "-g", "daemon off;"]
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index 18e6d43..4f00448 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
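Review bot: `COPY --chown=nginx:nginx ./default.conf /etc/nginx/conf.d/default.conf` appears twice on the new side, once directly after the `RUN rm -f` and again after `USER nginx`; the second copy is redundant and should be dropped. The built site is then copied with `--chown=www-data:www-data` while every other step uses `nginx:nginx` and the process runs as `nginx` — if the nginx:alpine image does not define a `www-data` user the build fails on that line, and in any case static content need not be owned by the serving user, so a plain root-owned `COPY --from=build-stage /app/dist /usr/share/nginx/html` (readable, not writable, by the worker) is the tighter choice, or `--chown=nginx:nginx` if consistency is preferred. The HEALTHCHECK probes `http://localhost:80`, so `default.conf` (not in this patch) must still bind port 80 as an unprivileged user; that works on Docker Engine 20.10+ but fails on runtimes that leave `ip_unprivileged_port_start` at 1024, so listening on 8080 and mapping it in compose is the portable option. Minor style: `--no-verbose` and `-q` on the wget probe overlap, and `as build-stage`/`as production-stage` would be `AS` per the build checks.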
@@ -1,3 +1,5 @@
+# openvisor-website/docker-compose.yml
+# https://git.openvisor.ch/OpenVisor/OpenVisor-Website
 networks:
   openvisorwebsite-network:
     name: openvisorwebsite-network
@@ -9,7 +11,10 @@ services:
   openvisorwebsite-app:
     container_name: openvisorwebsite-app
     build: .
+    # ensure that web application is not run by root
+    user: nginx:nginx
     ports:
       - 1443:80
     networks:
-      - openvisorwebsite-network
\ No newline at end of file
+      - openvisorwebsite-network
+ 
\ No newline at end of file
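Review bot: `user: nginx:nginx` in the second hunk duplicates the `USER nginx` the Dockerfile in this same patch already sets; it is harmless, but two places now have to stay in sync, and a name-based value is only as reliable as the image's `/etc/passwd`. If the compose-level override is kept, a numeric form (e.g. `user: "101:101"` — confirm the nginx uid/gid against the image) is what runtimes that enforce non-root numerically can actually verify. The final added line `+ ` is whitespace-only content at end of file and should be dropped. The first hunk only adds header comments.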