Ensure that web application is not run by root

This commit is contained in:
OpenVisor 2024-05-03 23:15:21 +02:00
parent cba3e70511
commit 8103558f8d
3 changed files with 39 additions and 7 deletions


@ -1,6 +1,7 @@
# docker files # docker files
Dockerfile Dockerfile
docker-compose.yml docker-compose.yml
.env
# git files # git files
branches branches


@ -1,18 +1,44 @@
# build stage # BUILD STAGE
FROM node:lts-alpine as build-stage FROM node:22.1.0-alpine3.19 as build-stage
WORKDIR /app WORKDIR /app
# add files that describe which dependencies are required
COPY package*.json ./ COPY package*.json ./
# install dependencies required to build the web application
RUN npm install RUN npm install
# add resources required to build the web application
COPY . . COPY . .
# build the web application
RUN npm run build RUN npm run build
# production stage
FROM nginx:stable-alpine as production-stage # PRODUCTION STAGE
COPY --from=build-stage /app/dist /usr/share/nginx/html FROM nginx:1.26.0-alpine3.19 as production-stage
# use custom error code websites instead # use custom error code websites instead
RUN rm -f /usr/share/nginx/html/50x.html RUN rm -f /usr/share/nginx/html/50x.html
# update default.conf nginx file with necessary try_files statement # update default.conf nginx file with necessary try_files statement
RUN rm -f /etc/nginx/conf.d/default.conf RUN rm -f /etc/nginx/conf.d/default.conf
COPY ./default.conf /etc/nginx/conf.d/default.conf COPY --chown=nginx:nginx ./default.conf /etc/nginx/conf.d/default.conf
# enable the nginx user to be able to launch the web application, so root is not required
RUN touch /var/run/nginx.pid && \
chown -R nginx:nginx /var/cache/nginx /var/run/nginx.pid
USER nginx
COPY --chown=nginx:nginx ./default.conf /etc/nginx/conf.d/default.conf
# add the previously built web application
COPY --chown=www-data:www-data --from=build-stage /app/dist /usr/share/nginx/html
EXPOSE 80 EXPOSE 80
# check every minute whether the website is still locally reachable; if not, the docker process displays "unhealthy"
HEALTHCHECK --interval=1m CMD wget --no-verbose --tries=1 http://localhost:80 -q -O /dev/null || exit 1
# runs nginx in the foreground which means the docker container only runs as long as nginx is running (good practice)
CMD ["nginx", "-g", "daemon off;"] CMD ["nginx", "-g", "daemon off;"]
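Review bot: After `USER nginx` (middle of the Dockerfile hunk) the server still exposes and, as far as the copied `./default.conf` is visible here, listens on port 80, and an unprivileged user can only bind a port below 1024 when the container runtime grants it (recent Docker Engine does by default; Kubernetes and several other runtimes do not), so the hardening can fail at startup outside plain Docker. Moving the `listen` directive in `./default.conf` to an unprivileged port such as 8080, with `EXPOSE 8080`, the HEALTHCHECK URL `http://localhost:80` and the compose mapping `1443:80` updated to match, makes the non-root setup portable. Two smaller issues in the same hunk: `COPY --chown=nginx:nginx ./default.conf /etc/nginx/conf.d/default.conf` appears twice (the second copy, after `USER nginx`, is redundant), and the built site is copied with `--chown=www-data:www-data` while the worker runs as `nginx`, which only works as long as those files stay world-readable; `--chown=nginx:nginx` would match the rest of the stage. The build stage still uses `npm install`, which can resolve versions beyond the lockfile despite the now-pinned base image; `npm ci` would honour `package-lock.json`.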


@ -1,3 +1,5 @@
# openvisor-website/docker-compose.yml
# https://git.openvisor.ch/OpenVisor/OpenVisor-Website
networks: networks:
openvisorwebsite-network: openvisorwebsite-network:
name: openvisorwebsite-network name: openvisorwebsite-network
@ -9,7 +11,10 @@ services:
openvisorwebsite-app: openvisorwebsite-app:
container_name: openvisorwebsite-app container_name: openvisorwebsite-app
build: . build: .
# ensure that web application is not run by root
user: nginx:nginx
ports: ports:
- 1443:80 - 1443:80
networks: networks:
- openvisorwebsite-network - openvisorwebsite-network
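Review bot: `user: nginx:nginx` under `openvisorwebsite-app` repeats the `USER nginx` that the same commit adds to the Dockerfile, so the container's identity is now defined in two places that must be kept in sync. If the compose line is intended as a guard against the image regressing to root, a numeric form (`user: "<uid>:<gid>"`, with the ids taken from the image's `/etc/passwd`) is preferable: a name is resolved against the image's passwd file at start, and orchestrators that enforce non-root can verify a numeric id but not a name. Otherwise the line can be dropped in favour of the Dockerfile `USER` alone.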