Ensure that web application is not run by root
This commit is contained in:
parent
cba3e70511
commit
8103558f8d
|
@ -1,6 +1,7 @@
|
||||||
# docker files
|
# docker files
|
||||||
Dockerfile
|
Dockerfile
|
||||||
docker-compose.yml
|
docker-compose.yml
|
||||||
|
.env
|
||||||
|
|
||||||
# git files
|
# git files
|
||||||
branches
|
branches
|
||||||
|
|
38
Dockerfile
38
Dockerfile
|
@ -1,18 +1,44 @@
|
||||||
# build stage
|
# BUILD STAGE
|
||||||
FROM node:lts-alpine as build-stage
|
FROM node:22.1.0-alpine3.19 as build-stage
|
||||||
|
|
||||||
WORKDIR /app
|
WORKDIR /app
|
||||||
|
|
||||||
|
# add files that describe which dependencies are required
|
||||||
COPY package*.json ./
|
COPY package*.json ./
|
||||||
|
|
||||||
|
# install dependencies required to build the web application
|
||||||
RUN npm install
|
RUN npm install
|
||||||
|
|
||||||
|
# add resources required to build the web application
|
||||||
COPY . .
|
COPY . .
|
||||||
|
|
||||||
|
# build the web application
|
||||||
RUN npm run build
|
RUN npm run build
|
||||||
|
|
||||||
# production stage
|
|
||||||
FROM nginx:stable-alpine as production-stage
|
# PRODUCTION STAGE
|
||||||
COPY --from=build-stage /app/dist /usr/share/nginx/html
|
FROM nginx:1.26.0-alpine3.19 as production-stage
|
||||||
|
|
||||||
# use custom error code websites instead
|
# use custom error code websites instead
|
||||||
RUN rm -f /usr/share/nginx/html/50x.html
|
RUN rm -f /usr/share/nginx/html/50x.html
|
||||||
|
|
||||||
# update default.conf nginx file with necessary try_files statement
|
# update default.conf nginx file with necessary try_files statement
|
||||||
RUN rm -f /etc/nginx/conf.d/default.conf
|
RUN rm -f /etc/nginx/conf.d/default.conf
|
||||||
COPY ./default.conf /etc/nginx/conf.d/default.conf
|
COPY --chown=nginx:nginx ./default.conf /etc/nginx/conf.d/default.conf
|
||||||
|
|
||||||
|
# enable the nginx user to be able to launch the web application, so root is not required
|
||||||
|
RUN touch /var/run/nginx.pid && \
|
||||||
|
chown -R nginx:nginx /var/cache/nginx /var/run/nginx.pid
|
||||||
|
USER nginx
|
||||||
|
COPY --chown=nginx:nginx ./default.conf /etc/nginx/conf.d/default.conf
|
||||||
|
|
||||||
|
# add the previously built web application
|
||||||
|
COPY --chown=www-data:www-data --from=build-stage /app/dist /usr/share/nginx/html
|
||||||
|
|
||||||
EXPOSE 80
|
EXPOSE 80
|
||||||
|
|
||||||
|
# check every minute whether the website is still locally reachable; if not, the docker process displays "unhealthy"
|
||||||
|
HEALTHCHECK --interval=1m CMD wget --no-verbose --tries=1 http://localhost:80 -q -O /dev/null || exit 1
|
||||||
|
|
||||||
|
# runs nginx in the foreground which means the docker container only runs as long as nginx is running (good practice)
|
||||||
CMD ["nginx", "-g", "daemon off;"]
|
CMD ["nginx", "-g", "daemon off;"]
|
|
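Review bot: The web root is handed to `www-data` on the `COPY --chown=www-data:www-data --from=build-stage /app/dist /usr/share/nginx/html` line, while everything else in the production stage is set up for `nginx` (`USER nginx`, `--chown=nginx:nginx` on default.conf, `chown -R nginx:nginx /var/cache/nginx`), and if `www-data` is not defined in the nginx:1.26.0-alpine3.19 image that COPY fails the build outright. Static assets only need to be readable by the serving user, so `COPY --chown=nginx:nginx --from=build-stage /app/dist /usr/share/nginx/html` is consistent, or — tighter — leave them root-owned and world-readable so the account serving the content cannot also modify it. The second `COPY --chown=nginx:nginx ./default.conf /etc/nginx/conf.d/default.conf` after `USER nginx` repeats the one placed before the `RUN touch … chown -R` step with identical source and destination and only adds a layer; drop one of them. Binding port 80 as a non-root user works on recent Docker Engine (containers get `net.ipv4.ip_unprivileged_port_start=0` by default) but not on every runtime, so a comment next to `EXPOSE 80` such as `# bound by the non-root nginx user; runtimes without ip_unprivileged_port_start=0 need CAP_NET_BIND_SERVICE or a port above 1024` saves the next operator a failed start. The HEALTHCHECK carries no `--timeout`, so a wedged nginx holds each probe for Docker's 30s default; `HEALTHCHECK --interval=1m --timeout=5s --retries=3 CMD wget --no-verbose --tries=1 http://localhost:80 -q -O /dev/null || exit 1` bounds it.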
@ -1,3 +1,5 @@
|
||||||
|
# openvisor-website/docker-compose.yml
|
||||||
|
# https://git.openvisor.ch/OpenVisor/OpenVisor-Website
|
||||||
networks:
|
networks:
|
||||||
openvisorwebsite-network:
|
openvisorwebsite-network:
|
||||||
name: openvisorwebsite-network
|
name: openvisorwebsite-network
|
||||||
|
@ -9,7 +11,10 @@ services:
|
||||||
openvisorwebsite-app:
|
openvisorwebsite-app:
|
||||||
container_name: openvisorwebsite-app
|
container_name: openvisorwebsite-app
|
||||||
build: .
|
build: .
|
||||||
|
# ensure that web application is not run by root
|
||||||
|
user: nginx:nginx
|
||||||
ports:
|
ports:
|
||||||
- 1443:80
|
- 1443:80
|
||||||
networks:
|
networks:
|
||||||
- openvisorwebsite-network
|
- openvisorwebsite-network
|
||||||
|
|