feature(DOCKERFILE): set up nginx to run as non-root

- add libcap - use setcap (via libcap) to allow nginx to bind to ports <1024 - set permissions on nginx directories - change nginx pid location to /etc/nginx
2021-01-07 10:06:17 -07:00 · 2021-01-07 10:06:17 -07:00 · 715ae9cd38
parent 53ea4c9dc1
commit 715ae9cd38
2 changed files with 15 additions and 12 deletions
--- a/build/Dockerfile
+++ b/build/Dockerfile
@ -1,6 +1,6 @@
 FROM nginx:mainline-alpine

-# default username and uid for nginx user
+# default uid for nginx user
 ARG UID=8001

 # create nginx user
@ -14,8 +14,10 @@ RUN addgroup --gid ${UID} www-docker \
        --uid ${UID} \
        www-docker

-# add nano, fun error pages & LetsEncrypt challenge directory outside webroot
-RUN cd /usr/share/nginx \
+# add libcap, allow nginx to bind to ports <1024, extract fun error pages & create LetsEncrypt challenge directory outside webroot
+RUN apk --no-cache add libcap \
+    && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
+    && cd /usr/share/nginx \
    && rm -rf html/* \
    && wget -O /tmp/errorpages.tar.gz https://git.asifbacchus.app/asif/fun-errorpages/archive/v1.0.tar.gz \
    && tar -xzf /tmp/errorpages.tar.gz -C /tmp \
@ -47,12 +49,14 @@ COPY webroot /usr/share/nginx/html/
 EXPOSE 80 443

 # clean-up permissions and run as www-docker user
-RUN chown -R www-docker:www-docker /usr/share/nginx/html \
-    && find /usr/share/nginx/html -type d -exec chmod 775 {} \; \
-    && find /usr/share/nginx/html -type f -exec chmod 664 {} \; \
+RUN chown -R www-docker:www-docker /usr/share/nginx \
+    && find /usr/share/nginx -type d -exec chmod 755 {} \; \
+    && find /usr/share/nginx -type f -exec chmod 644 {} \; \
    && chown -R www-docker:www-docker /etc/nginx \
-    && find /etc/nginx -type d -exec chmod 770 {} \; \
-    && find /etc/nginx -type f -exec chmod 660 {} \;
+    && find /etc/nginx -type d -exec chmod 750 {} \; \
+    && find /etc/nginx -type f -exec chmod 640 {} \;
+    && chown www-docker:www-docker /var/cache/nginx \
+    && chown www-docker:www-docker /var/log/nginx
 USER www-docker

 # default environment variables
--- a/build/config/nginx.conf
+++ b/build/config/nginx.conf
@ -2,9 +2,8 @@
 ### NGINX main configuration
 #

-user www-docker;
 worker_processes 1;
-pid /var/run/nginx.pid;
+pid /etc/nginx/nginx.pid;

 error_log /var/log/nginx/error.log warn;

@ -12,13 +11,13 @@ error_log /var/log/nginx/error.log warn;
 include /etc/nginx/modules/*.conf;

 events {
-    worker_connections 512;
+    worker_connections 1024;
    multi_accept off;
    use epoll;
 }

 http {
-    server_names_hash_bucket_size 512;
+    server_names_hash_bucket_size 128;
    default_type application/octet-stream;
    charset utf-8;
    include /etc/nginx/mime.types;