From 715ae9cd380138b821a74603e52407ada2f0c0f2 Mon Sep 17 00:00:00 2001
From: Asif Bacchus
Date: Thu, 7 Jan 2021 10:06:17 -0700
Subject: [PATCH] feature(DOCKERFILE): set up nginx to run as non-root
- add libcap
- use setcap (via libcap) to allow nginx to bind to ports <1024
- set permissions on nginx directories
- change nginx pid location to /etc/nginx
---
 build/Dockerfile | 20 ++++++++++++--------
 build/config/nginx.conf | 7 +++----
 2 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/build/Dockerfile b/build/Dockerfile
index 014d857..f469aca 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -1,6 +1,6 @@
 FROM nginx:mainline-alpine
-# default username and uid for nginx user
+# default uid for nginx user
 ARG UID=8001
 # create nginx user
@@ -14,8 +14,10 @@ RUN addgroup --gid ${UID} www-docker \
 --uid ${UID} \
 www-docker
-# add nano, fun error pages & LetsEncrypt challenge directory outside webroot
-RUN cd /usr/share/nginx \
+# add libcap, allow nginx to bind to ports <1024, extract fun error pages & create LetsEncrypt challenge directory outside webroot
+RUN apk --no-cache add libcap \
+ && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
+ && cd /usr/share/nginx \
 && rm -rf html/* \
 && wget -O /tmp/errorpages.tar.gz https://git.asifbacchus.app/asif/fun-errorpages/archive/v1.0.tar.gz \
 && tar -xzf /tmp/errorpages.tar.gz -C /tmp \
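Review bot: The file capability granted by `+ && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx` only takes effect if the runtime keeps CAP_NET_BIND_SERVICE in the container's bounding set; a deployment that runs with `--cap-drop ALL` (or an equivalent securityContext) will see the binds to 80/443 fail once the master runs as www-docker, so this constraint belongs in a comment next to the line, e.g. `# requires CAP_NET_BIND_SERVICE in the container bounding set; do not cap-drop it`. The libcap package is only needed for the setcap tool at build time — the capability is an xattr on the nginx binary and survives removal of the package — so `apk del libcap` at the end of this RUN would keep the runtime image smaller, provided nothing else in the base image depends on it. Listening on unprivileged ports (e.g. 8080/8443) and mapping them at publish time would avoid the capability entirely. The added `apk add` is also unpinned (hadolint DL3018).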
@@ -47,12 +49,14 @@ COPY webroot /usr/share/nginx/html/
 EXPOSE 80 443
 # clean-up permissions and run as www-docker user
-RUN chown -R www-docker:www-docker /usr/share/nginx/html \
- && find /usr/share/nginx/html -type d -exec chmod 775 {} \; \
- && find /usr/share/nginx/html -type f -exec chmod 664 {} \; \
+RUN chown -R www-docker:www-docker /usr/share/nginx \
+ && find /usr/share/nginx -type d -exec chmod 755 {} \; \
+ && find /usr/share/nginx -type f -exec chmod 644 {} \; \
 && chown -R www-docker:www-docker /etc/nginx \
- && find /etc/nginx -type d -exec chmod 770 {} \; \
- && find /etc/nginx -type f -exec chmod 660 {} \;
+ && find /etc/nginx -type d -exec chmod 750 {} \; \
+ && find /etc/nginx -type f -exec chmod 640 {} \;
+ && chown www-docker:www-docker /var/cache/nginx \
+ && chown www-docker:www-docker /var/log/nginx
 USER www-docker
 # default environment variables
diff --git a/build/config/nginx.conf b/build/config/nginx.conf
index 498f741..871a8ea 100644
--- a/build/config/nginx.conf
+++ b/build/config/nginx.conf
@@ -2,9 +2,8 @@
 ### NGINX main configuration
 #
-user www-docker;
 worker_processes 1;
-pid /var/run/nginx.pid;
+pid /etc/nginx/nginx.pid;
 error_log /var/log/nginx/error.log warn;
@@ -12,13 +11,13 @@ error_log /var/log/nginx/error.log warn;
 include /etc/nginx/modules/*.conf;
 events {
- worker_connections 512;
+ worker_connections 1024;
 multi_accept off;
 use epoll;
 }
 http {
- server_names_hash_bucket_size 512;
+ server_names_hash_bucket_size 128;
 default_type application/octet-stream;
 charset utf-8;
 include /etc/nginx/mime.types;
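Review bot: As printed, the new line `+ && find /etc/nginx -type f -exec chmod 640 {} \;` has no trailing `\`, so the following `&& chown www-docker:www-docker /var/cache/nginx \` begins a new Dockerfile line and the build should fail with an unknown-instruction parse error; the line needs to end `640 {} \; \` like the one above it. Separately, `chown -R www-docker:www-docker /etc/nginx` with 750/640 makes the whole configuration tree writable by the same account the worker processes run as, so a compromised worker could rewrite nginx.conf or any included vhost file; the only reason for this appears to be the pid file, which the companion nginx.conf hunk moves to /etc/nginx/nginx.pid. Keeping /etc/nginx root-owned and world-readable (755/644) and pointing `pid` at a dedicated writable location such as `/var/run/nginx/nginx.pid` or `/tmp/nginx.pid` (that directory created and chowned here instead) preserves a read-only config. The same reasoning applies to `/usr/share/nginx` — the webroot does not need to be owned by the serving user to be readable by it.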
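Review bot: `worker_connections 1024` and `server_names_hash_bucket_size 128` are tuning changes that neither the subject nor the bullet list of the commit message mentions, so they ride along unexplained in a commit about dropping root privileges. Either call them out in the message or split them into their own commit, and add a short comment on the bucket-size line recording why 128 is enough for the server names this image hosts, since a name longer than the bucket makes nginx refuse to start and ask for a larger server_names_hash_bucket_size. The worker_connections increase is only effective if the non-root process's open-file limit allows it (nginx warns when worker_connections exceeds RLIMIT_NOFILE), so a comment such as `# must stay below the container's ulimit -n` would help operators.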