feature(DOCKERFILE): set up nginx to run as non-root

- add libcap
- use setcap (via libcap) to allow nginx to bind to ports <1024
- set permissions on nginx directories
- change nginx pid location to /etc/nginx
This commit is contained in:
Asif Bacchus 2021-01-07 10:06:17 -07:00
parent 53ea4c9dc1
commit 715ae9cd38
2 changed files with 15 additions and 12 deletions


@ -1,6 +1,6 @@
FROM nginx:mainline-alpine FROM nginx:mainline-alpine
# default username and uid for nginx user # default uid for nginx user
ARG UID=8001 ARG UID=8001
# create nginx user # create nginx user
@ -14,8 +14,10 @@ RUN addgroup --gid ${UID} www-docker \
--uid ${UID} \ --uid ${UID} \
www-docker www-docker
# add nano, fun error pages & LetsEncrypt challenge directory outside webroot # add libcap, allow nginx to bind to ports <1024, extract fun error pages & create LetsEncrypt challenge directory outside webroot
RUN cd /usr/share/nginx \ RUN apk --no-cache add libcap \
&& setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
&& cd /usr/share/nginx \
&& rm -rf html/* \ && rm -rf html/* \
&& wget -O /tmp/errorpages.tar.gz https://git.asifbacchus.app/asif/fun-errorpages/archive/v1.0.tar.gz \ && wget -O /tmp/errorpages.tar.gz https://git.asifbacchus.app/asif/fun-errorpages/archive/v1.0.tar.gz \
&& tar -xzf /tmp/errorpages.tar.gz -C /tmp \ && tar -xzf /tmp/errorpages.tar.gz -C /tmp \
@ -47,12 +49,14 @@ COPY webroot /usr/share/nginx/html/
EXPOSE 80 443 EXPOSE 80 443
# clean-up permissions and run as www-docker user # clean-up permissions and run as www-docker user
RUN chown -R www-docker:www-docker /usr/share/nginx/html \ RUN chown -R www-docker:www-docker /usr/share/nginx \
&& find /usr/share/nginx/html -type d -exec chmod 775 {} \; \ && find /usr/share/nginx -type d -exec chmod 755 {} \; \
&& find /usr/share/nginx/html -type f -exec chmod 664 {} \; \ && find /usr/share/nginx -type f -exec chmod 644 {} \; \
&& chown -R www-docker:www-docker /etc/nginx \ && chown -R www-docker:www-docker /etc/nginx \
&& find /etc/nginx -type d -exec chmod 770 {} \; \ && find /etc/nginx -type d -exec chmod 750 {} \; \
&& find /etc/nginx -type f -exec chmod 660 {} \; && find /etc/nginx -type f -exec chmod 640 {} \;
&& chown www-docker:www-docker /var/cache/nginx \
&& chown www-docker:www-docker /var/log/nginx
USER www-docker USER www-docker
# default environment variables # default environment variables
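Review bot: Handing the whole of /etc/nginx to the runtime user (the `chown -R www-docker:www-docker /etc/nginx` plus 750/640 lines in the third hunk) lets the unprivileged nginx process rewrite its own configuration, which is the opposite of what the non-root change is meant to constrain; it is only needed because the pid file is relocated into /etc/nginx in the nginx.conf hunk. A narrower layout keeps the config owned by root and merely group-readable, `chown -R root:www-docker /etc/nginx` with the same 750/640 modes, and gives the pid its own writable directory, e.g. `mkdir -p /var/run/nginx && chown www-docker:www-docker /var/run/nginx` in this RUN together with `pid /var/run/nginx/nginx.pid;` in nginx.conf. The new `chown www-docker:www-docker /var/cache/nginx` and `/var/log/nginx` lines are not recursive, so if the base image already ships temp subdirectories under /var/cache/nginx owned by the nginx user the workers will not be able to write there; `chown -R` would be the safer form. The file capability granted by `setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx` in the second hunk only takes effect when NET_BIND_SERVICE remains in the container's bounding set, so a deployment that drops all capabilities is expected to be refused exec of the binary rather than merely failing to bind; that constraint deserves a comment next to the setcap line.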


@ -2,9 +2,8 @@
### NGINX main configuration ### NGINX main configuration
# #
user www-docker;
worker_processes 1; worker_processes 1;
pid /var/run/nginx.pid; pid /etc/nginx/nginx.pid;
error_log /var/log/nginx/error.log warn; error_log /var/log/nginx/error.log warn;
@ -12,13 +11,13 @@ error_log /var/log/nginx/error.log warn;
include /etc/nginx/modules/*.conf; include /etc/nginx/modules/*.conf;
events { events {
worker_connections 512; worker_connections 1024;
multi_accept off; multi_accept off;
use epoll; use epoll;
} }
http { http {
server_names_hash_bucket_size 512; server_names_hash_bucket_size 128;
default_type application/octet-stream; default_type application/octet-stream;
charset utf-8; charset utf-8;
include /etc/nginx/mime.types; include /etc/nginx/mime.types;