Run as non-root user

Signed-off-by: Tamal Saha <tamal@appscode.com>
appscode · Jan 25, 2025 · 8be5890 · 8be5890
1 parent 44a62c9
commit 8be5890
Show file tree

Hide file tree

Showing 2 changed files with 68 additions and 2 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -3,6 +3,10 @@ FROM nginx:stable-alpine
 ARG TARGETOS
 ARG TARGETARCH
 
+# https://stackoverflow.com/a/47656569
+# https://itnext.io/nginx-docker-and-environment-variables-9753dfb5d41
+COPY default.conf /etc/nginx/conf.d/default.conf
+
 RUN set -x \
 	&& apk add --update ca-certificates curl
 
@@ -12,5 +16,24 @@ WORKDIR /usr/share/nginx/html
 # Copy HTML from previous build into the Workdir.
 COPY public .
 
-# Expose port 80
-EXPOSE 80/tcp
+# https://www.rockyourcode.com/run-docker-nginx-as-non-root-user/
+# https://docs.openshift.com/container-platform/4.17/openshift_images/create-images.html#use-uid_create-images
+## add permissions
+RUN chown -R nginx:root /usr/share/nginx/html \
+  && chmod -R 775 /usr/share/nginx/html \
+  && chown -R nginx:root /var/cache/nginx \
+  && chmod -R g=u /var/cache/nginx \
+  && chown -R nginx:root /var/log/nginx \
+  && chmod -R g=u /var/log/nginx \
+  && chown -R nginx:root /etc/nginx/conf.d \
+  && chmod -R g=u /etc/nginx/conf.d
+
+RUN touch /var/run/nginx.pid \
+  && chown -R nginx:root /var/run/nginx.pid \
+  && chmod -R g=u /var/run/nginx.pid
+
+## switch to non-root user nginx
+USER 101
+
+EXPOSE 8080
+CMD ["nginx", "-g", "daemon off;"]
diff --git a/default.conf b/default.conf
@@ -0,0 +1,43 @@
+server {
+    listen       8080;
+    server_name  localhost;
+
+    #access_log  /var/log/nginx/host.access.log  main;
+
+    location / {
+        root   /usr/share/nginx/html;
+        index  index.html index.htm;
+    }
+
+    #error_page  404              /404.html;
+
+    # redirect server error pages to the static page /50x.html
+    #
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+    }
+
+    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
+    #
+    #location ~ \.php$ {
+    #    proxy_pass   http://127.0.0.1;
+    #}
+
+    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+    #
+    #location ~ \.php$ {
+    #    root           html;
+    #    fastcgi_pass   127.0.0.1:9000;
+    #    fastcgi_index  index.php;
+    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
+    #    include        fastcgi_params;
+    #}
+
+    # deny access to .htaccess files, if Apache's document root
+    # concurs with nginx's one
+    #
+    #location ~ /\.ht {
+    #    deny  all;
+    #}
+}