Change nginx container to unprivileged (#525)

2021-05-05 10:05:09 +03:00 · 2021-05-05 10:05:09 +03:00 · c3ecd245be
commit c3ecd245be
parent 5b52f713bd
4 changed files with 31 additions and 8 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -55,11 +55,13 @@ services:
  web:
    build: web
    ports:
-      - "80:80"
-      - "443:443"
+      - "80:8080"
+      - "443:8443"
    read_only: true
    restart: unless-stopped
    volumes:
      # This directory must have cert files if you want to enable SSL
      - ./volumes/web/cert:/cert:ro
      - /etc/localtime:/etc/localtime:ro
+    cap_drop:
+      - ALL
--- a/web/Dockerfile
+++ b/web/Dockerfile
@ -1,17 +1,38 @@
-FROM nginx:mainline-alpine
+FROM nginxinc/nginx-unprivileged:mainline-alpine
+
+USER root

 # Remove default configuration and add our custom Nginx configuration files
 RUN rm /etc/nginx/conf.d/default.conf \
    && apk add --no-cache curl

 COPY ["./mattermost", "./mattermost-ssl", "/etc/nginx/sites-available/"]
-COPY ./security.conf /etc/nginx/conf.d/

 # Add and setup entrypoint
 COPY entrypoint.sh /

+RUN chown -R nginx:nginx /etc/nginx/sites-available && \
+         chown -R nginx:nginx /var/cache/nginx && \
+         chown -R nginx:nginx /var/log/nginx && \
+         chown -R nginx:nginx /etc/nginx/conf.d && \
+         chown nginx:nginx entrypoint.sh
+RUN touch /var/run/nginx.pid && \
+         chown -R nginx:nginx /var/run/nginx.pid
+
+COPY ./security.conf /etc/nginx/conf.d/
+
+RUN chown -R nginx:nginx /etc/nginx/conf.d/security.conf
+
+RUN chmod u+x /entrypoint.sh
+
+RUN sed -i "/^http {/a \    proxy_buffering off;\n" /etc/nginx/nginx.conf
+RUN sed -i '/temp_path/d' /etc/nginx/nginx.conf \
+    && sed -i 's!/tmp/nginx.pid!/var/run/nginx.pid!g' /etc/nginx/nginx.conf
+
+USER nginx
+
 #Healthcheck to make sure container is ready
-HEALTHCHECK CMD curl --fail http://localhost:80 || exit 1
+HEALTHCHECK CMD curl --fail http://localhost:8080 || exit 1

 ENTRYPOINT ["/entrypoint.sh"]

--- a/web/mattermost
+++ b/web/mattermost
@ -4,7 +4,7 @@ map $http_x_forwarded_proto $proxy_x_forwarded_proto {
 }

 server {
-    listen 80;
+    listen 8080;

    location ~ /api/v[0-9]+/(users/)?websocket$ {
        proxy_set_header Upgrade $http_upgrade;
--- a/web/mattermost-ssl
+++ b/web/mattermost-ssl
@ -1,5 +1,5 @@
 server {
-    listen 80 default_server;
+    listen 8080 default_server;
    server_name _;
    return 301 https://$host$request_uri;
 }
@ -10,7 +10,7 @@ map $http_x_forwarded_proto $proxy_x_forwarded_proto {
 }

 server {
-    listen 443 ssl http2;
+    listen 8443 ssl http2;

    ssl_certificate /cert/cert.pem;
    ssl_certificate_key /cert/key-no-password.pem;