diff --git a/docker-compose.yml b/docker-compose.yml index d119245..6399a63 100755 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -55,11 +55,13 @@ services: web: build: web ports: - - "80:80" - - "443:443" + - "80:8080" + - "443:8443" read_only: true restart: unless-stopped volumes: # This directory must have cert files if you want to enable SSL - ./volumes/web/cert:/cert:ro - /etc/localtime:/etc/localtime:ro + cap_drop: + - ALL diff --git a/web/Dockerfile b/web/Dockerfile index a138e0c..979a961 100644 --- a/web/Dockerfile +++ b/web/Dockerfile @@ -1,17 +1,38 @@ -FROM nginx:mainline-alpine +FROM nginxinc/nginx-unprivileged:mainline-alpine + +USER root # Remove default configuration and add our custom Nginx configuration files RUN rm /etc/nginx/conf.d/default.conf \ && apk add --no-cache curl COPY ["./mattermost", "./mattermost-ssl", "/etc/nginx/sites-available/"] -COPY ./security.conf /etc/nginx/conf.d/ # Add and setup entrypoint COPY entrypoint.sh / +RUN chown -R nginx:nginx /etc/nginx/sites-available && \ + chown -R nginx:nginx /var/cache/nginx && \ + chown -R nginx:nginx /var/log/nginx && \ + chown -R nginx:nginx /etc/nginx/conf.d && \ + chown nginx:nginx entrypoint.sh +RUN touch /var/run/nginx.pid && \ + chown -R nginx:nginx /var/run/nginx.pid + +COPY ./security.conf /etc/nginx/conf.d/ + +RUN chown -R nginx:nginx /etc/nginx/conf.d/security.conf + +RUN chmod u+x /entrypoint.sh + +RUN sed -i "/^http {/a \ proxy_buffering off;\n" /etc/nginx/nginx.conf +RUN sed -i '/temp_path/d' /etc/nginx/nginx.conf \ + && sed -i 's!/tmp/nginx.pid!/var/run/nginx.pid!g' /etc/nginx/nginx.conf + +USER nginx + #Healthcheck to make sure container is ready -HEALTHCHECK CMD curl --fail http://localhost:80 || exit 1 +HEALTHCHECK CMD curl --fail http://localhost:8080 || exit 1 ENTRYPOINT ["/entrypoint.sh"] diff --git a/web/mattermost b/web/mattermost index ac301ae..257e703 100644 --- a/web/mattermost +++ b/web/mattermost @@ -4,7 +4,7 @@ map $http_x_forwarded_proto $proxy_x_forwarded_proto { } server { - listen 80; + listen 8080; location ~ /api/v[0-9]+/(users/)?websocket$ { proxy_set_header Upgrade $http_upgrade; diff --git a/web/mattermost-ssl b/web/mattermost-ssl index 5ded639..29ae0e5 100755 --- a/web/mattermost-ssl +++ b/web/mattermost-ssl @@ -1,5 +1,5 @@ server { - listen 80 default_server; + listen 8080 default_server; server_name _; return 301 https://$host$request_uri; } @@ -10,7 +10,7 @@ map $http_x_forwarded_proto $proxy_x_forwarded_proto { } server { - listen 443 ssl http2; + listen 8443 ssl http2; ssl_certificate /cert/cert.pem; ssl_certificate_key /cert/key-no-password.pem;