From c3ecd245bec2fab3e265b9178455111a249ce5a1 Mon Sep 17 00:00:00 2001
From: voima-eetu <66011005+voima-eetu@users.noreply.github.com>
Date: Wed, 5 May 2021 10:05:09 +0300
Subject: [PATCH] Change nginx container to unprivileged (#525)
---
docker-compose.yml | 6 ++++--
web/Dockerfile | 27 ++++++++++++++++++++++++---
web/mattermost | 2 +-
web/mattermost-ssl | 4 ++--
4 files changed, 31 insertions(+), 8 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index d119245..6399a63 100755
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -55,11 +55,13 @@ services: web: build: web ports:
- - "80:80"
- - "443:443"
+ - "80:8080"
+ - "443:8443" read_only: true restart: unless-stopped volumes: # This directory must have cert files if you want to enable SSL - ./volumes/web/cert:/cert:ro - /etc/localtime:/etc/localtime:ro
+ cap_drop:
+ - ALL
diff --git a/web/Dockerfile b/web/Dockerfile
index a138e0c..979a961 100644
--- a/web/Dockerfile
+++ b/web/Dockerfile
@@ -1,17 +1,38 @@
-FROM nginx:mainline-alpine
+FROM nginxinc/nginx-unprivileged:mainline-alpine
+
+USER root # Remove default configuration and add our custom Nginx configuration files RUN rm /etc/nginx/conf.d/default.conf \ && apk add --no-cache curl COPY ["./mattermost", "./mattermost-ssl", "/etc/nginx/sites-available/"]
-COPY ./security.conf /etc/nginx/conf.d/ # Add and setup entrypoint COPY entrypoint.sh /
+RUN chown -R nginx:nginx /etc/nginx/sites-available && \
+ chown -R nginx:nginx /var/cache/nginx && \
+ chown -R nginx:nginx /var/log/nginx && \
+ chown -R nginx:nginx /etc/nginx/conf.d && \
+ chown nginx:nginx entrypoint.sh
+RUN touch /var/run/nginx.pid && \
+ chown -R nginx:nginx /var/run/nginx.pid
+
+COPY ./security.conf /etc/nginx/conf.d/
+
+RUN chown -R nginx:nginx /etc/nginx/conf.d/security.conf
+
+RUN chmod u+x /entrypoint.sh
+
+RUN sed -i "/^http {/a \ proxy_buffering off;\n" /etc/nginx/nginx.conf
+RUN sed -i '/temp_path/d' /etc/nginx/nginx.conf \
+ && sed -i 's!/tmp/nginx.pid!/var/run/nginx.pid!g' /etc/nginx/nginx.conf
+
+USER nginx
+
#Healthcheck to make sure container is ready
-HEALTHCHECK CMD curl --fail http://localhost:80 || exit 1
+HEALTHCHECK CMD curl --fail http://localhost:8080 || exit 1 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/web/mattermost b/web/mattermost
index ac301ae..257e703 100644
--- a/web/mattermost
+++ b/web/mattermost
@@ -4,7 +4,7 @@ map $http_x_forwarded_proto $proxy_x_forwarded_proto { } server {
- listen 80;
+ listen 8080; location ~ /api/v[0-9]+/(users/)?websocket$ { proxy_set_header Upgrade $http_upgrade;
diff --git a/web/mattermost-ssl b/web/mattermost-ssl
index 5ded639..29ae0e5 100755
--- a/web/mattermost-ssl
+++ b/web/mattermost-ssl
@@ -1,5 +1,5 @@ server {
- listen 80 default_server;
+ listen 8080 default_server; server_name _; return 301 https://$host$request_uri; }
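Review bot: The new `RUN chown -R nginx:nginx …` steps hand the runtime user ownership of its own configuration (/etc/nginx/sites-available, /etc/nginx/conf.d, security.conf) and of /entrypoint.sh, so a compromised worker could rewrite the config or the entrypoint unless the root filesystem happens to be mounted read-only; nginx only needs read access to those files, so leave them root-owned and world-readable (COPY keeps the context file's mode bits) and restrict ownership changes to the paths nginx actually writes, e.g. `RUN chown -R nginx:nginx /var/cache/nginx /var/log/nginx` and `RUN chmod 0755 /entrypoint.sh`. `chown nginx:nginx entrypoint.sh` uses a relative path although the file was copied to `/` and is later addressed as /entrypoint.sh, so it only works when the working directory is `/`; use the absolute path. The `-R` on the single file /var/run/nginx.pid is a no-op, and the run of separate RUN chown/chmod steps after each COPY duplicates the files in extra layers where `COPY --chown=nginx:nginx` (or `--chmod`) or one merged RUN would do. Deleting the `temp_path` directives and moving the pid file from /tmp to /var/run/nginx.pid means nginx writes to /var/cache/nginx and /var/run at runtime; with the compose service's `read_only: true` those paths need a writable (tmpfs) mount, which the docker-compose.yml hunk does not add, so it is worth confirming one exists elsewhere in the service definition.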
@@ -10,7 +10,7 @@ map $http_x_forwarded_proto $proxy_x_forwarded_proto { } server {
- listen 443 ssl http2;
+ listen 8443 ssl http2; ssl_certificate /cert/cert.pem; ssl_certificate_key /cert/key-no-password.pem;