Gnous/mattermost
Archived
2
0
Fork 0
Code Issues Pull Requests Projects Releases Activity

Change nginx container to unprivileged (#525)

Browse Source
This commit is contained in:
voima-eetu 2021-05-05 10:05:09 +03:00 committed by GitHub
parent 5b52f713bd
commit c3ecd245be
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 31 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
docker-compose.yml
View File

@ -55,11 +55,13 @@ services:
web: web:
build: web build: web
ports: ports:
- "80:80" - "80:8080"
- "443:443" - "443:8443"
read_only: true read_only: true
restart: unless-stopped restart: unless-stopped
volumes: volumes:
# This directory must have cert files if you want to enable SSL # This directory must have cert files if you want to enable SSL
- ./volumes/web/cert:/cert:ro - ./volumes/web/cert:/cert:ro
- /etc/localtime:/etc/localtime:ro - /etc/localtime:/etc/localtime:ro
cap_drop:
- ALL

27
web/Dockerfile
View File

@ -1,17 +1,38 @@
FROM nginx:mainline-alpine FROM nginxinc/nginx-unprivileged:mainline-alpine
USER root
# Remove default configuration and add our custom Nginx configuration files # Remove default configuration and add our custom Nginx configuration files
RUN rm /etc/nginx/conf.d/default.conf \ RUN rm /etc/nginx/conf.d/default.conf \
&& apk add --no-cache curl && apk add --no-cache curl
COPY ["./mattermost", "./mattermost-ssl", "/etc/nginx/sites-available/"] COPY ["./mattermost", "./mattermost-ssl", "/etc/nginx/sites-available/"]
COPY ./security.conf /etc/nginx/conf.d/
# Add and setup entrypoint # Add and setup entrypoint
COPY entrypoint.sh / COPY entrypoint.sh /
RUN chown -R nginx:nginx /etc/nginx/sites-available && \
chown -R nginx:nginx /var/cache/nginx && \
chown -R nginx:nginx /var/log/nginx && \
chown -R nginx:nginx /etc/nginx/conf.d && \
chown nginx:nginx entrypoint.sh
RUN touch /var/run/nginx.pid && \
chown -R nginx:nginx /var/run/nginx.pid
COPY ./security.conf /etc/nginx/conf.d/
RUN chown -R nginx:nginx /etc/nginx/conf.d/security.conf
RUN chmod u+x /entrypoint.sh
RUN sed -i "/^http {/a \ proxy_buffering off;\n" /etc/nginx/nginx.conf
RUN sed -i '/temp_path/d' /etc/nginx/nginx.conf \
&& sed -i 's!/tmp/nginx.pid!/var/run/nginx.pid!g' /etc/nginx/nginx.conf
USER nginx
#Healthcheck to make sure container is ready #Healthcheck to make sure container is ready
HEALTHCHECK CMD curl --fail http://localhost:80 || exit 1 HEALTHCHECK CMD curl --fail http://localhost:8080 || exit 1
ENTRYPOINT ["/entrypoint.sh"] ENTRYPOINT ["/entrypoint.sh"]

2
web/mattermost
View File

@ -4,7 +4,7 @@ map $http_x_forwarded_proto $proxy_x_forwarded_proto {
} }
server { server {
listen 80; listen 8080;
location ~ /api/v[0-9]+/(users/)?websocket$ { location ~ /api/v[0-9]+/(users/)?websocket$ {
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;

4
web/mattermost-ssl
View File

@ -1,5 +1,5 @@
server { server {
listen 80 default_server; listen 8080 default_server;
server_name _; server_name _;
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
} }
@ -10,7 +10,7 @@ map $http_x_forwarded_proto $proxy_x_forwarded_proto {
} }
server { server {
listen 443 ssl http2; listen 8443 ssl http2;
ssl_certificate /cert/cert.pem; ssl_certificate /cert/cert.pem;
ssl_certificate_key /cert/key-no-password.pem; ssl_certificate_key /cert/key-no-password.pem;