Run nginx completely unprivileged in container
This switches the production Docker image to use the nginx-unprivileged
image as its base.  The original image would start nginx as root, while
nginx itself would drop privileges to the nginx user.

This updated workflow will ensure nothing is started as root at all when
the container starts.
lunkwill42 committed Oct 23, 2024
1 parent f90dd59 commit 8a6bd17
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion docker/Dockerfile
Expand Up @@ -14,15 +14,21 @@ RUN npm run build
# production environment consisting only of nginx and the statically compiled
# Argus Frontend application files produced by the build stage
# FROM: https://mherman.org/blog/dockerizing-a-react-app/
FROM nginx:stable-alpine
FROM ghcr.io/nginxinc/nginx-unprivileged:stable-alpine

COPY --from=build /app/build /usr/share/nginx/html

USER root
RUN apk add --update tini tree
COPY docker/nginx.conf /etc/nginx/conf.d/default.conf
COPY docker/docker-entrypoint.sh /
COPY docker/runtime-config-template.json /

# Ensure the unprivileged nginx user can write Argus JS config
RUN chown nginx /usr/share/nginx/html

USER nginx

ENV REACT_APP_BACKEND_URL=http://fake
ENV REACT_APP_ENABLE_WEBSOCKETS_SUPPORT=true
ENV REACT_APP_BACKEND_WS_URL=ws://fake
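
Review bot: `RUN chown nginx /usr/share/nginx/html` hands the runtime user ownership of the whole document root directory, which is more than the comment above it asks for. With write permission on that directory, the nginx user can create, rename and unlink entries in it, so the static files placed there by `COPY --from=build` can be replaced at run time even though the files themselves stay root-owned. Consider creating only the runtime config file (or a dedicated subdirectory for it) while still `USER root` and chowning just that path, leaving the rest of the web root owned by root. Separately, `docker/nginx.conf` still overwrites `default.conf` and is not touched by this change, so confirm that it listens on an unprivileged port and needs no root-owned pid or cache paths now that the image ends on `USER nginx`.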