use a non root user to start nginx

author: Jan Friedli 2020-03-28 13:45:19 +0100
committer: Jan Friedli 2020-05-09 21:16:09 +0200
commit: 40d4fdad9e8ce5872adf18100196fa77044642c1 (patch)
tree: 4028f88ecb40d7ad5c50a7eed5434f4355d3e682
parent: 853ace7d83424f85d903f6ffe2352bf41f86b7ce (diff)
3 files changed, 113 insertions, 21 deletions
diff --git a/Dockerfile.production b/Dockerfile.production
index 604adae..5c70c4c 100644
--- a/Dockerfile.production
+++ b/Dockerfile.production
@@ -1,23 +1,46 @@
+# https://github.com/nginxinc/docker-nginx-unprivileged/blob/master/stable/buster/Dockerfile
 From debian:buster-slim
+LABEL maintainer="Mat-Web Maintainer <jan.friedli@immerda.ch>"
 WORKDIR /var/www/mat2-web
 COPY . /var/www/mat2-web
-RUN apt-get update \
-&&  apt-get install --no-install-recommends --no-install-suggests --yes \
-    systemd \
-    mat2 \
-    uwsgi \
-    uwsgi-plugin-python3 \
-    nginx-light \
-    python3-pip \
-    python3-setuptools \
-    python3-wheel \
-&&  rm -rf /var/cache/apt/* /var/lib/apt/lists/* \
-&&  pip3 install -r requirements.txt \
-&&  mkdir ./uploads \
-&&  chown -R www-data:www-data . \
-&&  cp ./config/uwsgi.config /etc/uwsgi/apps-enabled/mat2-web.ini \
-&&  rm /etc/nginx/sites-enabled/default \
-&&  mkdir -p /etc/nginx/sites-enabled/ \
-&&  cp ./config/nginx.config /etc/nginx/sites-enabled/mat2.conf
-CMD ["sh", "-c", "/etc/init.d/nginx restart; uwsgi --ini /etc/uwsgi/apps-enabled/mat2-web.ini"]
-\ No newline at end of file
+RUN set -x \
+    && addgroup --system --gid 101 nginx \
+    && adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos "nginx user" --shell /bin/false --uid 101 nginx \
+    && apt-get update \
+    && apt-get install --no-install-recommends --no-install-suggests -y \
+        gnupg1  \
+        ca-certificates \
+        nginx \
+        gettext-base \
+        systemd \
+        mat2 \
+        uwsgi \
+        uwsgi-plugin-python3 \
+        python3-pip \
+        python3-setuptools \
+        python3-wheel \
+    && pip3 install -r requirements.txt \
+    && rm /etc/nginx/sites-enabled/default /etc/nginx/nginx.conf \
+    && cp ./config/nginx-default.conf /etc/nginx/sites-enabled/default \
+    && cp ./config/nginx.conf /etc/nginx/nginx.conf \
+    && cp ./config/uwsgi.config /etc/uwsgi/apps-enabled/mat2-web.ini \
+    && chown 101:101 /etc/uwsgi/apps-enabled/mat2-web.ini \
+    &&  mkdir -p /var/cache/nginx \
+    && chown -R 101:0 /var/cache/nginx \
+    && chmod -R g+w /var/cache/nginx \
+    && ln -sf /dev/stdout /var/log/nginx/access.log \
+    && ln -sf /dev/stderr /var/log/nginx/error.log \
+    && rm -rf /var/cache/apt/* /var/lib/apt/lists/* \
+    &&  mkdir ./uploads \
+    &&  chown -R nginx:nginx .
+STOPSIGNAL SIGTERM
+USER 101
+CMD ["sh", "-c", "nginx; uwsgi --ini /etc/uwsgi/apps-enabled/mat2-web.ini;"]
+\ No newline at end of file
diff --git a/config/nginx.config b/config/nginx-default.conf
index b519ee7..fd3e2f1 100644
--- a/config/nginx.config
+++ b/config/nginx-default.conf
@@ -1,7 +1,7 @@
 server {
        server_name _;
-        listen 80 default_server;
+        listen 8080 default_server;
-        listen [::]:80 default_server;
+        listen [::]:8080 default_server;
        client_max_body_size 20M;
        root /var/www/mat2-web;
diff --git a/config/nginx.conf b/config/nginx.conf
new file mode 100644
index 0000000..3daac64
--- /dev/null
+++ b/config/nginx.conf
@@ -0,0 +1,69 @@
+user nginx;
+worker_processes auto;
+pid /tmp/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+events {
+        worker_connections 768;
+        # multi_accept on;
+}
+http {
+        ##
+        # Basic Settings
+        ##
+        sendfile on;
+        tcp_nopush on;
+        tcp_nodelay on;
+        keepalive_timeout 65;
+        types_hash_max_size 2048;
+        # server_tokens off;
+        # server_names_hash_bucket_size 64;
+        # server_name_in_redirect off;
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+        ##
+        # SSL Settings
+        ##
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+        ssl_prefer_server_ciphers on;
+        ##
+        # Logging Settings
+        ##
+        access_log /var/log/nginx/access.log;
+        error_log /var/log/nginx/error.log;
+        ##
+        # Gzip Settings
+        ##
+        gzip on;
+        # gzip_vary on;
+        # gzip_proxied any;
+        # gzip_comp_level 6;
+        # gzip_buffers 16 8k;
+        # gzip_http_version 1.1;
+        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+        ##
+        # Virtual Host Configs
+        ##
+        include /etc/nginx/conf.d/*.conf;
+        include /etc/nginx/sites-enabled/*;
+                                proxy_temp_path /tmp/proxy_temp;
+                                client_body_temp_path /tmp/client_temp;
+                                fastcgi_temp_path /tmp/fastcgi_temp;
+                                uwsgi_temp_path /tmp/uwsgi_temp;
+                                scgi_temp_path /tmp/scgi_temp;
+}
author	Jan Friedli	2020-03-28 13:45:19 +0100
committer	Jan Friedli	2020-05-09 21:16:09 +0200
commit	40d4fdad9e8ce5872adf18100196fa77044642c1 (patch)
tree	4028f88ecb40d7ad5c50a7eed5434f4355d3e682
parent	853ace7d83424f85d903f6ffe2352bf41f86b7ce (diff)

diff --git a/Dockerfile.production b/Dockerfile.production index 604adae..5c70c4c 100644 --- a/Dockerfile.production +++ b/Dockerfile.production
@@ -1,23 +1,46 @@
		1	# https://github.com/nginxinc/docker-nginx-unprivileged/blob/master/stable/buster/Dockerfile
		2
1	From debian:buster-slim	3	From debian:buster-slim
		4
		5	LABEL maintainer="Mat-Web Maintainer <jan.friedli@immerda.ch>"
		6
2	WORKDIR /var/www/mat2-web	7	WORKDIR /var/www/mat2-web
		8
3	COPY . /var/www/mat2-web	9	COPY . /var/www/mat2-web
4	RUN apt-get update \
5	&& apt-get install --no-install-recommends --no-install-suggests --yes \
6	systemd \
7	mat2 \
8	uwsgi \
9	uwsgi-plugin-python3 \
10	nginx-light \
11	python3-pip \
12	python3-setuptools \
13	python3-wheel \
14	&& rm -rf /var/cache/apt/* /var/lib/apt/lists/* \
15	&& pip3 install -r requirements.txt \
16	&& mkdir ./uploads \
17	&& chown -R www-data:www-data . \
18	&& cp ./config/uwsgi.config /etc/uwsgi/apps-enabled/mat2-web.ini \
19	&& rm /etc/nginx/sites-enabled/default \
20	&& mkdir -p /etc/nginx/sites-enabled/ \
21	&& cp ./config/nginx.config /etc/nginx/sites-enabled/mat2.conf
22		10
23	CMD ["sh", "-c", "/etc/init.d/nginx restart; uwsgi --ini /etc/uwsgi/apps-enabled/mat2-web.ini"] \ No newline at end of file	11	RUN set -x \
		12	&& addgroup --system --gid 101 nginx \
		13	&& adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos "nginx user" --shell /bin/false --uid 101 nginx \
		14	&& apt-get update \
		15	&& apt-get install --no-install-recommends --no-install-suggests -y \
		16	gnupg1 \
		17	ca-certificates \
		18	nginx \
		19	gettext-base \
		20	systemd \
		21	mat2 \
		22	uwsgi \
		23	uwsgi-plugin-python3 \
		24	python3-pip \
		25	python3-setuptools \
		26	python3-wheel \
		27	&& pip3 install -r requirements.txt \
		28	&& rm /etc/nginx/sites-enabled/default /etc/nginx/nginx.conf \
		29	&& cp ./config/nginx-default.conf /etc/nginx/sites-enabled/default \
		30	&& cp ./config/nginx.conf /etc/nginx/nginx.conf \
		31	&& cp ./config/uwsgi.config /etc/uwsgi/apps-enabled/mat2-web.ini \
		32	&& chown 101:101 /etc/uwsgi/apps-enabled/mat2-web.ini \
		33	&& mkdir -p /var/cache/nginx \
		34	&& chown -R 101:0 /var/cache/nginx \
		35	&& chmod -R g+w /var/cache/nginx \
		36	&& ln -sf /dev/stdout /var/log/nginx/access.log \
		37	&& ln -sf /dev/stderr /var/log/nginx/error.log \
		38	&& rm -rf /var/cache/apt/* /var/lib/apt/lists/* \
		39	&& mkdir ./uploads \
		40	&& chown -R nginx:nginx .
		41
		42	STOPSIGNAL SIGTERM
		43
		44	USER 101
		45
		46	CMD ["sh", "-c", "nginx; uwsgi --ini /etc/uwsgi/apps-enabled/mat2-web.ini;"] \ No newline at end of file


diff --git a/config/nginx.config b/config/nginx-default.conf index b519ee7..fd3e2f1 100644 --- a/config/nginx.config +++ b/config/nginx-default.conf
@@ -1,7 +1,7 @@
1	server {	1	server {
2	server_name _;	2	server_name _;
3	listen 80 default_server;	3	listen 8080 default_server;
4	listen [::]:80 default_server;	4	listen [::]:8080 default_server;
5	client_max_body_size 20M;	5	client_max_body_size 20M;
6		6
7	root /var/www/mat2-web;	7	root /var/www/mat2-web;


diff --git a/config/nginx.conf b/config/nginx.conf new file mode 100644 index 0000000..3daac64 --- /dev/null +++ b/config/nginx.conf
@@ -0,0 +1,69 @@
		1	user nginx;
		2	worker_processes auto;
		3	pid /tmp/nginx.pid;
		4	include /etc/nginx/modules-enabled/*.conf;
		5
		6	events {
		7	worker_connections 768;
		8	# multi_accept on;
		9	}
		10
		11	http {
		12
		13	##
		14	# Basic Settings
		15	##
		16
		17	sendfile on;
		18	tcp_nopush on;
		19	tcp_nodelay on;
		20	keepalive_timeout 65;
		21	types_hash_max_size 2048;
		22	# server_tokens off;
		23
		24	# server_names_hash_bucket_size 64;
		25	# server_name_in_redirect off;
		26
		27	include /etc/nginx/mime.types;
		28	default_type application/octet-stream;
		29
		30	##
		31	# SSL Settings
		32	##
		33
		34	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
		35	ssl_prefer_server_ciphers on;
		36
		37	##
		38	# Logging Settings
		39	##
		40
		41	access_log /var/log/nginx/access.log;
		42	error_log /var/log/nginx/error.log;
		43
		44	##
		45	# Gzip Settings
		46	##
		47
		48	gzip on;
		49
		50	# gzip_vary on;
		51	# gzip_proxied any;
		52	# gzip_comp_level 6;
		53	# gzip_buffers 16 8k;
		54	# gzip_http_version 1.1;
		55	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
		56
		57	##
		58	# Virtual Host Configs
		59	##
		60
		61	include /etc/nginx/conf.d/*.conf;
		62	include /etc/nginx/sites-enabled/*;
		63
		64	proxy_temp_path /tmp/proxy_temp;
		65	client_body_temp_path /tmp/client_temp;
		66	fastcgi_temp_path /tmp/fastcgi_temp;
		67	uwsgi_temp_path /tmp/uwsgi_temp;
		68	scgi_temp_path /tmp/scgi_temp;
		69	}