From 40d4fdad9e8ce5872adf18100196fa77044642c1 Mon Sep 17 00:00:00 2001
From: Jan Friedli
Date: Sat, 28 Mar 2020 13:45:19 +0100
Subject: use a non root user to start nginx
---
Dockerfile.production | 63 +++++++++++++++++++++++++++++++++++----------------
1 file changed, 43 insertions(+), 20 deletions(-)
(limited to 'Dockerfile.production')
diff --git a/Dockerfile.production b/Dockerfile.production
index 604adae..5c70c4c 100644
--- a/Dockerfile.production
+++ b/Dockerfile.production
@@ -1,23 +1,46 @@
+# https://github.com/nginxinc/docker-nginx-unprivileged/blob/master/stable/buster/Dockerfile
+
 From debian:buster-slim
+
+LABEL maintainer="Mat-Web Maintainer "
+
 WORKDIR /var/www/mat2-web
+
 COPY . /var/www/mat2-web
-RUN apt-get update \
-&& apt-get install --no-install-recommends --no-install-suggests --yes \
- systemd \
- mat2 \
- uwsgi \
- uwsgi-plugin-python3 \
- nginx-light \
- python3-pip \
- python3-setuptools \
- python3-wheel \
-&& rm -rf /var/cache/apt/* /var/lib/apt/lists/* \
-&& pip3 install -r requirements.txt \
-&& mkdir ./uploads \
-&& chown -R www-data:www-data . \
-&& cp ./config/uwsgi.config /etc/uwsgi/apps-enabled/mat2-web.ini \
-&& rm /etc/nginx/sites-enabled/default \
-&& mkdir -p /etc/nginx/sites-enabled/ \
-&& cp ./config/nginx.config /etc/nginx/sites-enabled/mat2.conf
-
-CMD ["sh", "-c", "/etc/init.d/nginx restart; uwsgi --ini /etc/uwsgi/apps-enabled/mat2-web.ini"]
\ No newline at end of file
+
+RUN set -x \
+ && addgroup --system --gid 101 nginx \
+ && adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos "nginx user" --shell /bin/false --uid 101 nginx \
+ && apt-get update \
+ && apt-get install --no-install-recommends --no-install-suggests -y \
+ gnupg1 \
+ ca-certificates \
+ nginx \
+ gettext-base \
+ systemd \
+ mat2 \
+ uwsgi \
+ uwsgi-plugin-python3 \
+ python3-pip \
+ python3-setuptools \
+ python3-wheel \
+ && pip3 install -r requirements.txt \
+ && rm /etc/nginx/sites-enabled/default /etc/nginx/nginx.conf \
+ && cp ./config/nginx-default.conf /etc/nginx/sites-enabled/default \
+ && cp ./config/nginx.conf /etc/nginx/nginx.conf \
+ && cp ./config/uwsgi.config /etc/uwsgi/apps-enabled/mat2-web.ini \
+ && chown 101:101 /etc/uwsgi/apps-enabled/mat2-web.ini \
+ && mkdir -p /var/cache/nginx \
+ && chown -R 101:0 /var/cache/nginx \
+ && chmod -R g+w /var/cache/nginx \
+ && ln -sf /dev/stdout /var/log/nginx/access.log \
+ && ln -sf /dev/stderr /var/log/nginx/error.log \
+ && rm -rf /var/cache/apt/* /var/lib/apt/lists/* \
+ && mkdir ./uploads \
+ && chown -R nginx:nginx .
+
+STOPSIGNAL SIGTERM
+
+USER 101
+
+CMD ["sh", "-c", "nginx; uwsgi --ini /etc/uwsgi/apps-enabled/mat2-web.ini;"]
\ No newline at end of file
-- 
cgit v1.3
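Review bot: `chown -R nginx:nginx .` at the end of the RUN step hands ownership of the whole application tree — source, `config/`, `requirements.txt` — to the UID the services now run as, so a compromised uwsgi or nginx process can rewrite the code it serves; only the upload directory needs to be writable, e.g. `&& mkdir ./uploads && chown nginx:nginx ./uploads` with the rest left root-owned, and the same applies to `chown 101:101 /etc/uwsgi/apps-enabled/mat2-web.ini`, which only needs to be readable. The added `STOPSIGNAL SIGTERM` has little effect with the current CMD, because `sh -c "nginx; uwsgi …;"` leaves `sh` as PID 1, which does not forward signals to uwsgi, while `nginx` daemonises and is not supervised at all; `CMD ["sh", "-c", "nginx && exec uwsgi --ini /etc/uwsgi/apps-enabled/mat2-web.ini"]` would at least make uwsgi PID 1 and stop the app from starting when nginx fails. Running nginx as UID 101 also presumes that the copied `config/nginx.conf` moves the pid file to a path writable by that user and listens on a port above 1023, as the upstream unprivileged image does; that file is outside this hunk, so it is worth confirming. `gnupg1` and `systemd` appear unused in this image and could be dropped from the install list to shrink the attack surface.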