feat: run nginx in non-privileged mode (#117)

yohanAnushka · web-flow · commit 8ac53ff190b9 · 2023-07-05T08:38:28.000+02:00
- Frontend UIs (nginx):
   - container is run as `nginx(101)` user and `nginx(101)` group.
   - ownership of below directories/files are given to `nginx` user and group.
     - `/usr/share/nginx`
     - `/etc/nginx`
     - `/var/cache/nginx`
     - `/var/run/nginx.pid`
  - container binds to port `8080` instead of previous/default `80`. this is because port `80` is treated as a special port that requires elevated privileges/root.
diff --git a/Dockerfile b/Dockerfile
@@ -11,6 +11,14 @@ COPY ["./nginx/mosaic-fe-samples.conf", "/etc/nginx/conf.d/"]
 # Copy build-artifact
 COPY ["./build", "/usr/share/nginx/html/"]
 
+RUN chown -R nginx:nginx /usr/share/nginx && \
+    chown -R nginx:nginx /etc/nginx && \
+    chown -R nginx:nginx /var/cache/nginx && \
+    touch /var/run/nginx.pid && \
+    chown -R nginx:nginx /var/run/nginx.pid
+
+USER nginx
+
 CMD ["nginx", "-g", "daemon off;"]
 
-EXPOSE 80/tcp
+EXPOSE 8080/tcp
diff --git a/nginx/mosaic-fe-samples.conf b/nginx/mosaic-fe-samples.conf
@@ -1,5 +1,5 @@
 server {
-    listen 80;
+    listen 8080;
 
     location / {
         root   /usr/share/nginx/html;
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -25,5 +25,9 @@ http {
 
     gzip  on;
 
+    server {
+      listen 8081;
+    }
+
     include /etc/nginx/conf.d/*.conf;
 }

Original file line number	Diff line number	Diff line change
`@@ -25,5 +25,9 @@ http {`
`25`	`25`
`26`	`26`	`gzip on;`
`27`	`27`
	`28`	`+ server {`
	`29`	`+ listen 8081;`
	`30`	`+ }`
	`31`	`+`
`28`	`32`	`include /etc/nginx/conf.d/*.conf;`
`29`	`33`	`}`