chore: switch from nginx-unprivileged to nginx 2 (#1408)

docker/frontend/prod/Dockerfile

@@ -29,7 +29,8 @@ RUN apk add --no-cache --virtual --update npm && \
 
 COPY --from=build /app/build /usr/share/nginx/html
 COPY ./frontend/.env.no_oidc /usr/share/nginx/html/.env
-COPY ./frontend/nginx/nginx.conf /etc/nginx/conf.d/default.conf
+COPY ./frontend/nginx/nginx.conf /etc/nginx/nginx.conf
+COPY ./frontend/nginx/default.conf /etc/nginx/conf.d/default.conf
 COPY ./frontend/robots.txt /usr/share/nginx/html/robots.txt
 
 ARG user=nginx
@@ -55,12 +56,8 @@ LABEL org.opencontainers.image.version=${VERSION}
 
 RUN chown -R ${user}:${group} /usr/share/nginx/html && \
         chmod -R 777 /usr/share/nginx/html && \
-        chown -R ${user}:${group} /var/cache/nginx && \
         chown -R ${user}:${group} /var/log/nginx && \
         chown -R ${user}:${group} /etc/nginx/conf.d && \
-        touch /var/run/nginx.pid && \
-        chown -R ${user}:${group} /var/run/nginx.pid && \
-        sed -i 's/user  nginx;/''/g' /etc/nginx/nginx.conf
 
 HEALTHCHECK --interval=30s --timeout=30s --start-period=10s --retries=3 \
     CMD wget -nv -t1 --spider 'http://127.0.0.1:3000/#/login' || exit 1

frontend/nginx/default.conf

@@ -0,0 +1,46 @@
+server_tokens off;
+
+
+  map $status $loggable
+  { 
+      ~^[2|3] 0; 
+      default 1; 
+  } 
+
+server {
+
+  error_log /dev/stdout warn;
+  access_log /dev/stdout combined if=$loggable;
+
+  listen 3000;
+
+  location / {
+    root   /usr/share/nginx/html;
+    index  index.html index.htm;
+    try_files $uri $uri/ /index.html;
+  }
+
+  location = /robots.txt {
+    root   /usr/share/nginx/html;
+    add_header Content-Type text/plain;
+  }
+
+  error_page   500 502 503 504  /50x.html;
+
+  location = /50x.html {
+    root   /usr/share/nginx/html;
+  }
+
+  # Security headers
+  add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
+  add_header Content-Security-Policy  "frame-src 'self'; media-src 'self'; manifest-src 'self'; prefetch-src 'self'; img-src 'self'; script-src 'self'; font-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'self'; form-action 'self'" always;
+  add_header X-Frame-Options 'DENY' always;
+  add_header X-Content-Type-Options 'nosniff' always;
+  add_header Referrer-Policy 'strict-origin-when-cross-origin' always;
+  add_header Cross-Origin-Embedder-Policy 'require-corp' always;
+# Cross-Origin-Opener-Policy doesn't work with OIDC login
+#   add_header Cross-Origin-Opener-Policy 'same-origin' always;
+  add_header Cross-Origin-Resource-Policy 'same-site' always;
+  add_header Permissions-Policy 'geolocation=() camera=(), microphone=()' always;
+  add_header Cache-Control 'private' always;
+}

frontend/nginx/nginx.conf

@@ -1,46 +1,36 @@
-server_tokens off;
-
-
-  map $status $loggable
-  { 
-      ~^[2|3] 0; 
-      default 1; 
-  } 
-
-server {
-
-  error_log /dev/stdout warn;
-  access_log /dev/stdout combined if=$loggable;
-
-  listen 3000;
-
-  location / {
-    root   /usr/share/nginx/html;
-    index  index.html index.htm;
-    try_files $uri $uri/ /index.html;
-  }
-
-  location = /robots.txt {
-    root   /usr/share/nginx/html;
-    add_header Content-Type text/plain;
-  }
-
-  error_page   500 502 503 504  /50x.html;
-
-  location = /50x.html {
-    root   /usr/share/nginx/html;
-  }
-
-  # Security headers
-  add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
-  add_header Content-Security-Policy  "frame-src 'self'; media-src 'self'; manifest-src 'self'; prefetch-src 'self'; img-src 'self'; script-src 'self'; font-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'self'; form-action 'self'" always;
-  add_header X-Frame-Options 'DENY' always;
-  add_header X-Content-Type-Options 'nosniff' always;
-  add_header Referrer-Policy 'strict-origin-when-cross-origin' always;
-  add_header Cross-Origin-Embedder-Policy 'require-corp' always;
-# Cross-Origin-Opener-Policy doesn't work with OIDC login
-#   add_header Cross-Origin-Opener-Policy 'same-origin' always;
-  add_header Cross-Origin-Resource-Policy 'same-site' always;
-  add_header Permissions-Policy 'geolocation=() camera=(), microphone=()' always;
-  add_header Cache-Control 'private' always;
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log notice;
+pid        /tmp/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path       /tmp/proxy_temp_path;
+    fastcgi_temp_path     /tmp/fastcgi_temp;
+    uwsgi_temp_path       /tmp/uwsgi_temp;
+    scgi_temp_path        /tmp/scgi_temp;
+
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    include /etc/nginx/conf.d/*.conf;
 }