chore: switch from nginx-unprivileged to nginx 2 #1408

Merged
merged 1 commit into from
Apr 18, 2024
7 changes: 2 additions & 5 deletions docker/frontend/prod/Dockerfile
Expand Up @@ -29,7 +29,8 @@ RUN apk add --no-cache --virtual --update npm && \

COPY --from=build /app/build /usr/share/nginx/html
COPY ./frontend/.env.no_oidc /usr/share/nginx/html/.env
COPY ./frontend/nginx/nginx.conf /etc/nginx/conf.d/default.conf
COPY ./frontend/nginx/nginx.conf /etc/nginx/nginx.conf
COPY ./frontend/nginx/default.conf /etc/nginx/conf.d/default.conf
COPY ./frontend/robots.txt /usr/share/nginx/html/robots.txt

ARG user=nginx
Expand All @@ -55,12 +56,8 @@ LABEL org.opencontainers.image.version=${VERSION}

RUN chown -R ${user}:${group} /usr/share/nginx/html && \
chmod -R 777 /usr/share/nginx/html && \
chown -R ${user}:${group} /var/cache/nginx && \
chown -R ${user}:${group} /var/log/nginx && \
chown -R ${user}:${group} /etc/nginx/conf.d && \
touch /var/run/nginx.pid && \
chown -R ${user}:${group} /var/run/nginx.pid && \
sed -i 's/user nginx;/''/g' /etc/nginx/nginx.conf

HEALTHCHECK --interval=30s --timeout=30s --start-period=10s --retries=3 \
CMD wget -nv -t1 --spider 'http://127.0.0.1:3000/#/login' || exit 1
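Review bot: The web root stays world-writable after this change: `chmod -R 777 /usr/share/nginx/html` grants write access to every uid in the container, which is unnecessary once the tree is chowned to `${user}:${group}` on the line above and lets any compromised process in the container replace the served JavaScript bundle. `chmod -R u=rwX,go=rX /usr/share/nginx/html` is all nginx needs to serve static files. With the base image now plain `nginx` rather than `nginx-unprivileged`, the container starts as root unless a `USER ${user}` directive follows; the lines between the two hunks are collapsed here, so that should be confirmed, and the remaining `chown` lines for `/var/log/nginx` are only needed if it does run unprivileged.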
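--- a/frontend/nginx/default.conf
+++ b/frontend/nginx/default.conf
@@ -0,0 +1,46 @@
+server_tokens off;
+
+
+map $status $loggable
+{
+~^[2|3] 0;
+default 1;
+}
+
+server {
+
+error_log /dev/stdout warn;
+access_log /dev/stdout combined if=$loggable;
+
+listen 3000;
+
+location / {
+root /usr/share/nginx/html;
+index index.html index.htm;
+try_files $uri $uri/ /index.html;
+}
+
+location = /robots.txt {
+root /usr/share/nginx/html;
+add_header Content-Type text/plain;
+}
+
+error_page 500 502 503 504 /50x.html;
+
+location = /50x.html {
+root /usr/share/nginx/html;
+}
+
+# Security headers
+add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
+add_header Content-Security-Policy "frame-src 'self'; media-src 'self'; manifest-src 'self'; prefetch-src 'self'; img-src 'self'; script-src 'self'; font-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'self'; form-action 'self'" always;
+add_header X-Frame-Options 'DENY' always;
+add_header X-Content-Type-Options 'nosniff' always;
+add_header Referrer-Policy 'strict-origin-when-cross-origin' always;
+add_header Cross-Origin-Embedder-Policy 'require-corp' always;
+# Cross-Origin-Opener-Policy doesn't work with OIDC login
+# add_header Cross-Origin-Opener-Policy 'same-origin' always;
+add_header Cross-Origin-Resource-Policy 'same-site' always;
+add_header Permissions-Policy 'geolocation=() camera=(), microphone=()' always;
+add_header Cache-Control 'private' always;
+}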
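Review bot: The `location = /robots.txt` block loses every security header declared at server level, because nginx's `add_header` is not additive across contexts — a location that has its own `add_header` (here `add_header Content-Type text/plain;`) inherits none from the enclosing `server`. That line is also the wrong tool, since `add_header` appends a second Content-Type instead of replacing the one nginx derives from mime.types; dropping it (`.txt` already maps to text/plain) or using `default_type text/plain;` fixes both problems and restores inheritance. In the header block itself, the Permissions-Policy value `'geolocation=() camera=(), microphone=()'` is missing the comma after `geolocation=()`, so the directive is malformed, and the Content-Security-Policy has no `default-src`, which leaves `connect-src`, `style-src`, `worker-src` and `child-src` unrestricted; `default-src 'self'` (plus an explicit `connect-src` if the OIDC provider is on another origin) closes that gap. Note also that `X-Frame-Options 'DENY'` is contradicted by `frame-ancestors 'self'`, and browsers that understand CSP ignore X-Frame-Options when frame-ancestors is present, so one of the two should be aligned with the intended policy.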
80 changes: 35 additions & 45 deletions frontend/nginx/nginx.conf
@@ -1,46 +1,36 @@
server_tokens off;


map $status $loggable
{
~^[2|3] 0;
default 1;
}

server {

error_log /dev/stdout warn;
access_log /dev/stdout combined if=$loggable;

listen 3000;

location / {
root /usr/share/nginx/html;
index index.html index.htm;
try_files $uri $uri/ /index.html;
}

location = /robots.txt {
root /usr/share/nginx/html;
add_header Content-Type text/plain;
}

error_page 500 502 503 504 /50x.html;

location = /50x.html {
root /usr/share/nginx/html;
}

# Security headers
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
add_header Content-Security-Policy "frame-src 'self'; media-src 'self'; manifest-src 'self'; prefetch-src 'self'; img-src 'self'; script-src 'self'; font-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'self'; form-action 'self'" always;
add_header X-Frame-Options 'DENY' always;
add_header X-Content-Type-Options 'nosniff' always;
add_header Referrer-Policy 'strict-origin-when-cross-origin' always;
add_header Cross-Origin-Embedder-Policy 'require-corp' always;
# Cross-Origin-Opener-Policy doesn't work with OIDC login
# add_header Cross-Origin-Opener-Policy 'same-origin' always;
add_header Cross-Origin-Resource-Policy 'same-site' always;
add_header Permissions-Policy 'geolocation=() camera=(), microphone=()' always;
add_header Cache-Control 'private' always;
worker_processes auto;

error_log /var/log/nginx/error.log notice;
pid /tmp/nginx.pid;


events {
worker_connections 1024;
}


http {
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;

include /etc/nginx/mime.types;
default_type application/octet-stream;

log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

sendfile on;
#tcp_nopush on;

keepalive_timeout 65;

#gzip on;

include /etc/nginx/conf.d/*.conf;
}
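Review bot: Startup and config errors still go to `/var/log/nginx/error.log` and the http-level access log to `/var/log/nginx/access.log` here, while default.conf redirects the server's logs to /dev/stdout; the two only converge because the official image symlinks those files to stderr/stdout, and the file paths are what keeps the `chown` of `/var/log/nginx` in the Dockerfile necessary for a non-root run. `error_log /dev/stderr notice;` and `access_log /dev/stdout main;` (or `access_log off;` if the server-level log is the only one wanted) make the intent explicit and remove the dependency on the image's symlinks. The `pid` and `*_temp_path` entries point into the shared, world-writable `/tmp`; that is the nginx-unprivileged convention and fine for a single-process image, but if anything else runs in this container a dedicated directory such as `/var/run/nginx` owned by the nginx user would be safer — this is an assumption about the deployment, so worth confirming.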