feat: official nginx image running unprivileged

nginx/Dockerfile

@@ -1,5 +1,28 @@
-FROM nginxinc/nginx-unprivileged:1.18
+FROM nginx:1.22.0-alpine
+
+RUN apk upgrade --update-cache
+
+# Copy configs
 COPY nginx.conf /etc/nginx/nginx.conf
-COPY security.conf /etc/nginx/security.conf
-COPY default.nginx /etc/nginx/conf.d/default.conf
-USER 1000
+COPY config/ /etc/nginx/config
+
+# Remove default nginx config
+RUN rm /etc/nginx/conf.d/default.conf
+
+# Copy sites-available into sites-enabled
+COPY sites-available/default.conf /etc/nginx/sites-enabled/default.conf
+
+# Create log directory if not present, set permissions
+RUN mkdir -p /var/log/nginx && \
+    chown -R nginx:nginx /var/log/nginx
+
+# Create tmp directory if not present, set permissions
+RUN mkdir -p /tmp/nginx && \
+    chown -R nginx:nginx /tmp/nginx
+
+# Create pidfile, set permissions
+RUN touch /var/run/nginx.pid && \
+    chown -R nginx:nginx /var/run/nginx.pid
+
+# Run master process as user nginx
+USER nginx

nginx/config/general.conf

@@ -0,0 +1 @@
+add_header Last-Modified    $date_gmt;

nginx/config/proxy.conf

@@ -0,0 +1,11 @@
+proxy_http_version                  1.1;
+
+proxy_set_header Host               $host;
+proxy_set_header X-Real-IP          $remote_addr;
+proxy_set_header Forwarded          $proxy_add_forwarded;
+proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto  $scheme;
+proxy_set_header X-Forwarded-Host   $host;
+proxy_set_header X-Forwarded-Port   $server_port;
+
+proxy_set_header X-Request-Start    $msec;

nginx/security.conf → nginx/config/security.conf

@@ -2,6 +2,6 @@
 add_header X-XSS-Protection             "1; mode=block" always;
 add_header X-Content-Type-Options       "nosniff" always;
 add_header Referrer-Policy              "no-referrer-when-downgrade" always;
-add_header Content-Security-Policy      "default-src 'self' http: https: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
+add_header Content-Security-Policy      "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
 add_header Permissions-Policy           "interest-cohort=()" always;
 add_header Strict-Transport-Security    "max-age=31536000; includeSubDomains; preload" always;

nginx/config/websocket.conf

@@ -0,0 +1,2 @@
+proxy_set_header Upgrade    $http_upgrade;
+proxy_set_header Connection "upgrade";

nginx/nginx.conf

@@ -1,34 +1,62 @@
-worker_processes  auto; # number of processes nginx will spawn
+user                        nginx nginx;
+pid                         /var/run/nginx.pid;
+worker_processes            auto;
+worker_rlimit_nofile        65535;
 
-error_log  /var/log/nginx/error.log warn;
-pid        /tmp/nginx.pid;
+include                     /etc/nginx/modules-enabled/*.conf;
 
 events {
-    worker_connections  65535; # maximum number of connections for each worker process.
+    multi_accept            on;
+    worker_connections      65535;
 }
 
 http {
-    proxy_temp_path /tmp/proxy_temp;
-    client_body_temp_path /tmp/client_temp;
-    fastcgi_temp_path /tmp/fastcgi_temp;
-    uwsgi_temp_path /tmp/uwsgi_temp;
-    scgi_temp_path /tmp/scgi_temp;
-
-    include       /etc/nginx/mime.types;
-    default_type  application/octet-stream;
-
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                      '$status $body_bytes_sent "$http_referer" '
-                      '"$http_user_agent" "$http_x_forwarded_for"';
-
-    access_log  /var/log/nginx/access.log  main;
-
-    sendfile        on;
-    #tcp_nopush     on;
-
-    keepalive_timeout  65;
-
-    #gzip  on;
-
-    include /etc/nginx/conf.d/*.conf;
-}
+    charset                 utf-8;
+    sendfile                on;
+    tcp_nopush              on;
+    tcp_nodelay             on;
+    server_tokens           off;
+    log_not_found           off;
+    types_hash_max_size     2048;
+    types_hash_bucket_size  64;
+    client_max_body_size    32M;
+
+    # logging
+    log_format              main    '$remote_addr - $remote_user [$time_local] "$request" '
+                                    '$status $body_bytes_sent "$http_referrer" '
+                                    '"$http_user_agent" "$http_x_forwarded_for"';
+
+    # MIME
+    include                 mime.types;
+    default_type            application/octet-stream;
+
+    # Logging
+    access_log              /var/log/nginx/access.log main;
+    error_log               /var/log/nginx/error.log warn;
+
+    # temp paths
+    proxy_temp_path         /tmp/nginx/proxy_temp;
+    client_body_temp_path   /tmp/nginx/client_temp;
+    fastcgi_temp_path       /tmp/nginx/fastcgi_temp;
+    uwsgi_temp_path         /tmp/nginx/uwsgi_temp;
+    scgi_temp_path          /tmp/nginx/scgi_temp;
+
+    map $remote_addr $proxy_forwarded_elem {
+        # IPv4 addresses can be sent as-is
+        ~^[0-9.]+$          "for=$remote_addr";
+        # IPv6 addresses need to be bracketed and quoted
+        ~^[0-9A-Fa-f:.]+$   "for=\"[$remote_addr]\"";
+        # Unix domain socket names cannot be represented in RFC 7239 syntax
+        default             "for=unknown";
+    }
+
+    map $http_forwarded $proxy_add_forwarded {
+        # If the incoming Forwarded header is syntactically valid, append to it
+        "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
+        # Otherwise, replace it
+        default             "$proxy_forwarded_elem";
+    }
+
+    include                 /etc/nginx/conf.d/*.conf;
+    include                 /etc/nginx/sites-enabled/*;
+}

nginx/sites-available/default.conf

@@ -0,0 +1,34 @@
+server {
+    listen                  8080;
+    server_name             localhost;
+    client_max_body_size    2G;
+
+    # security
+    include                 /etc/nginx/config/security.conf;
+
+    # logs
+    access_log              /dev/stdout combined;
+    error_log               /dev/stdout;
+
+    # compression
+    gzip                    on;
+    gzip_vary               on;
+    gzip_proxied            any;
+    gzip_comp_level         6;
+    gzip_types              text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
+
+    location /api/ {
+        proxy_pass          http://api:5000/api/;
+
+        include             /etc/nginx/config/general.conf;
+        include             /etc/nginx/config/proxy.conf;
+        include             /etc/nginx/config/websocket.conf;
+    }
+    location / {
+        proxy_pass          http://web:3000/;
+
+        include             /etc/nginx/config/general.conf;
+        include             /etc/nginx/config/proxy.conf;
+        include             /etc/nginx/config/websocket.conf;
+    }
+}