feat(nginx): Use unpriviledged docker images (#956)

* chore(nginx): Use unpriviledged docker images

* fix: Use 8080 instead of 80 as default port

* fix: Fix variable

* fix: Use raw UID values as ARG are not available from parent

* chore: Remove envsubst

* chore: Use same port as everywhere else

* chore: Remove envsubst from nginx4spa

* feat: USE 8080 port in nginx and nginx4spa images

BREAKING CHANGE: port needs to be changed in projects using these images

nginx/Dockerfile

@@ -1,17 +1,19 @@
-FROM nginx:1.21-alpine
+FROM nginxinc/nginx-unprivileged:1.21-alpine
 
 COPY ./nginx.conf /etc/nginx/nginx.conf
 COPY ./entrypoint.sh /entrypoint.sh
-COPY ./envsub.sh /envsub.sh
 COPY ./404.html /usr/share/nginx/errors/
 
 ## adjust permissions
+USER root
 RUN chown -R nginx:nginx /usr/share/nginx/html && chmod -R 755 /usr/share/nginx/html && \
         chown -R nginx:nginx /var/cache/nginx && \
         chown -R nginx:nginx /var/log/nginx && \
         chown -R nginx:nginx /etc/nginx
 
 RUN touch /var/run/nginx.pid && \
         chown -R nginx:nginx /var/run/nginx.pid
-
+
+USER 101
+
 ENTRYPOINT ["/entrypoint.sh"]

nginx/README.md

@@ -3,7 +3,6 @@
 > Nginx image for static web apps
 
 - Serve static files from `/usr/share/nginx/html`
-- envsubst `%%VARIABLE%%` static files at startup (ex: builds)
 - Add some security-related headers :
 
 ```
@@ -14,31 +13,10 @@ add_header X-Content-Type-Options "nosniff";
 
 > For a single-page-applications nginx image, see [../nginx4spa](../nginx4spa)
 
-## Envsubst on startup
-
-As default, in every files in the `/usr/share/nginx/html` directory, the [`envsub.sh`](./envsub.sh) script replaces `%%KEY%%` by `VALUE` where `export KEY=VALUE` in the global env var.
-
-You can disable this by setting the `SKIP_ENVSUBST` environment variable.
-
-So :
-
-```sh
-$ echo "VERSION=%%VERSION%%" > /www/version.txt
-$ docker run \
-    --env VERSION=x.y.z \
-    --env PORT=4444 \
-    --name nginx_test \
-    --publish 8888:4444 \
-    --rm \
-    --volume /www:/usr/share/nginx/html \
-    ghcr.io/socialgouv/docker/nginx
-$ curl localhost:8888/version.txt
-VERSION=x.y.z
-```
 
 Notes:
 
-- `PORT` is optional and default to `80`
+- `PORT` is set to `8080`
 
 To override default configuration, make a local copy of `nginx.conf` and add it to docker build:
 

nginx/docker-compose.yml

@@ -3,7 +3,7 @@ services:
     build:
       context: .
     ports:
-      - target: 80
+      - target: 8080
         published: 8888
 
   #

nginx/entrypoint.sh

@@ -1,5 +1,3 @@
 #!/usr/bin/env sh
 
-source /envsub.sh
-
 exec nginx -g 'daemon off;'

nginx/nginx.conf

@@ -18,7 +18,7 @@ http {
   sendfile                    on;
 
   server {
-    listen                  %%PORT%%;
+    listen                  8080;
     root                    /usr/share/nginx/html;
     index                   index.html;
     server_name_in_redirect on;

nginx/tests/404.bats

@@ -5,7 +5,7 @@ load '../../.bats/common.bats.bash'
 setup_file() {
   docker-compose run \
     --detach \
-    --publish 8889:80 \
+    --publish 8888:8080 \
     --rm \
     --volume ${BATS_TEST_DIRNAME}/fixtures:/usr/share/nginx/html \
     alpine
@@ -16,12 +16,12 @@ teardown_file() {
 }
 
 @test "nginx: should return status 404 (not a SPA)" {
-  run wget --server-response --quiet http://localhost:8889/pouet
+  run wget --server-response --quiet http://localhost:8888/pouet
   assert_output --partial "HTTP/1.1 404 Not Found"
 }
 
 @test "nginx: should return custom 404 page (not a SPA)" {
-  run wget --content-on-error --output-document - http://localhost:8889/pouet
+  run wget --content-on-error --output-document - http://localhost:8888/pouet
   assert_output --partial "CUSTOM 404 PAGE"
 }
 

nginx/tests/default-404-2.bats

@@ -5,7 +5,7 @@ load '../../.bats/common.bats.bash'
 setup_file() {
   docker-compose run \
     --detach \
-    --publish 8888:80 \
+    --publish 8888:8080 \
     --rm \
     --volume ${BATS_TEST_DIRNAME}/fixtures-404:/usr/share/nginx/html \
     alpine

nginx/tests/default-404.bats

@@ -5,7 +5,7 @@ load '../../.bats/common.bats.bash'
 setup_file() {
   docker-compose run \
     --detach \
-    --publish 8888:80 \
+    --publish 8888:8080 \
     --rm \
     --volume ${BATS_TEST_DIRNAME}/fixtures-simple:/usr/share/nginx/html \
     alpine

nginx/tests/volume.bats

@@ -5,7 +5,7 @@ load '../../.bats/common.bats.bash'
 setup_file() {
   docker-compose run \
     --detach \
-    --publish 8888:80 \
+    --publish 8888:8080 \
     --rm \
     --volume ${BATS_TEST_DIRNAME}/fixtures:/usr/share/nginx/html \
     alpine

nginx4spa/Dockerfile

@@ -1,16 +1,18 @@
-FROM nginx:1.21-alpine
+FROM nginxinc/nginx-unprivileged:1.21-alpine
 
 COPY ./nginx.conf /etc/nginx/nginx.conf
 COPY ./entrypoint.sh /entrypoint.sh
-COPY ./envsub.sh /envsub.sh
 
 ## adjust permissions
+USER root
 RUN chown -R nginx:nginx /usr/share/nginx/html && chmod -R 755 /usr/share/nginx/html && \
         chown -R nginx:nginx /var/cache/nginx && \
         chown -R nginx:nginx /var/log/nginx && \
         chown -R nginx:nginx /etc/nginx
 
 RUN touch /var/run/nginx.pid && \
         chown -R nginx:nginx /var/run/nginx.pid
-
+
+USER 101
+
 ENTRYPOINT ["/entrypoint.sh"]

nginx4spa/README.md

@@ -4,7 +4,6 @@
 
 - Serve static files from `/usr/share/nginx/html`
 - Catch-all routing to `/index.html` for single-page-applications with client-side routing
-- envsubst `%%VARIABLE%%` static files at startup (ex: builds)
 - Add some security-related headers :
 
 ```
@@ -15,31 +14,9 @@ add_header X-Content-Type-Options "nosniff";
 
 > For regular nginx image, see [../nginx](../nginx)
 
-## Envsubst on startup
-
-As default, in every files in the `/usr/share/nginx/html` directory, the [`envsub.sh`](./envsub.sh) script replaces `%%KEY%%` by `VALUE` where `export KEY=VALUE` in the global env var.
-
-You can disable this by setting the `SKIP_ENVSUBST` environment variable.
-
-So :
-
-```sh
-$ echo "VERSION=%%VERSION%%" > /www/version.txt
-$ docker run \
-    --env VERSION=x.y.z \
-    --env PORT=4444 \
-    --name nginx4spa_test \
-    --publish 8888:4444 \
-    --rm \
-    --volume /www:/usr/share/nginx/html \
-    ghcr.io/socialgouv/docker/nginx4spa
-$ curl localhost:8888/version.txt
-VERSION=x.y.z
-```
-
 Notes:
 
-- `PORT` is optional and default to `80`
+- `PORT` is set to `8080`.
 
 To override default configuration, make a local copy of `nginx.conf` and add it to docker build:
 

nginx4spa/docker-compose.yml

@@ -3,7 +3,7 @@ services:
     build:
       context: .
     ports:
-      - target: 80
+      - target: 8080
         published: 8888
 
   #

nginx4spa/entrypoint.sh

@@ -1,5 +1,3 @@
 #!/usr/bin/env sh
 
-source /envsub.sh
-
 exec nginx -g 'daemon off;'

nginx4spa/nginx.conf

@@ -18,7 +18,7 @@ http {
   sendfile                    on;
 
   server {
-    listen                  %%PORT%%;
+    listen                  8080;
     root                    /usr/share/nginx/html;
     index                   index.html;
     server_name_in_redirect on;