chore(nginx): Use unprivileged docker images #956

Merged
merged 8 commits into from
Mar 28, 2022
8 changes: 5 additions & 3 deletions nginx/Dockerfile
@@ -1,17 +1,19 @@
FROM nginx:1.21-alpine
FROM nginxinc/nginx-unprivileged:1.21-alpine

COPY ./nginx.conf /etc/nginx/nginx.conf
COPY ./entrypoint.sh /entrypoint.sh
COPY ./envsub.sh /envsub.sh
COPY ./404.html /usr/share/nginx/errors/

## adjust permissions
USER root
RUN chown -R nginx:nginx /usr/share/nginx/html && chmod -R 755 /usr/share/nginx/html && \
chown -R nginx:nginx /var/cache/nginx && \
chown -R nginx:nginx /var/log/nginx && \
chown -R nginx:nginx /etc/nginx

RUN touch /var/run/nginx.pid && \
chown -R nginx:nginx /var/run/nginx.pid


USER 101

ENTRYPOINT ["/entrypoint.sh"]
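Review bot: the `chown -R nginx:nginx /etc/nginx` and `chown -R nginx:nginx /usr/share/nginx/html` lines in the permissions step make the configuration and the web root writable by the account the server runs as (`USER 101`, assuming uid 101 is the `nginx` user), so a compromise of the nginx process could rewrite `nginx.conf` or the served files. nginx only needs read access to both. Leave them root-owned, which is what `COPY` produces by default, and limit the chown to `/var/cache/nginx`, `/var/log/nginx` and the pid file.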
24 changes: 1 addition & 23 deletions nginx/README.md
Expand Up @@ -3,7 +3,6 @@
> Nginx image for static web apps

- Serve static files from `/usr/share/nginx/html`
- envsubst `%%VARIABLE%%` static files at startup (ex: builds)
- Add some security-related headers :

```
Expand All @@ -14,31 +13,10 @@ add_header X-Content-Type-Options "nosniff";

> For a single-page-applications nginx image, see [../nginx4spa](../nginx4spa)

## Envsubst on startup

As default, in every files in the `/usr/share/nginx/html` directory, the [`envsub.sh`](./envsub.sh) script replaces `%%KEY%%` by `VALUE` where `export KEY=VALUE` in the global env var.

You can disable this by setting the `SKIP_ENVSUBST` environment variable.

So :

```sh
$ echo "VERSION=%%VERSION%%" > /www/version.txt
$ docker run \
--env VERSION=x.y.z \
--env PORT=4444 \
--name nginx_test \
--publish 8888:4444 \
--rm \
--volume /www:/usr/share/nginx/html \
ghcr.io/socialgouv/docker/nginx
$ curl localhost:8888/version.txt
VERSION=x.y.z
```

Notes:

- `PORT` is optional and default to `80`
- `PORT` is set to `8080`

To override default configuration, make a local copy of `nginx.conf` and add it to docker build:
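Review bot: the replacement note "`PORT` is set to `8080`" reads as if a `PORT` variable still exists, but elsewhere in this PR `nginx.conf` hardcodes `listen 8080;` and `envsub.sh` is deleted, so setting `PORT` or shipping `%%VARIABLE%%` placeholders in static files no longer has any effect. State instead that the container listens on 8080 and that `PORT`, `SKIP_ENVSUBST` and the startup substitution were removed. This is a breaking change for consumers of the image and deserves an explicit mention, since the `chore` prefix in the title does not signal it.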

2 changes: 1 addition & 1 deletion nginx/docker-compose.yml
Expand Up @@ -3,7 +3,7 @@ services:
build:
context: .
ports:
- target: 80
- target: 8080
published: 8888

#
2 changes: 0 additions & 2 deletions nginx/entrypoint.sh
@@ -1,5 +1,3 @@
#!/usr/bin/env sh

source /envsub.sh

exec nginx -g 'daemon off;'
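Review bot: with `source /envsub.sh` gone, the script is reduced to `exec nginx -g 'daemon off;'`, so the wrapper no longer does anything the Dockerfile cannot. Consider deleting `entrypoint.sh` and its `COPY`, and using the exec form directly, `ENTRYPOINT ["nginx", "-g", "daemon off;"]`, which takes the shell out of the startup path.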
31 changes: 0 additions & 31 deletions nginx/envsub.sh

This file was deleted.

2 changes: 1 addition & 1 deletion nginx/nginx.conf
Expand Up @@ -18,7 +18,7 @@ http {
sendfile on;

server {
listen %%PORT%%;
listen 8080;
root /usr/share/nginx/html;
index index.html;
server_name_in_redirect on;
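Review bot: `listen 8080;` next to `server_name_in_redirect on;` changes the redirects nginx generates itself. `port_in_redirect` defaults to on, so an absolute redirect such as the trailing-slash redirect for a directory will now carry `:8080` in its `Location` header, which is wrong whenever the container sits behind a published port (8888 in the tests) or an ingress on 80/443. Add `port_in_redirect off;` or `absolute_redirect off;` to the `server` block. The same applies to `nginx4spa/nginx.conf`.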
6 changes: 3 additions & 3 deletions nginx/tests/404.bats
Expand Up @@ -5,7 +5,7 @@ load '../../.bats/common.bats.bash'
setup_file() {
docker-compose run \
--detach \
--publish 8889:80 \
--publish 8888:8080 \
--rm \
--volume ${BATS_TEST_DIRNAME}/fixtures:/usr/share/nginx/html \
alpine
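Review bot: `--publish 8888:8080` moves this file off host port 8889 and onto 8888, the same host port published by `default-404.bats`, `default-404-2.bats`, `volume.bats` and `docker-compose.yml`. If a container from another test file is still up, or the files are ever run in parallel, the bind fails. Only the container side needed to change here, so `--publish 8889:8080` would keep the previous isolation, unless the move to 8888 is intentional.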
Expand All @@ -16,12 +16,12 @@ teardown_file() {
}

@test "nginx: should return status 404 (not a SPA)" {
run wget --server-response --quiet http://localhost:8889/pouet
run wget --server-response --quiet http://localhost:8888/pouet
assert_output --partial "HTTP/1.1 404 Not Found"
}

@test "nginx: should return custom 404 page (not a SPA)" {
run wget --content-on-error --output-document - http://localhost:8889/pouet
run wget --content-on-error --output-document - http://localhost:8888/pouet
assert_output --partial "CUSTOM 404 PAGE"
}
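Review bot: none of the test changes in this PR asserts that the container actually runs unprivileged. The edits in this hunk only swap the port in the two `wget` URLs. Add a test that runs `id -u` inside the started container and asserts the output is `101` (or at least not `0`), so a later base-image or `USER` change cannot regress this unnoticed.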

2 changes: 1 addition & 1 deletion nginx/tests/default-404-2.bats
Expand Up @@ -5,7 +5,7 @@ load '../../.bats/common.bats.bash'
setup_file() {
docker-compose run \
--detach \
--publish 8888:80 \
--publish 8888:8080 \
--rm \
--volume ${BATS_TEST_DIRNAME}/fixtures-404:/usr/share/nginx/html \
alpine
2 changes: 1 addition & 1 deletion nginx/tests/default-404.bats
Expand Up @@ -5,7 +5,7 @@ load '../../.bats/common.bats.bash'
setup_file() {
docker-compose run \
--detach \
--publish 8888:80 \
--publish 8888:8080 \
--rm \
--volume ${BATS_TEST_DIRNAME}/fixtures-simple:/usr/share/nginx/html \
alpine
37 changes: 0 additions & 37 deletions nginx/tests/envsub.bats

This file was deleted.

1 change: 0 additions & 1 deletion nginx/tests/fixtures-envsubst/404.html

This file was deleted.

1 change: 0 additions & 1 deletion nginx/tests/fixtures-envsubst/foo/bar/bar.js

This file was deleted.

1 change: 0 additions & 1 deletion nginx/tests/fixtures-envsubst/foo/bar/bar.png

This file was deleted.

1 change: 0 additions & 1 deletion nginx/tests/fixtures-envsubst/index.html

This file was deleted.

22 changes: 0 additions & 22 deletions nginx/tests/port.bats

This file was deleted.

34 changes: 0 additions & 34 deletions nginx/tests/skip-envsub.bats

This file was deleted.

2 changes: 1 addition & 1 deletion nginx/tests/volume.bats
Expand Up @@ -5,7 +5,7 @@ load '../../.bats/common.bats.bash'
setup_file() {
docker-compose run \
--detach \
--publish 8888:80 \
--publish 8888:8080 \
--rm \
--volume ${BATS_TEST_DIRNAME}/fixtures:/usr/share/nginx/html \
alpine
8 changes: 5 additions & 3 deletions nginx4spa/Dockerfile
@@ -1,16 +1,18 @@
FROM nginx:1.21-alpine
FROM nginxinc/nginx-unprivileged:1.21-alpine

COPY ./nginx.conf /etc/nginx/nginx.conf
COPY ./entrypoint.sh /entrypoint.sh
COPY ./envsub.sh /envsub.sh

## adjust permissions
USER root
RUN chown -R nginx:nginx /usr/share/nginx/html && chmod -R 755 /usr/share/nginx/html && \
chown -R nginx:nginx /var/cache/nginx && \
chown -R nginx:nginx /var/log/nginx && \
chown -R nginx:nginx /etc/nginx

RUN touch /var/run/nginx.pid && \
chown -R nginx:nginx /var/run/nginx.pid


USER 101

ENTRYPOINT ["/entrypoint.sh"]
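Review bot: `FROM nginxinc/nginx-unprivileged:1.21-alpine` tracks a mutable tag, so a rebuild can silently pick up a different base image than the one that was reviewed and tested. Pin it by digest in both Dockerfiles, `FROM nginxinc/nginx-unprivileged:1.21-alpine@sha256:<digest>` (placeholder, to be filled with the digest actually pulled), and bump it deliberately.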
25 changes: 1 addition & 24 deletions nginx4spa/README.md
Expand Up @@ -4,7 +4,6 @@

- Serve static files from `/usr/share/nginx/html`
- Catch-all routing to `/index.html` for single-page-applications with client-side routing
- envsubst `%%VARIABLE%%` static files at startup (ex: builds)
- Add some security-related headers :

```
Expand All @@ -15,31 +14,9 @@ add_header X-Content-Type-Options "nosniff";

> For regular nginx image, see [../nginx](../nginx)

## Envsubst on startup

As default, in every files in the `/usr/share/nginx/html` directory, the [`envsub.sh`](./envsub.sh) script replaces `%%KEY%%` by `VALUE` where `export KEY=VALUE` in the global env var.

You can disable this by setting the `SKIP_ENVSUBST` environment variable.

So :

```sh
$ echo "VERSION=%%VERSION%%" > /www/version.txt
$ docker run \
--env VERSION=x.y.z \
--env PORT=4444 \
--name nginx4spa_test \
--publish 8888:4444 \
--rm \
--volume /www:/usr/share/nginx/html \
ghcr.io/socialgouv/docker/nginx4spa
$ curl localhost:8888/version.txt
VERSION=x.y.z
```

Notes:

- `PORT` is optional and default to `80`
- `PORT` is set to `8080`.

To override default configuration, make a local copy of `nginx.conf` and add it to docker build:

2 changes: 1 addition & 1 deletion nginx4spa/docker-compose.yml
Expand Up @@ -3,7 +3,7 @@ services:
build:
context: .
ports:
- target: 80
- target: 8080
published: 8888

#
2 changes: 0 additions & 2 deletions nginx4spa/entrypoint.sh
@@ -1,5 +1,3 @@
#!/usr/bin/env sh

source /envsub.sh

exec nginx -g 'daemon off;'
31 changes: 0 additions & 31 deletions nginx4spa/envsub.sh

This file was deleted.

2 changes: 1 addition & 1 deletion nginx4spa/nginx.conf
Expand Up @@ -18,7 +18,7 @@ http {
sendfile on;

server {
listen %%PORT%%;
listen 8080;
root /usr/share/nginx/html;
index index.html;
server_name_in_redirect on;