From fe1fd380b26ca8c8bc0d9ac49718c0616a63f4c8 Mon Sep 17 00:00:00 2001
From: Bernd Schorgers
Date: Fri, 12 Sep 2025 11:09:53 +0200
Subject: [PATCH 1/2] feat: Use nginx-unprivileged for improved security

---
 .docker/nginx.conf | 7 ++-----
 .docker/scripts/100-envsubst-on-app-envs.sh | 6 +++---
 Dockerfile | 13 +++++--------
 docker-compose.yml | 2 +-
 4 files changed, 11 insertions(+), 17 deletions(-)

diff --git a/.docker/nginx.conf b/.docker/nginx.conf
index b1cd645b..f82d2a0a 100644
--- a/.docker/nginx.conf
+++ b/.docker/nginx.conf
@@ -1,11 +1,8 @@
 # Run nginx in foreground.
 # daemon off;
 
-# This is run inside Docker.
-user nginx;
-
 # Pid storage location.
-pid /run/nginx.pid;
+pid /tmp/nginx.pid;
 
 # Set number of worker processes.
 worker_processes 1;
@@ -90,4 +87,4 @@ http {
 proxy_set_header X-Real-IP $remote_addr;
 }
 }
-}
\ No newline at end of file
+}
diff --git a/.docker/scripts/100-envsubst-on-app-envs.sh b/.docker/scripts/100-envsubst-on-app-envs.sh
index 25ecbf75..f5f4f269 100644
--- a/.docker/scripts/100-envsubst-on-app-envs.sh
+++ b/.docker/scripts/100-envsubst-on-app-envs.sh
@@ -5,6 +5,6 @@ set -ex
 # find the file with the template envs
 envs=$(ls -t /usr/share/nginx/html/assets/envs*.js | head -n1)
 
-envsubst < "$envs" > ./envs_temp
-cp ./envs_temp "$envs"
-rm ./envs_temp
+tmpfile=$(mktemp)
+envsubst < "$envs" > "$tmpfile"
+mv "$tmpfile" "$envs"
diff --git a/Dockerfile b/Dockerfile
index cd116599..578a1a4b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,10 +1,7 @@
-FROM nginx:alpine-slim AS prod
+FROM nginxinc/nginx-unprivileged:alpine-slim AS prod
 
-EXPOSE 80
+EXPOSE 8080
 
-COPY .docker/scripts/ /docker-entrypoint.d/
-COPY .docker/nginx.conf /etc/nginx/
-
-RUN chmod +x /docker-entrypoint.d/100-envsubst-on-app-envs.sh
-
-COPY dist/ /usr/share/nginx/html/
+COPY --chmod=755 .docker/scripts/ /docker-entrypoint.d/
+COPY --chown=nginx:root .docker/nginx.conf /etc/nginx/
+COPY --chown=nginx:root dist/ /usr/share/nginx/html/
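Review bot: The comment above the changed `pid` directive still reads only `# Pid storage location.`, so nothing records that /tmp was chosen because /run is not writable by the non-root uid the unprivileged base runs nginx under, and a later edit could move it back. I would change it to `# Pid storage location; /tmp is writable by the unprivileged nginx user (/run is not).`. Removing `user nginx;` is consistent with the new base, since that directive only takes effect when the master process starts as root. The http block is only partly visible here; if it does not also point the *_temp_path directives at a writable location, confirm the default cache directories are writable by the runtime uid before relying on this config.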
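Review bot: `tmpfile=$(mktemp)` on the first added line creates the file under $TMPDIR, normally /tmp, while the target lives under /usr/share/nginx/html/assets, so when /tmp is a separate filesystem (tmpfs, or an emptyDir on a read-only root) the `mv` on the last line degrades from an atomic rename to copy-plus-unlink. Creating the temporary file next to the target keeps the rename atomic and surfaces a non-writable asset directory on the first line rather than the last: `tmpfile=$(mktemp "$envs.XXXXXX")`. mktemp also creates the file mode 0600, so the substituted asset ends up readable only by the running uid; the workers share that uid in the unprivileged image, but a `chmod 644 "$tmpfile"` before the move would keep the asset's original (presumably 0644) permissions instead of narrowing them, which is what the previous `cp` over the existing file did. The same pattern is introduced in .docker/scripts/90-envsubst-on-nginx-conf.sh in the second patch.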
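Review bot: The html tree copied on the last added line is rewritten at container start by 100-envsubst-on-app-envs.sh, which needs write access to the assets directory, but the Dockerfile does not say so; a reader could tighten that copy to root-owned files and break start-up. I would add above it `# html/ is rewritten at start-up by 100-envsubst-on-app-envs.sh, so the runtime user must be able to write to assets/.`. `--chown=nginx:root` satisfies this for the image's own nginx uid; if the image is also meant to run under an arbitrary uid with gid 0, as the unprivileged base presumably supports for /etc/nginx, the group write bit is not set by this COPY and a `--chmod` or an explicit chmod step would be needed. Replacing the separate `RUN chmod +x` with `--chmod=755` on the scripts copy is a good change, since the follow-up RUN duplicated the layer.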
diff --git a/docker-compose.yml b/docker-compose.yml
index 0231eb1d..57e8ce33 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,7 +5,7 @@ services:
 image: ghcr.io/nerivec/zigbee2mqtt-windfront
 restart: unless-stopped
 ports:
- - 80:80
+ - 8080:8080
 networks:
 - network
 environment:
From 5e79ff65ecdb98a09e23efd6ebe906f0d33e7947 Mon Sep 17 00:00:00 2001
From: Bernd Schorgers
Date: Sat, 13 Sep 2025 10:21:27 +0200
Subject: [PATCH 2/2] Make nginx port configurable

---
 .docker/nginx.conf | 4 ++--
 .docker/scripts/90-envsubst-on-nginx-conf.sh | 9 +++++++++
 Dockerfile | 4 +++-
 docker-compose.yml | 2 +-
 4 files changed, 15 insertions(+), 4 deletions(-)
 create mode 100644 .docker/scripts/90-envsubst-on-nginx-conf.sh

diff --git a/.docker/nginx.conf b/.docker/nginx.conf
index f82d2a0a..23be1a19 100644
--- a/.docker/nginx.conf
+++ b/.docker/nginx.conf
@@ -38,8 +38,8 @@ http {
 resolver 127.0.0.11 ipv6=off;
 
 server {
-listen 80;
-listen [::]:80;
+listen ${NGINX_PORT};
+listen [::]:${NGINX_PORT};
 server_name localhost;
 
 location / {
diff --git a/.docker/scripts/90-envsubst-on-nginx-conf.sh b/.docker/scripts/90-envsubst-on-nginx-conf.sh
new file mode 100644
index 00000000..961583c3
--- /dev/null
+++ b/.docker/scripts/90-envsubst-on-nginx-conf.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env sh
+
+set -ex
+
+config_file="/etc/nginx/nginx.conf"
+
+tmpfile=$(mktemp)
+envsubst '${NGINX_PORT}' < "$config_file" > "$tmpfile"
+mv "$tmpfile" "$config_file"
diff --git a/Dockerfile b/Dockerfile
index 578a1a4b..2d56315f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,8 @@
 FROM nginxinc/nginx-unprivileged:alpine-slim AS prod
 
-EXPOSE 8080
+ENV NGINX_PORT=80
+
+EXPOSE 80
 
 COPY --chmod=755 .docker/scripts/ /docker-entrypoint.d/
 COPY --chown=nginx:root .docker/nginx.conf /etc/nginx/
diff --git a/docker-compose.yml b/docker-compose.yml
index 57e8ce33..0231eb1d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
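Review bot: The two `listen` lines now hold a `${NGINX_PORT}` placeholder that nginx itself cannot interpret, and nothing in the file says where it is filled in; when the config is checked outside the container (`nginx -t`) or the entrypoint is overridden, nginx refuses to start on exactly these lines with no hint that a substitution step was skipped. I would add above `server {` the comment `# ${NGINX_PORT} is substituted at container start by /docker-entrypoint.d/90-envsubst-on-nginx-conf.sh.`. As a style alternative, the nginx image's own 20-envsubst-on-templates.sh hook could render a nginx.conf.template into /etc/nginx if its output directory variable (NGINX_ENVSUBST_OUTPUT_DIR, assuming this base ships the same hook) is pointed there, which would remove the custom script entirely. The enclosing http block starts and ends outside the hunk.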
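Review bot: `envsubst '${NGINX_PORT}'` on the second-to-last line substitutes whatever the variable holds, including an empty string, so a container started with `NGINX_PORT=` writes `listen ;` into nginx.conf and nginx then fails with a generic config error rather than a message naming the variable. A guard before the substitution makes the failure self-explanatory: `: "${NGINX_PORT:?NGINX_PORT must be set to the port nginx listens on}"`. Restricting the substitution to `${NGINX_PORT}` is the right call, since nginx.conf is full of `$remote_addr`-style variables that an unrestricted envsubst would replace with empty strings. The script also lacks a header comment; `# Fill in ${NGINX_PORT} in the main nginx.conf before nginx starts (run from /docker-entrypoint.d).` would cover it, and the mktemp-in-/tmp point raised on 100-envsubst-on-app-envs.sh in the first patch applies here too.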
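Review bot: `ENV NGINX_PORT=80` and `EXPOSE 80` move the default listen port back below 1024 while nginx still runs as the unprivileged uid of the base image; binding port 80 then needs CAP_NET_BIND_SERVICE or `ip_unprivileged_port_start=0`, which Docker Engine 20.10+ grants by default but Kubernetes, rootless Podman and hardened runtimes generally do not, so the container fails at start with a bind permission error. The first patch moved to 8080 for exactly this reason; keeping that as the default and letting the variable override it is safer: `ENV NGINX_PORT=8080` and `EXPOSE 8080`, with docker-compose.yml mapping `80:8080` instead of the `80:80` the compose hunk of this patch reverts to. A comment next to the ENV, `# Default kept above 1024 because nginx runs as a non-root user; override with -e NGINX_PORT=<port>.`, would keep the reason with the value.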
@@ -5,7 +5,7 @@ services:
 image: ghcr.io/nerivec/zigbee2mqtt-windfront
 restart: unless-stopped
 ports:
- - 8080:8080
+ - 80:80
 networks:
 - network
 environment: