-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathDockerfile.plus.unprivileged
82 lines (73 loc) · 4.3 KB
/
Dockerfile.plus.unprivileged
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
FROM debian:bullseye-slim
ARG NAP_WAF=false
ARG NGINX_AGENT=false
ARG UID=101
ARG GID=101
# Initial packages setup
RUN apt-get -y update \
&& apt-get -y install apt-transport-https lsb-release ca-certificates wget gnupg2 curl debian-archive-keyring iproute2 \
&& mkdir -p /deployment /etc/ssl/nginx /etc/nms \
&& addgroup --system --gid $GID nginx \
&& adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos "nginx user" --shell /bin/false --uid $UID nginx \
&& wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq \
&& chmod +x /usr/bin/yq
# Use certificate and key from secret
RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
--mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
set -x \
# Install prerequisite packages:
&& wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor > /usr/share/keyrings/nginx-archive-keyring.gpg \
&& printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \
&& wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx \
&& apt-get -y update \
&& apt-get -y install nginx-plus nginx-plus-module-njs nginx-plus-module-prometheus \
# Optional NGINX App Protect WAF
&& if [ "$NAP_WAF" = "true" ] ; then \
wget -qO - https://cs.nginx.com/static/keys/app-protect-security-updates.key | gpg --dearmor > /usr/share/keyrings/app-protect-security-updates.gpg \
&& printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect/debian `lsb_release -cs` nginx-plus\n" > /etc/apt/sources.list.d/nginx-app-protect.list \
&& printf "deb [signed-by=/usr/share/keyrings/app-protect-security-updates.gpg] https://pkgs.nginx.com/app-protect-security-updates/debian `lsb_release -cs` nginx-plus\n" >> /etc/apt/sources.list.d/nginx-app-protect.list \
&& apt-get -y update \
&& apt-get -y install app-protect app-protect-attack-signatures \
&& chown $UID:0 /opt \
&& chmod g+w /opt \
&& chown -R $UID:0 /opt/app_protect \
&& chmod -R g+w /opt/app_protect; fi \
# Forward request logs to Docker log collector
&& ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log \
# NGINX Agent
&& if [ "$NGINX_AGENT" = "true" ] ; then \
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor > /usr/share/keyrings/nginx-archive-keyring.gpg \
&& echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://packages.nginx.org/nginx-agent/debian/ `lsb_release -cs` agent" > /etc/apt/sources.list.d/nginx-agent.list \
&& apt-get -y update \
&& apt-get -y install nginx-agent \
# implement changes required to run NGINX Agent as an unprivileged user
&& chown -R $UID:0 /etc/nginx-agent \
&& chmod -R g+w /etc/nginx-agent \
&& chown -R $UID:0 /var/lib/nginx-agent \
&& chmod -R g+w /var/lib/nginx-agent \
&& chown -R $UID:0 /var/log/nginx-agent \
&& chmod -R g+w /var/log/nginx-agent \
&& chown -R $UID:0 /var/run/nginx-agent \
&& chmod -R g+w /var/run/nginx-agent; fi
# implement changes required to run NGINX as an unprivileged user
RUN rm /etc/nginx/conf.d/default.conf \
&& sed -i '/user nginx;/d' /etc/nginx/nginx.conf \
&& sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \
&& sed -i "/^http {/a \ proxy_temp_path /tmp/proxy_temp;\n client_body_temp_path /tmp/client_temp;\n fastcgi_temp_path /tmp/fastcgi_temp;\n uwsgi_temp_path /tmp/uwsgi_temp;\n scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf \
# nginx user must own the cache and etc directory to write cache and tweak the nginx config
&& chown -R $UID:0 /var/cache/nginx \
&& chmod -R g+w /var/cache/nginx \
&& chown -R $UID:0 /etc/nginx \
&& chmod -R g+w /etc/nginx \
&& chown -R $UID:0 /usr/lib/nginx/modules \
&& chmod -R g+w /usr/lib/nginx/modules \
&& chown -R $UID:0 /etc/nms \
&& chmod -R g+w /etc/nms
# Startup script
COPY ./container/start.sh /deployment/
RUN chmod +x /deployment/start.sh && touch /.dockerenv
EXPOSE 80
STOPSIGNAL SIGTERM
USER $UID
CMD ["/deployment/start.sh"]