From 932c5cdb6c4890f3adda01cfcf89f2db8ec035ef Mon Sep 17 00:00:00 2001
From: Issam Kadar
Date: Wed, 16 Jul 2025 15:56:37 +0200
Subject: [PATCH] chore/security : expose port 8080 instead of 80
---
 web_specs/Dockerfile | 20 ++++++++++++----
 web_specs/conf.d/default.conf | 44 +++++++++++++++++++++++++++++++++++
 web_specs/nginx.conf | 31 ++++++++++++++++++++++++
 3 files changed, 91 insertions(+), 4 deletions(-)
 create mode 100644 web_specs/conf.d/default.conf
 create mode 100644 web_specs/nginx.conf
diff --git a/web_specs/Dockerfile b/web_specs/Dockerfile
index e440ffe206..d503666cfc 100644
--- a/web_specs/Dockerfile
+++ b/web_specs/Dockerfile
@@ -8,8 +8,20 @@ FROM --platform=linux/amd64 nginx:alpine
 # Copy the files to the nginx default document root
 COPY ./generated/ /usr/share/nginx/html
 
-# Expose port 80 to allow incoming traffic
-EXPOSE 80
+# Copy the nginx configuration file to the container
+COPY nginx.conf /usr/share/nginx/html/nginx.conf
 
-# Start the nginx web server
-CMD ["nginx", "-g", "daemon off;"]
\ No newline at end of file
+# Copy custom server config to use port 8080
+COPY conf.d/default.conf /etc/nginx/conf.d/default.conf
+
+# Fix permissions for nginx cache directory when running with non-root user
+RUN mkdir -p /var/cache/nginx && chown -R nginx:nginx /var/cache/nginx /usr/share/nginx/html
+
+# Expose port 8080 to allow incoming traffic
+EXPOSE 8080
+
+# Start the nginx web server with custom config (with updated pid path)
+CMD ["nginx", "-c", "/usr/share/nginx/html/nginx.conf", "-g", "daemon off;"]
+
+# Run as non-root user for better security
+USER nginx
\ No newline at end of file
diff --git a/web_specs/conf.d/default.conf b/web_specs/conf.d/default.conf
new file mode 100644
index 0000000000..3e04222a3f
--- /dev/null
+++ b/web_specs/conf.d/default.conf
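Review bot: In web_specs/Dockerfile, `COPY nginx.conf /usr/share/nginx/html/nginx.conf` places the main nginx configuration inside the document root that the new default.conf serves from `location /`, so the file would be handed to any client that asks for it as a static asset. The `chown -R nginx:nginx` on the added RUN line also covers `/usr/share/nginx/html`, which makes both the published content and that config writable by the unprivileged nginx process, although serving static files only needs read access. Suggest `COPY nginx.conf /etc/nginx/nginx.conf`, keeping `CMD ["nginx", "-g", "daemon off;"]` without `-c`, and limiting the chown to `/var/cache/nginx`. The RUN comment would then read `# Let the non-root nginx user write its cache and pid files`.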
@@ -0,0 +1,44 @@
+server {
+ listen 8080;
+ listen [::]:8080;
+ server_name localhost;
+
+ #access_log /var/log/nginx/host.access.log main;
+
+ location / {
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+ }
+
+ #error_page 404 /404.html;
+
+ # redirect server error pages to the static page /50x.html
+ #
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+
+ # proxy the PHP scripts to Apache listening on 127.0.0.1:80
+ #
+ #location ~ \.php$ {
+ # proxy_pass http://127.0.0.1;
+ #}
+
+ # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+ #
+ #location ~ \.php$ {
+ # root html;
+ # fastcgi_pass 127.0.0.1:9000;
+ # fastcgi_index index.php;
+ # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
+ # include fastcgi_params;
+ #}
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ #
+ #location ~ /\.ht {
+ # deny all;
+ #}
+}
\ No newline at end of file
diff --git a/web_specs/nginx.conf b/web_specs/nginx.conf
new file mode 100644
index 0000000000..a04f03bec0
--- /dev/null
+++ b/web_specs/nginx.conf
@@ -0,0 +1,31 @@
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /var/cache/nginx/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ include /etc/nginx/conf.d/*.conf;
+}
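Review bot: web_specs/conf.d/default.conf appears to be the image's stock default with only the two `listen` lines changed, so it carries roughly twenty lines of commented-out PHP, FastCGI and `.htaccess` examples that do not apply to a static spec site; trimming them would make the effective configuration easier to audit. Since the commit is framed as hardening, consider adding `server_tokens off;` inside the `server` block so the nginx version is not disclosed in the `Server` header and on error pages. A header comment such as `# Listens on 8080 so nginx can bind without root privileges` would record why this file replaces the default.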
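Review bot: `user nginx;` on the first line of web_specs/nginx.conf has no effect once the container runs under `USER nginx`, because nginx honours that directive only when the master process starts as root and otherwise logs a warning at startup and ignores it. Dropping the line keeps the startup log clean and avoids implying a privilege drop that no longer takes place. The relocated `pid` line looks like the one functional difference from the stock file and deserves a comment, for example `# pid kept under /var/cache/nginx because the unprivileged user cannot write the default pid location`.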