Run production frontend Nginx unprivileged under dropped caps

2026-03-02 16:41:20 -03:00
parent d50169b883
commit 8f2c357bfc
3 changed files with 31 additions and 2 deletions

@@ -141,8 +141,9 @@ Recommended LIVE pattern:
- Frontend no longer consumes `VITE_API_TOKEN`.
- Frontend image target is environment-driven:
- `APP_ENV=development` builds the `development` target and runs Vite dev server
- `APP_ENV=production` builds the `production` target and serves static assets through Nginx
- `APP_ENV=production` builds the `production` target and serves static assets through unprivileged Nginx
- Frontend Docker targets are selected from `APP_ENV`, so use `development` or `production` values.
- Production frontend Nginx uses non-root runtime plus `/tmp` temp-path configuration so it can run with container capability dropping enabled.
- Vite dev server host allowlist uses the union of:
- hostnames extracted from `CORS_ORIGINS`
- optional explicit hostnames from `VITE_ALLOWED_HOSTS`
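
Review bot: the added bullet "Production frontend Nginx uses non-root runtime plus `/tmp` temp-path configuration" tells operators what changed inside the image but not what they must change around it. Please state the port the unprivileged Nginx now listens on, since anyone mapping or proxying to the previous port needs to know whether it moved, and note that `/tmp` has to be writable at runtime (for example via a tmpfs mount if the container runs with a read-only root filesystem). "Container capability dropping enabled" is also vague: name the exact setting or compose key this refers to and whether any capability still has to be retained, so the documented configuration can be checked against the deployment.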