Run production frontend Nginx unprivileged under dropped caps

2026-03-02 16:41:20 -03:00
parent d50169b883
commit 8f2c357bfc
3 changed files with 31 additions and 2 deletions
--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
@@ -41,9 +41,15 @@ RUN npm run build

 FROM nginx:1.27-alpine AS production

+COPY nginx-main.conf /etc/nginx/nginx.conf
 COPY nginx.conf /etc/nginx/conf.d/default.conf
 COPY --from=build /app/dist /usr/share/nginx/html
+RUN mkdir -p /tmp/client_temp /tmp/proxy_temp /tmp/fastcgi_temp /tmp/uwsgi_temp /tmp/scgi_temp \
+    && chown -R 101:101 /tmp /var/log/nginx /usr/share/nginx/html

 EXPOSE 5173

-CMD ["nginx", "-g", "daemon off;"]
+USER 101:101
+
+ENTRYPOINT ["nginx"]
+CMD ["-g", "daemon off;"]