Use nginx-unprivileged base image

The new images exposes 8080 port, runs as nginx
(non-root user).

There is no need to copy-paste either CMD or
ENTRYPOINT.

nginx-unprivileged configuration includes conf.d
directory, thus no need to copy-paste the
boilerplate configuration.

The custom entrypoint can be moved into existing
/docker-entrypoint.d/ directory.

Use the same `--chown` strategy as already used in
Dockerfile made for DependencyTrack/dependency-track.

Signed-off-by: Alex Szakaly <[email protected]>

Author: alex1989hu

.dockerignore

@@ -11,5 +11,5 @@ docs/
 node_modules/
 release.sh
 snapshot.sh
-!docker/etc/nginx/nginx.conf
+!docker/etc/nginx/conf.d/default.conf
 !docker/docker-entrypoint.sh

docker/Dockerfile

@@ -19,24 +19,25 @@ RUN npm run build
 ###############################
 #       Production image      #
 ###############################
-FROM nginx:stable-alpine
+FROM nginxinc/nginx-unprivileged:stable-alpine
 
 # jq is required for entrypoint script
+USER root
 RUN apk --no-cache add jq
 
-COPY ./docker/etc/nginx/nginx.conf /etc/nginx/nginx.conf
+COPY ./docker/etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf
 
-COPY --from=build /app/dist /app
+COPY --chown=101:101 --from=build /app/dist /app
+
+# Specify the user to run as (in numeric format for compatibility with Kubernetes/OpenShift's SCC)
+# Inherited from parent image
+# See https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/stable/alpine/Dockerfile#L139
+USER 101
 
 # Set default settings that may get overridden to empty values by
 # the entrypoint script, if not explicitly provided by the user
 ENV OIDC_SCOPE "openid profile email"
 
 # Setup entrypoint
 WORKDIR /app
-COPY ./docker/docker-entrypoint.sh /usr/bin/docker-entrypoint.sh
-ENTRYPOINT [ "/usr/bin/docker-entrypoint.sh" ]
-
-# Inherited from parent image
-# See https://github.com/nginxinc/docker-nginx/blob/1.18.0/stable/alpine/Dockerfile#L115
-CMD ["nginx", "-g", "daemon off;"]
+COPY ./docker/docker-entrypoint.sh /docker-entrypoint.d/30-oidc-configuration.sh

docker/docker-compose.yml

@@ -28,6 +28,6 @@ services:
     # volumes:
       # - "/host/path/to/config.json:/app/static/config.json"
     ports:
-      - "8080:80"
+      - "8080:8080"
     restart: unless-stopped
 

docker/etc/nginx/conf.d/default.conf

@@ -0,0 +1,16 @@
+server {
+  listen      8080;
+  server_name _;
+
+  location / {
+    root      /app;
+    index     index.html;
+    try_files $uri $uri/ /index.html;
+  }
+
+  error_page 500 502 503 504 /50x.html;
+
+  location = /50x.html {
+    root /usr/share/nginx/html;
+  }
+}