Switch to nginx unprivileged (#84)

jacobfilik · web-flow · commit 3d595645dda4 · 2025-12-19T09:29:24.000Z
diff --git a/Charts/web-conexs/templates/client_deployment.yaml b/Charts/web-conexs/templates/client_deployment.yaml
@@ -22,5 +22,11 @@ spec:
             {{- toYaml .Values.api.resources | nindent 12 }}
           ports:
             - name: http
-              containerPort: 80
+              containerPort: 8081
+          volumeMounts:
+            - mountPath: /tmp
+              name: tmp
+      volumes:
+        - emptyDir: {}
+          name: tmp
 {{- end }}
diff --git a/Charts/web-conexs/templates/client_service.yaml b/Charts/web-conexs/templates/client_service.yaml
@@ -8,7 +8,7 @@ spec:
   - name: http
     port: {{ .Values.global.client.port }}
     protocol: TCP
-    targetPort: 80
+    targetPort: 8081
   selector:
     app: {{ include "web-conexs.fullname" . }}-client
   type: {{ .Values.client.service.type }}
diff --git a/web-conexs-client/Dockerfile b/web-conexs-client/Dockerfile
@@ -2,7 +2,7 @@
 #build api
 #copy to runtime
 
-FROM node:18-bullseye-slim as build-web
+FROM node:23-bookworm-slim as build-web
 
 WORKDIR /client
 
@@ -16,10 +16,10 @@ RUN yes | pnpm install
 
 RUN pnpm vite build
 
-From nginx as host
+From docker.io/nginxinc/nginx-unprivileged:alpine3.21-slim as host
 
 COPY --from=build-web /client/dist/ /usr/share/nginx/html
 COPY ./nginx/default.conf /etc/nginx/conf.d/default.conf
 
-# change this entrypoint if it is not the same as the repo
+EXPOSE 8081
 ENTRYPOINT ["nginx","-g", "daemon off;"]
diff --git a/web-conexs-client/nginx/default.conf b/web-conexs-client/nginx/default.conf
@@ -1,23 +1,31 @@
-server {
-    listen       80;
-    server_name  localhost;
+pid /tmp/nginx.pid; 
 
-    #access_log  /var/log/nginx/host.access.log  main;
+http {
+  include mime.types;
+  client_body_temp_path /tmp/client_temp;
+  proxy_temp_path       /tmp/proxy_temp_path;
+  fastcgi_temp_path     /tmp/fastcgi_temp;
+  uwsgi_temp_path       /tmp/uwsgi_temp;
+  scgi_temp_path        /tmp/scgi_temp;
+  
+    server {
+        listen       8081;
 
 
-    location / {
-        root   /usr/share/nginx/html;
-        index  index.html index.htm;
-        try_files $uri /index.html =404;
-    }
+        location / {
+            root   /usr/share/nginx/html;
+            index  index.html index.htm;
+            try_files $uri /index.html =404;
+        }
 
-    #error_page  404              /404.html;
+        #error_page  404              /404.html;
 
-    # redirect server error pages to the static page /50x.html
-    #
-    error_page   500 502 503 504  /50x.html;
-    location = /50x.html {
-        root   /usr/share/nginx/html;
+        # redirect server error pages to the static page /50x.html
+        #
+        error_page   500 502 503 504  /50x.html;
+        location = /50x.html {
+            root   /usr/share/nginx/html;
+        }
     }
 
 
