feat(security): do not run nginx as root (#227)

thomasleplus · web-flow · commit 07c30d9b3385 · 2025-10-04T13:37:12.000+02:00
diff --git a/openid-connect-provider-debugger/Dockerfile b/openid-connect-provider-debugger/Dockerfile
@@ -1,6 +1,10 @@
 FROM openresty/openresty:1.27.1.2-4-alpine-fat@sha256:e93c5ab42fb6c7a882418c2bad0b39b566759f88c3fdd62f97264b621b6cba80
 
 ARG LUA_RESTY_OPENIDC_VERSION="1.8.0-1"
+ARG USER_NAME=openresty
+ARG USER_HOME=/home/openresty
+ARG USER_ID=1000
+ARG USER_GECOS=OpenResty
 
 SHELL ["/bin/ash", "-euo", "pipefail", "-c"]
 
@@ -29,4 +33,18 @@ COPY default.conf /etc/nginx/conf.d/
 
 COPY index.html error.html /usr/local/openresty/nginx/html/
 
+RUN adduser \
+  --home "${USER_HOME}" \
+  --uid "${USER_ID}" \
+  --gecos "${USER_GECOS}" \
+  --disabled-password \
+  "${USER_NAME}" \
+  && chown -R "${USER_NAME}:${USER_NAME}" /var/run/openresty /usr/local/openresty/nginx/logs
+
+USER "${USER_NAME}"
+
+ENV HOME="${USER_HOME}"
+
+WORKDIR "${HOME}"
+
 EXPOSE 80 443
diff --git a/openid-connect-provider-debugger/nginx.conf.patch b/openid-connect-provider-debugger/nginx.conf.patch
@@ -1,11 +1,13 @@
 --- /usr/local/openresty/nginx/conf/nginx.conf	2020-05-14 13:27:29.168451660 -0700
 +++ /usr/local/openresty/nginx/conf/nginx.conf	2020-05-14 13:28:29.583197857 -0700
-@@ -24,6 +24,17 @@
+@@ -24,6 +24,19 @@
 
 
  
 +error_log /dev/stderr debug;
 +
++user openresty;
++
 +env oidc_client_id;
 +env oidc_client_secret;
 +env oidc_discovery;
