Get unpriv nginx working

Added custom script for nginx.conf

Added healthcheck endpoint at /healthz

Optimised nginx.conf with caching and IP headers for security logging

Dockerfile

@@ -1,17 +1,40 @@
+# syntax = docker/dockerfile:latest
+
 # build stage
 FROM node:lts-alpine AS build-stage
+
 # Set environment variables for non-interactive npm installs
 ENV NPM_CONFIG_LOGLEVEL warn
 ENV CI true
+
 WORKDIR /app
+
 COPY package.json pnpm-lock.yaml ./
-RUN npm install -g pnpm && pnpm i --frozen-lockfile
+
+RUN npm install -g pnpm
+RUN pnpm i --frozen-lockfile
+
 COPY . .
+
 RUN pnpm build
 
 # production stage
-FROM nginx:stable-alpine AS production-stage
+FROM nginxinc/nginx-unprivileged:1.25.2-alpine AS production-stage
-COPY --from=build-stage /app/dist /usr/share/nginx/html
+
-COPY nginx.conf /etc/nginx/conf.d/default.conf
+USER root
-EXPOSE 80
+
+ARG UID=101
+ARG GID=101
+
+COPY --from=build-stage /app/dist /usr/share/nginx/html/
+COPY --link --chmod=755 scripts/nginx/*.sh /docker-entrypoint.d/
+
+RUN chown $UID:0 /usr/share/nginx/html/index.html
+
+# COPY nginx.conf /etc/nginx/conf.d/default.conf
+USER $UID
+
+# Document what port is required
+EXPOSE 8080
+
 CMD ["nginx", "-g", "daemon off;"]

nginx.conf

@@ -1,10 +0,0 @@
-server {
-    listen 80;
-    server_name localhost;
-    root /usr/share/nginx/html;
-    index index.html;
-
-    location / {
-        try_files $uri $uri/ /index.html;
-    }
-}

scripts/nginx/70-nginx.sh

@@ -0,0 +1,70 @@
+#!/bin/sh
+
+set -eu
+
+PORT="${PORT:-"8080"}"
+
+# Create nginx conf with port variable
+tee /etc/nginx/nginx.conf << 'EOF' >/dev/null
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log notice;
+pid        /tmp/nginx.pid;
+
+events {
+    accept_mutex off;
+    worker_connections  1024;
+}
+
+http {
+    proxy_temp_path /tmp/proxy_temp;
+    proxy_cache_path /tmp/mycache keys_zone=mycache:50m;
+    client_body_temp_path /tmp/client_temp;
+    fastcgi_temp_path /tmp/fastcgi_temp;
+    uwsgi_temp_path /tmp/uwsgi_temp;
+    scgi_temp_path /tmp/scgi_temp;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+    include       /etc/nginx/conf.d/*.conf;
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    sendfile_max_chunk 512k;
+    sendfile        on;
+    tcp_nopush     on;
+    keepalive_timeout  65;
+    gzip  on;
+
+    server {
+        # add proxy caches
+        listen       ${PORT};
+
+        root /usr/share/nginx/html;
+        index index.html;
+
+        # Make site accessible from http://localhost/
+        server_name _;
+
+        error_page 404 /index.html;
+
+        location /healthz {
+            return 200;
+        }
+    }
+}
+EOF
+
+# Apply port variable
+sed -i s/'${PORT}'/${PORT}/g /etc/nginx/nginx.conf
+
+echo ""
+echo "#####################"
+echo "Nginx running on port $PORT"
+echo "#####################"
+echo ""
+
+exec "$@"