Dockerfile

micro-lc · Jul 24, 2024 · 77b221e · 77b221e
1 parent 1b012f5
commit 77b221e
Show file tree

Hide file tree

Showing 8 changed files with 148 additions and 0 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,42 @@
+FROM node:20-alpine AS builder
+
+WORKDIR /builder
+
+COPY .yarn/releases .yarn/releases
+COPY src src
+COPY .yarnrc.yml .yarnrc.yml
+COPY package.json package.json
+COPY settings.json settings.json
+COPY vite.config.ts vite.config.ts
+COPY yarn.lock yarn.lock
+
+RUN yarn install --immutable
+RUN yarn build
+
+########################################################################################################################
+
+FROM nginx:1.25.4-alpine
+
+RUN apk add --no-cache --upgrade \
+  # - stop vulnerabilities:package HIGH Vulnerability found in os package type (APKG) - libexpat (fixed in: 2.6.0-r0)(CVE-2023-52425 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52425)
+  libexpat=2.6.2-r0 \
+  # - stop vulnerabilities:package HIGH Vulnerability found in os package type (APKG) - libxml2 (fixed in: 2.11.7-r0)(CVE-2024-25062 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062)
+  libxml2=2.11.7-r0 
+
+LABEL name="mia_template_service_name_placeholder" \
+      description="%CUSTOM_PLUGIN_SERVICE_DESCRIPTION%" \
+      eu.mia-platform.url="https://www.mia-platform.eu" \
+      eu.mia-platform.version="0.0.1"
+
+COPY nginx /etc/nginx
+
+RUN touch ./off \
+  && chmod o+rw ./off \
+  && echo "mia_template_service_name_placeholder: $COMMIT_SHA" >> /etc/nginx/commit.sha
+
+WORKDIR /usr/static
+
+COPY LICENSE LICENSE
+COPY --from=builder /builder/dist ./
+
+USER nginx
diff --git a/nginx/conf.d/website.conf b/nginx/conf.d/website.conf
@@ -0,0 +1,8 @@
+location / {
+  include /etc/nginx/security.d/cross-site_script.conf;
+  add_header 'Content-Security-Policy' "default-src 'self'; script-src 'self' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'" always;
+
+  expires $expires;
+
+  try_files $uri $uri/index.html /index.html =404;
+}
diff --git a/nginx/filehandle_cache.conf b/nginx/filehandle_cache.conf
@@ -0,0 +1,4 @@
+open_file_cache max=5000 inactive=20s;
+open_file_cache_valid 60s;
+open_file_cache_min_uses 2;
+open_file_cache_errors on;
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -0,0 +1,41 @@
+worker_processes 2;
+
+error_log /var/log/nginx/error.log warn;
+
+pid /tmp/nginx.pid;
+
+events {
+  worker_connections 4096;
+}
+
+http {
+
+  client_body_temp_path /tmp/client_temp;
+  proxy_temp_path       /tmp/proxy_temp_path;
+  fastcgi_temp_path     /tmp/fastcgi_temp;
+  uwsgi_temp_path       /tmp/uwsgi_temp;
+  scgi_temp_path        /tmp/scgi_temp;
+
+  log_format x_real_ip '$remote_addr $original_request_host [$time_iso8601] "$request" $status $bytes_sent '
+                       '"$http_referer" "$http_user_agent" - $request_time - $original_request_id';
+
+  include /etc/nginx/variables.conf;
+  access_log /var/log/nginx/access.log x_real_ip buffer=32k flush=5m if=$loggable;
+
+  server_tokens off;
+  tcp_nopush on;
+  tcp_nodelay on;
+  sendfile on;
+
+  include /etc/nginx/mime.types;
+  include /etc/nginx/filehandle_cache.conf;
+  include /etc/nginx/real_ip.conf;
+
+  server {
+    listen 8080 default_server;
+    listen [::]:8080 default_server;
+
+    root /usr/static;
+    include /etc/nginx/conf.d/website.conf;
+  }
+}
diff --git a/nginx/real_ip.conf b/nginx/real_ip.conf
@@ -0,0 +1,8 @@
+set_real_ip_from 127.0.0.1; # trust localhost
+set_real_ip_from unix:; # trust local unix socket
+set_real_ip_from 10.0.0.0/8; # trust class A private networks
+set_real_ip_from 172.16.0.0/12; # trust class B private networks
+set_real_ip_from 192.168.0.0/16; # trust class C private networks
+
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
diff --git a/nginx/security.d/cross-site_script.conf b/nginx/security.d/cross-site_script.conf
@@ -0,0 +1,2 @@
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+add_header 'X-XSS-Protection' "1; mode=block" always;
diff --git a/nginx/security.d/default_content_security.conf b/nginx/security.d/default_content_security.conf
@@ -0,0 +1,2 @@
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+add_header 'Content-Security-Policy' "default-src 'self'" always;
diff --git a/nginx/variables.conf b/nginx/variables.conf
@@ -0,0 +1,41 @@
+map $remote_addr $ip_loggable {
+  default 1;
+  "127.0.0.1" 0;
+}
+
+map $http_user_agent $agent_loggable {
+  default 1;
+  "~^kube-probe" 0;
+}
+
+map $ip_loggable-$agent_loggable $loggable {
+  default 0;
+  "1-1" 1;
+}
+
+# Get the request id from the upstream if exists or generate a new one
+map $http_x_request_id $original_request_id {
+  default $http_x_request_id;
+  '' $request_id;
+}
+
+# Get the best host name possible from the upstream or client headers
+map $http_x_forwarded_host $original_request_host {
+  default $http_x_forwarded_host;
+  '' $host;
+}
+
+# Get the original request scheme
+map $http_x_forwarded_proto $original_request_scheme {
+  default $http_x_forwarded_proto;
+  '' $scheme;
+}
+
+map $sent_http_content_type $expires {
+  default off;
+  "~text/html" epoch;
+  "~text/css" max;
+  "~application/javascript" max;
+  "~image/" max;
+  "~font/" max;
+}