299a8c4c7c
This makes all containers (except mautrix-telegram and mautrix-whatsapp), start as a non-root user. We do this, because we don't trust some of the images. In any case, we'd rather not trust ALL images and avoid giving `root` access at all. We can't be sure they would drop privileges or what they might do before they do it. Because Postfix doesn't support running as non-root, it had to be replaced by an Exim mail server. The matrix-nginx-proxy nginx container image is patched up (by replacing its main configuration) so that it can work as non-root. It seems like there's no other good image that we can use and that is up-to-date (https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated). Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/), we patch it up ourselves when starting (replacing the main nginx configuration). Ideally, it would be fixed upstream so we can simplify.
61 lines
1.6 KiB
Django/Jinja
61 lines
1.6 KiB
Django/Jinja
# This is a custom nginx configuration file that we use in the container (instead of the default one),
|
|
# because it allows us to run nginx with a non-root user.
|
|
#
|
|
# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed.
|
|
# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well)
|
|
#
|
|
# The following changes have been done compared to a default nginx configuration file:
|
|
# - default server port is changed (80 -> 8080), so that a non-root user can bind it
|
|
# - various temp paths are changed to `/tmp`, so that a non-root user can write to them
|
|
# - the `user` directive was removed, as we don't want nginx to switch users
|
|
|
|
worker_processes 1;
|
|
|
|
error_log /var/log/nginx/error.log warn;
|
|
pid /tmp/nginx.pid;
|
|
|
|
|
|
events {
|
|
worker_connections 1024;
|
|
}
|
|
|
|
|
|
http {
|
|
proxy_temp_path /tmp/proxy_temp;
|
|
client_body_temp_path /tmp/client_temp;
|
|
fastcgi_temp_path /tmp/fastcgi_temp;
|
|
uwsgi_temp_path /tmp/uwsgi_temp;
|
|
scgi_temp_path /tmp/scgi_temp;
|
|
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
|
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
|
'$status $body_bytes_sent "$http_referer" '
|
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
|
|
|
access_log /var/log/nginx/access.log main;
|
|
|
|
sendfile on;
|
|
#tcp_nopush on;
|
|
|
|
keepalive_timeout 65;
|
|
|
|
#gzip on;
|
|
|
|
server {
|
|
listen 8080;
|
|
server_name localhost;
|
|
|
|
location / {
|
|
root /usr/share/nginx/html;
|
|
index index.html index.htm;
|
|
}
|
|
|
|
error_page 500 502 503 504 /50x.html;
|
|
location = /50x.html {
|
|
root /usr/share/nginx/html;
|
|
}
|
|
}
|
|
}
|