diff --git a/CHANGES.md b/CHANGES.md index 55a2deb81..4027a9d3c 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -6,6 +6,8 @@ ### :boom: Breaking changes & Deprecations +- Use [nginx-unprivileged](https://hub.docker.com/r/nginxinc/nginx-unprivileged) as base image for Penpot's frontend docker image. Now all the docker images runs with the same unprivileged user (penpot). Because of that, the default NGINX listen port now is 8080, instead of 80, so you will have to modify your infrastructure to apply this change. + ### :heart: Community contributions (Thank you!) ### :sparkles: New features diff --git a/docker/images/Dockerfile.frontend b/docker/images/Dockerfile.frontend index 0edc1b2d9..dd6385cec 100644 --- a/docker/images/Dockerfile.frontend +++ b/docker/images/Dockerfile.frontend @@ -1,6 +1,8 @@ -FROM nginx:1.23 +FROM nginxinc/nginx-unprivileged:1.27.1 LABEL maintainer="Andrey Antukh " +USER root + RUN set -ex; \ useradd -U -M -u 1001 -s /bin/false -d /opt/penpot penpot; \ mkdir -p /opt/data/assets; \ @@ -12,5 +14,13 @@ ADD ./files/nginx.conf /etc/nginx/nginx.conf.template ADD ./files/nginx-mime.types /etc/nginx/mime.types ADD ./files/nginx-entrypoint.sh /entrypoint.sh +RUN chown -R 1001:0 /var/cache/nginx; \ + chmod -R g+w /var/cache/nginx; \ + chown -R 1001:0 /etc/nginx; \ + chmod -R g+w /etc/nginx; \ + chown -R 1001:0 /var/www; \ + chmod -R g+w /var/www; + +USER penpot:penpot ENTRYPOINT ["/bin/bash", "/entrypoint.sh"] CMD ["nginx", "-g", "daemon off;"] diff --git a/docker/images/docker-compose.yaml b/docker/images/docker-compose.yaml index d16402ce5..6e0d47652 100644 --- a/docker/images/docker-compose.yaml +++ b/docker/images/docker-compose.yaml @@ -35,7 +35,7 @@ services: image: "penpotapp/frontend:latest" restart: always ports: - - 9001:80 + - 9001:8080 volumes: - penpot_assets:/opt/data/assets diff --git a/docker/images/files/nginx.conf b/docker/images/files/nginx.conf index fee0e3fca..ee2f64175 100644 --- a/docker/images/files/nginx.conf 
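Review bot: The new `RUN chown -R 1001:0 /var/cache/nginx; \ … chmod -R g+w /var/www;` chain in the second Dockerfile.frontend hunk joins six commands with `;` and sets no `set -e`, so a failing `chown` or `chmod` on any of the three paths is masked and only the exit status of the final `chmod` decides whether the build fails; the `RUN` in the first hunk already opens with `set -ex;`, so this one should start the same way: `RUN set -ex; \`. `/var/www` is not created on any visible line, so whether it exists at this point depends on the base image or on the part of the first `RUN` that lies outside the hunk. Separately, `chown -R 1001:0 /etc/nginx` together with `chmod -R g+w /etc/nginx` makes the whole configuration tree writable by the runtime user and by GID 0; if the entrypoint only renders `/etc/nginx/nginx.conf.template` into `/etc/nginx/nginx.conf`, limiting the write grant to those files (plus `/var/cache/nginx`) keeps the rest of the config read-only for the `penpot` process.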
+++ b/docker/images/files/nginx.conf @@ -1,6 +1,5 @@ -user www-data; worker_processes auto; -pid /run/nginx.pid; +pid /tmp/nginx.pid; include /etc/nginx/modules-enabled/*.conf; events { @@ -9,6 +8,12 @@ events { } http { + client_body_temp_path /tmp/client_temp; + proxy_temp_path /tmp/proxy_temp_path; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + sendfile on; tcp_nopush on; tcp_nodelay on; @@ -56,7 +61,7 @@ http { include /etc/nginx/overrides.d/*.conf; server { - listen 80 default_server; + listen 8080 default_server; server_name _; client_max_body_size 100M;
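Review bot: With `pid /tmp/nginx.pid` here and every `*_temp_path` in the next hunk also pointing under `/tmp`, all of nginx's runtime state now lives in `/tmp`, and nothing in the file says why; a comment such as `# pid and temp paths live in /tmp because the master process no longer runs as root` would keep the next reader from moving them back. For the same reason, operators who run the container with a read-only root filesystem will need a tmpfs mounted at `/tmp`, which is worth one line in the changelog entry or the compose file since the listen-port change is already called out there.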
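Review bot: `proxy_temp_path /tmp/proxy_temp_path;` breaks the naming pattern of the other four new directives, which all end in `_temp`; `proxy_temp_path /tmp/proxy_temp;` reads consistently. None of these directories is created in the visible hunks, so the configuration presumably relies on nginx creating missing temp directories at startup; if the entrypoint is expected to create them instead, the path spelled here must match the one used there.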