fix(docker): non-root user

Author: mickael-garrido

Dockerfile

@@ -11,8 +11,12 @@ ADD nginx.manifest.stale.conf /opt/openresty/nginx/conf/nginx.manifest.stale.con
 ADD proxy_auth.lua /opt/openresty/nginx/conf/proxy_auth.lua
 
 RUN apk add --no-cache --update bash openssl \
-  && mkdir -p /docker_mirror_cache /certs \
-  && chmod +x /generate-certificate.sh /entrypoint.sh
+  && mkdir -p /docker_mirror_cache /certs /opt/openresty/nginx/tmp \
+  && bash -c 'mkdir -p /opt/openresty/nginx/tmp/{client_body,proxy,fastcgi,scgi,uwsgi}' \
+  && chmod +x /generate-certificate.sh /entrypoint.sh \
+  && chmod -R g+rwX /opt/openresty/nginx/conf \
+  && chmod g+rwX /certs \
+  && chmod -R g+rwX /opt/openresty/nginx/tmp
 
 VOLUME /docker_mirror_cache
 VOLUME /certs
@@ -75,5 +79,7 @@ ENV PROXY_CONNECT_SEND_TIMEOUT="60s"
 # Allow disabling IPV6 resolution, default to false
 ENV DISABLE_IPV6="false"
 
+USER 1001
+
 # Did you want a shell? Sorry, the entrypoint never returns, because it runs nginx itself. Use 'docker exec' if you need to mess around internally.
 ENTRYPOINT ["/entrypoint.sh"]

Dockerfile.openresty

@@ -47,6 +47,6 @@ STOPSIGNAL SIGQUIT
 
 ENV PATH="$PATH:/opt/openresty/luajit/bin:/opt/openresty/nginx/sbin:/opt/openresty/bin"
 
-EXPOSE 80
+EXPOSE 3128
 
 CMD ["/opt/openresty/bin/openresty", "-g", "daemon off;"]

entrypoint.sh

@@ -48,7 +48,7 @@ echo -n "" >/opt/openresty/nginx/conf/docker.intercept.map
 # Some hosts/registries are always needed, but others can be configured in env var REGISTRIES
 for ONEREGISTRYIN in docker.caching.proxy.internal registry-1.docker.io auth.docker.io ${REGISTRIES}; do
   ONEREGISTRY=$(echo ${ONEREGISTRYIN} | xargs) # Remove whitespace
-  echo "${ONEREGISTRY} 127.0.0.1:443;" >>/opt/openresty/nginx/conf/docker.intercept.map
+  echo "${ONEREGISTRY} 127.0.0.1:8443;" >>/opt/openresty/nginx/conf/docker.intercept.map
 done
 
 # Clean the list and generate certificates.
@@ -90,8 +90,8 @@ if [ "$AUTH_REGISTRIES" ]; then
   done
 fi
 
-# create default config for the caching layer to listen on 443.
-echo "        listen 443 ssl default_server;" >/opt/openresty/nginx/conf/caching.layer.listen
+# create default config for the caching layer to listen on 8443.
+echo "        listen 8443 ssl default_server;" >/opt/openresty/nginx/conf/caching.layer.listen
 
 # Set Docker Registry cache size, by default, 32 GB ('32g')
 CACHE_MAX_SIZE=${CACHE_MAX_SIZE:-32g}
@@ -167,7 +167,7 @@ else
         return 405  "DELETE method is not allowed";
     }
 EOF
-  if [ "$UPSTREAM_REGISTRIES" ]; then
+  if [[ -v UPSTREAM_REGISTRIES ]]; then
     UPSTREAM_REGISTRIES_DELIMITER=${UPSTREAM_REGISTRIES_DELIMITER:-" "}
     s=$UPSTREAM_REGISTRIES$UPSTREAM_REGISTRIES_DELIMITER
     upstream_array=()

nginx.conf

@@ -1,6 +1,6 @@
 worker_processes  auto;
 
-pid        /var/run/nginx.pid;
+pid        "/opt/openresty/nginx/tmp/nginx.pid";
 
 events {
     worker_connections  1024;
@@ -18,6 +18,12 @@ http {
     proxy_buffer_size   128k;
     proxy_buffers   4 256k;
 
+    client_body_temp_path  "/opt/openresty/nginx/tmp/client_body" 1 2;
+    proxy_temp_path        "/opt/openresty/nginx/tmp/proxy" 1 2;
+    fastcgi_temp_path      "/opt/openresty/nginx/tmp/fastcgi" 1 2;
+    scgi_temp_path         "/opt/openresty/nginx/tmp/scgi" 1 2;
+    uwsgi_temp_path        "/opt/openresty/nginx/tmp/uwsgi" 1 2;
+
     # Use a debug-oriented logging format.
     log_format debugging escape=json
       '{'
@@ -165,9 +171,8 @@ http {
 
     # The caching layer
     server {
-        # Listen on both 80 and 443, for all hostnames.
-        # actually could be 443 or 444, depending on debug. this is now generated by the entrypoint.
-        listen 80 default_server;
+        # Listen on both 8080 and 8443, for all hostnames.
+        listen 8080 default_server;
         include /opt/openresty/nginx/conf/caching.layer.listen;
         server_name proxy_caching_;