non-root

gameontext · Oct 14, 2020 · 58d6915 · 58d6915
1 parent 7327347
commit 58d6915
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 19 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -12,10 +12,16 @@ RUN wget https://github.com/coreos/etcd/releases/download/v${ETCD_VERSION}/etcd-
   && rm etcd-v${ETCD_VERSION}-linux-amd64.tar.gz \
   && mv etcdctl /usr/local/bin/etcdctl
 
+RUN touch /var/run/nginx.pid && \
+  chown -R nginx:nginx /var/run/nginx.pid && \
+  chown -R nginx:nginx /var/cache/nginx
+
 COPY nginx.conf        /etc/nginx/nginx.conf
 COPY startup.sh        /opt/startup.sh
 
+USER nginx
 EXPOSE 8080
+EXPOSE 8443
 
 ENTRYPOINT ["/opt/startup.sh"]
 

diff --git a/nginx.conf b/nginx.conf
@@ -1,4 +1,3 @@
-user nginx;
 worker_processes  1;
 daemon off;
 
@@ -114,11 +113,10 @@ http {
 
   ## 80 -- Redirect almost everything to SSL
   server {
-    listen    80 default;
+    listen    8080 default;
 
     location /health {
       access_log  off;
-      error_log   off;
       default_type application/json;
       return 200  '{"status":"UP"}';
     }
@@ -130,12 +128,12 @@ http {
 
   ## 443 == proxy everything elsewhere
   server {
-    listen    443 ssl;
+    listen    8443 ssl;
     access_log /var/log/nginx/access.log json_combined;
 
     server_name $host;
-    ssl_certificate     /etc/cert/server.pem;
-    ssl_certificate_key /etc/cert/private.pem;
+    ssl_certificate     /tmp/proxy-cert/server.pem;
+    ssl_certificate_key /tmp/proxy-cert/private.pem;
 
     location / {
       set $upstream_webapp  http://webapp:8080;
@@ -188,5 +186,11 @@ http {
       set $upstream_swagger http://swagger:8080;
       proxy_pass $upstream_swagger$request_uri;
     }
+
+    location /alive {
+      access_log  off;
+      default_type application/json;
+      return 200  '{"status":"UP"}';
+    }
   }
 }
diff --git a/startup.sh b/startup.sh
@@ -1,5 +1,9 @@
 #!/bin/sh
 
+conf_dir=/tmp
+cert_dir=/tmp/proxy-cert
+mkdir ${cert_dir}
+
 log() {
   if [ "${GAMEON_LOG_FORMAT}" == "json" ]; then
     # This needs to be escaped using jq
@@ -9,6 +13,9 @@ log() {
   fi
 }
 
+log "using /tmp for config"
+cp /etc/nginx/nginx.conf ${conf_dir}/nginx.conf
+
 if [ "$ETCDCTL_ENDPOINT" != "" ]; then
   log "Setting up etcd..."
   etcdctl --debug ls
@@ -22,27 +29,32 @@ if [ "$ETCDCTL_ENDPOINT" != "" ]; then
   done
   log "etcdctl returned sucessfully, continuing"
 
-  mkdir -p /etc/cert
-  etcdctl get /proxy/third-party-ssl-cert > /etc/cert/cert.pem
+  etcdctl get /proxy/third-party-ssl-cert > ${cert_dir}/cert.pem
+else
+  log "Setting up certificate..."
+  cp /etc/cert/cert.pem ${cert_dir}/cert.pem
 fi
 
-if [ ! -f /etc/cert/cert.pem ]; then
-  log "Unable to find certificate /etc/cert/cert.pem"
+if [ ! -f ${cert_dir}/cert.pem ]; then
+  log "Unable to find certificate"
   exit 1
+else
+  old_dir=$PWD
+  cd ${cert_dir}
+  awk '/-----BEGIN.*PRIVATE KEY-----/{x=++i}{print > "something"x".pem"}' cert.pem
+  mv something.pem server.pem
+  mv something1.pem private.pem
+  cd $old_dir
 fi
 
-if [ ! -f /etc/cert/private.pem ]; then
-  awk '/-----BEGIN.*PRIVATE KEY-----/{x=++i}{print > "something"x".pem"}' /etc/cert/cert.pem
-  mv something.pem /etc/cert/server.pem
-  mv something1.pem /etc/cert/private.pem
-  find /etc/cert/
-fi
+ls -al /var/cache/nginx
+whoami
 
 if [ "${GAMEON_LOG_FORMAT}" == "json" ]; then
-  sed -i -e "s/access\.log .*$/access.log json_combined;/" /etc/nginx/nginx.conf
+  sed -i -e "s/access\.log .*$/access.log json_combined;/" ${conf_dir}/nginx.conf
 else
-  sed -i -e "s/access\.log .*$/access.log combined;/" /etc/nginx/nginx.conf
+  sed -i -e "s/access\.log .*$/access.log combined;/" ${conf_dir}/nginx.conf
 fi
 
 log "Init complete. Starting nginx"
-exec nginx
+exec nginx -c ${conf_dir}/nginx.conf