From ffddca2a7de56d7f80cab95bddbed3a25d2a27d2 Mon Sep 17 00:00:00 2001 From: alam00000 Date: Sat, 4 Apr 2026 12:46:48 +0530 Subject: [PATCH] fix: reverted nginx base image to use unprivileged version --- Dockerfile | 9 ++++----- Dockerfile.nonroot | 2 +- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 9d7db3c..93f5699 100644 --- a/Dockerfile +++ b/Dockerfile @@ -71,8 +71,7 @@ RUN --mount=type=secret,id=VITE_CORS_PROXY_URL \ npm run build:with-docs # Production stage -# TODO@ALAM: Change to quay/nginxinc-unprivileged once 1.28.3 is available -FROM nginx:1.28.3-alpine-slim +FROM quay.io/nginx/nginx-unprivileged:alpine-slim LABEL org.opencontainers.image.source="https://github.com/alam00000/bentopdf" LABEL org.opencontainers.image.url="https://github.com/alam00000/bentopdf" @@ -83,14 +82,14 @@ ARG BASE_URL # Set this to "true" to disable Nginx listening on IPv6 ENV DISABLE_IPV6=false +USER root RUN apk upgrade --no-cache +USER nginx COPY --chown=nginx:nginx --from=builder /app/dist /usr/share/nginx/html${BASE_URL%/} COPY --chown=nginx:nginx nginx.conf /etc/nginx/nginx.conf COPY --chown=nginx:nginx --chmod=755 nginx-ipv6.sh /docker-entrypoint.d/99-disable-ipv6.sh -RUN mkdir -p /etc/nginx/tmp /var/cache/nginx && chown -R nginx:nginx /etc/nginx /var/cache/nginx - -USER nginx +RUN mkdir -p /etc/nginx/tmp && chown -R nginx:nginx /etc/nginx/tmp EXPOSE 8080 CMD ["nginx", "-g", "daemon off;"] diff --git a/Dockerfile.nonroot b/Dockerfile.nonroot index 30a46e2..cc64aef 100644 --- a/Dockerfile.nonroot +++ b/Dockerfile.nonroot @@ -64,7 +64,7 @@ RUN --mount=type=secret,id=VITE_CORS_PROXY_URL \ npm run build:with-docs # Production stage — uses standard nginx (starts as root, drops to PUID/PGID) -FROM nginx:1.28.3-alpine-slim +FROM nginx:alpine-slim LABEL org.opencontainers.image.source="https://github.com/alam00000/bentopdf" LABEL org.opencontainers.image.url="https://github.com/alam00000/bentopdf"