107 lines
2.8 KiB
Markdown
107 lines
2.8 KiB
Markdown
# Security Configuration
|
|
|
|
## Non-Root User Support
|
|
|
|
BentoPDF now uses nginx-unprivileged for enhanced security. This follows the Principle of Least Privilege and is essential for production environments.
|
|
|
|
### Security Benefits
|
|
|
|
- **Reduced Attack Surface**: If compromised, attackers won't have root privileges
|
|
- **Compliance**: Meets security standards like SOC 2, PCI DSS
|
|
- **Kubernetes/OpenShift Compatibility**: Works with security policies that require non-root execution
|
|
- **System Protection**: Prevents system-wide damage if the application is compromised
|
|
|
|
### Usage
|
|
|
|
#### Default Configuration (nginx-unprivileged)
|
|
```bash
|
|
docker build -t bentopdf .
|
|
docker run -p 8080:8080 bentopdf
|
|
```
|
|
|
|
#### Simple Mode
|
|
```bash
|
|
# Build with simple mode enabled
|
|
docker build --build-arg SIMPLE_MODE=true -t bentopdf-simple .
|
|
|
|
# Run the container
|
|
docker run -p 8080:8080 bentopdf-simple
|
|
```
|
|
|
|
#### Kubernetes Example
|
|
```yaml
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: bentopdf
|
|
spec:
|
|
template:
|
|
spec:
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 2000
|
|
runAsGroup: 2000
|
|
containers:
|
|
- name: bentopdf
|
|
image: bentopdf:latest
|
|
ports:
|
|
- containerPort: 8080
|
|
```
|
|
|
|
#### Docker Compose Example
|
|
```yaml
|
|
version: '3.8'
|
|
services:
|
|
bentopdf:
|
|
build:
|
|
context: .
|
|
dockerfile: Dockerfile
|
|
args:
|
|
SIMPLE_MODE: false
|
|
ports:
|
|
- "8080:8080"
|
|
security_opt:
|
|
- no-new-privileges:true
|
|
```
|
|
|
|
### Verification
|
|
|
|
To verify the container is running as non-root:
|
|
|
|
```bash
|
|
# Check the user inside the container
|
|
docker exec <container_id> whoami
|
|
# Should output: nginx
|
|
|
|
# Check the user ID
|
|
docker exec <container_id> id
|
|
# Should show UID/GID for nginx user (typically 101)
|
|
```
|
|
|
|
### Security Best Practices
|
|
|
|
1. **Use nginx-unprivileged**: Built-in non-root user with minimal privileges
|
|
2. **Regular Updates**: Keep the base image updated (currently using 1.29-alpine)
|
|
3. **Port 8080**: Use high port numbers to avoid requiring root privileges
|
|
4. **Security Scanning**: Regularly scan images for vulnerabilities
|
|
5. **Network Policies**: Implement network segmentation
|
|
|
|
### Troubleshooting
|
|
|
|
If you encounter permission issues:
|
|
|
|
1. **Check file ownership**: Ensure all application files are owned by the nginx user
|
|
2. **Verify PID directory**: Ensure `/etc/nginx/tmp/` directory exists and is writable
|
|
3. **Port binding**: Ensure port 8080 is available and not blocked by firewall
|
|
|
|
### Migration from Root
|
|
|
|
If migrating from a root-based setup:
|
|
|
|
1. Update your Dockerfile to use nginx-unprivileged base image
|
|
2. Change port mappings from 80 to 8080 in all configurations
|
|
3. Update nginx.conf to use `/etc/nginx/tmp/nginx.pid` for PID file
|
|
4. Rebuild your images with the new security settings
|
|
5. Update your deployment configurations (Kubernetes, Docker Compose, etc.)
|
|
6. Test thoroughly in a staging environment
|