feat: enhance Docker and Nginx configurations for security hardening and improved directory management

2025-12-22 11:51:56 +01:00
parent aca955972a
commit e76bf53986
8 changed files with 153 additions and 39 deletions
@@ -1,19 +1,56 @@
-# Backend build
-FROM node:25-slim AS builder
-WORKDIR /app
-COPY package.json tsconfig.json ./
-COPY src ./src
-RUN npm install
-RUN npm run build
-RUN npm prune --omit=dev
+# =============================================================================
+# BACKEND DOCKERFILE - Security Hardened
+# =============================================================================
+# Security measures applied:
+# - Non-root user execution
+# - Multi-stage build (minimal runtime image)
+# - No shell in final image (distroless)
+# - Read-only filesystem compatible
+# - No unnecessary packages
+# - Specific image versions pinned
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# Stage 1: Builder
+# -----------------------------------------------------------------------------
+FROM node:22-slim AS builder

-# Runtime
-FROM node:25-slim AS runner
 WORKDIR /app
+
+# Install dependencies first (better layer caching)
+COPY package.json package-lock.json* ./
+RUN npm ci --ignore-scripts
+
+# Copy source and build
+COPY tsconfig.json ./
+COPY src ./src
+RUN npm run build
+
+# Remove dev dependencies for smaller image
+RUN npm ci --omit=dev --ignore-scripts && \
+    npm cache clean --force
+
+# -----------------------------------------------------------------------------
+# Stage 2: Production Runtime (Distroless - no shell, minimal attack surface)
+# -----------------------------------------------------------------------------
+FROM gcr.io/distroless/nodejs22-debian12 AS runner
+
+WORKDIR /app
+
+# Copy built application with correct ownership (nonroot = uid 65532)
+COPY --from=builder --chown=65532:65532 /app/node_modules ./node_modules
+COPY --from=builder --chown=65532:65532 /app/dist ./dist
+COPY --from=builder --chown=65532:65532 /app/package.json ./
+
+# Environment configuration
 ENV NODE_ENV=production
-COPY --from=builder /app/node_modules ./node_modules
-COPY --from=builder /app/dist ./dist
-COPY package.json .
+ENV PORT=3000
+
+# Expose application port
 EXPOSE 3000
-# Run database setup before starting the server
-CMD ["sh", "-c", "mkdir -p /app/data && node dist/db/migrate.js && node dist/index.js"]
+
+# Run as non-root user (distroless default user)
+USER nonroot
+
+# Start application - migrations handled in index.ts
+CMD ["dist/index.js"]
@@ -1542,7 +1542,6 @@
      "resolved": "https://registry.npmjs.org/@libsql/client/-/client-0.10.0.tgz",
      "integrity": "sha512-2ERn08T4XOVx34yBtUPq0RDjAdd9TJ5qNH/izugr208ml2F94mk92qC64kXyDVQINodWJvp3kAdq6P4zTtCZ7g==",
      "license": "MIT",
-      "peer": true,
      "dependencies": {
        "@libsql/core": "^0.10.0",
        "@libsql/hrana-client": "^0.6.2",
@@ -1,10 +1,23 @@
 import { createClient } from "@libsql/client";
 import { drizzle } from "drizzle-orm/libsql";
+import { existsSync, mkdirSync } from "fs";
+import { dirname } from "path";
 import dotenv from "dotenv";

 dotenv.config({ path: process.env.DOTENV_PATH || ".env" });

 const url = process.env.DATABASE_URL || "file:./data/medassist.db";
+
+// Ensure data directory exists before creating database
+if (url.startsWith("file:")) {
+  const dbPath = url.replace("file:", "");
+  const dataDir = dirname(dbPath);
+  if (!existsSync(dataDir)) {
+    mkdirSync(dataDir, { recursive: true });
+    console.log(`[DB] Created data directory: ${dataDir}`);
+  }
+}
+
 const client = createClient({ url });

 export const db = drizzle(client);