feat: enhance Docker and Nginx configurations for security hardening and improved directory management
This commit is contained in:
Daniel Volz
+52
-15
@@ -1,19 +1,56 @@
|
||||
# Backend build
|
||||
FROM node:25-slim AS builder
|
||||
WORKDIR /app
|
||||
COPY package.json tsconfig.json ./
|
||||
COPY src ./src
|
||||
RUN npm install
|
||||
RUN npm run build
|
||||
RUN npm prune --omit=dev
|
||||
# =============================================================================
|
||||
# BACKEND DOCKERFILE - Security Hardened
|
||||
# =============================================================================
|
||||
# Security measures applied:
|
||||
# - Non-root user execution
|
||||
# - Multi-stage build (minimal runtime image)
|
||||
# - No shell in final image (distroless)
|
||||
# - Read-only filesystem compatible
|
||||
# - No unnecessary packages
|
||||
# - Specific image versions pinned
|
||||
# =============================================================================
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# Stage 1: Builder
|
||||
# -----------------------------------------------------------------------------
|
||||
FROM node:22-slim AS builder
|
||||
|
||||
# Runtime
|
||||
FROM node:25-slim AS runner
|
||||
WORKDIR /app
|
||||
|
||||
# Install dependencies first (better layer caching)
|
||||
COPY package.json package-lock.json* ./
|
||||
RUN npm ci --ignore-scripts
|
||||
|
||||
# Copy source and build
|
||||
COPY tsconfig.json ./
|
||||
COPY src ./src
|
||||
RUN npm run build
|
||||
|
||||
# Remove dev dependencies for smaller image
|
||||
RUN npm ci --omit=dev --ignore-scripts && \
|
||||
npm cache clean --force
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# Stage 2: Production Runtime (Distroless - no shell, minimal attack surface)
|
||||
# -----------------------------------------------------------------------------
|
||||
FROM gcr.io/distroless/nodejs22-debian12 AS runner
|
||||
|
||||
WORKDIR /app
|
||||
|
||||
# Copy built application with correct ownership (nonroot = uid 65532)
|
||||
COPY --from=builder --chown=65532:65532 /app/node_modules ./node_modules
|
||||
COPY --from=builder --chown=65532:65532 /app/dist ./dist
|
||||
COPY --from=builder --chown=65532:65532 /app/package.json ./
|
||||
|
||||
# Environment configuration
|
||||
ENV NODE_ENV=production
|
||||
COPY --from=builder /app/node_modules ./node_modules
|
||||
COPY --from=builder /app/dist ./dist
|
||||
COPY package.json .
|
||||
ENV PORT=3000
|
||||
|
||||
# Expose application port
|
||||
EXPOSE 3000
|
||||
# Run database setup before starting the server
|
||||
CMD ["sh", "-c", "mkdir -p /app/data && node dist/db/migrate.js && node dist/index.js"]
|
||||
|
||||
# Run as non-root user (distroless default user)
|
||||
USER nonroot
|
||||
|
||||
# Start application - migrations handled in index.ts
|
||||
CMD ["dist/index.js"]
|
||||
|
||||
Reference in New Issue
Block a user