The nginx-unprivileged base image runs as non-root, so RUN chmod
on / fails with 'Operation not permitted'. Use COPY --chmod=755
to set the executable bit at build time instead.
Add entrypoint wrapper that translates LOG_LEVEL into nginx
access_log control. When LOG_LEVEL is warn or higher, nginx
access logs are suppressed. The frontend container now receives
LOG_LEVEL via env_file (.env) — no new env vars needed.
Revert Dockerfile to use /tmp redirect for envsubst output, so the image
works regardless of docker-compose.yml tmpfs configuration. Removes the
uid=101,gid=101 requirement from compose that was a breaking change.
Remove Dockerfile /tmp workaround hacks (NGINX_ENVSUBST_OUTPUT_DIR and sed).
Use tmpfs with uid=101,gid=101 in docker-compose.yml instead, so the
nginx user can write to /etc/nginx/conf.d directly under read_only: true.
Redirect NGINX_ENVSUBST_OUTPUT_DIR to /tmp and update nginx.conf include
path so envsubst works with read_only: true in docker-compose.
Add tmpfs mount for /etc/nginx/conf.d for additional write layer.
Fixes#96
- nginx.conf converted to template processed by envsubst at container start
- BACKEND_URL env var (default: backend:3000) replaces hardcoded container name
- Docker DNS resolver used for dynamic upstream resolution
- Dockerfile copies nginx.conf as template to /etc/nginx/templates/
This prevents frontend breakage when users customize container names
in their docker-compose.yml.
Daniel Volz