
Commit b4d772f

Merge pull request #79 from UKHomeOffice/nginx_user_dacm
Don't run as root
2 parents b2ef137 + 8ba3e8f commit b4d772f


7 files changed

+38
-21
lines changed


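--- a/.drone.yml
+++ b/.drone.yml
@@ -30,7 +30,7 @@ pipeline:
 
 services:
 dind:
-image: docker:1.11-dind
+image: docker:1.13-dind
 privileged: true
 command:
 - "-s"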

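--- a/.drone.yml.sig
+++ b/.drone.yml.sig
@@ -1 +1 @@
-eyJhbGciOiJIUzI1NiJ9.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.OzQqg55eKQsD7DOlW6CzDEFItNDioORmOo1vI2y7JQI
+eyJhbGciOiJIUzI1NiJ9.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.fsCfmLyIOwFA4sTrzWETpFtSeUEgeNMFAvQhFFnONl0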

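--- a/Dockerfile
+++ b/Dockerfile
@@ -39,9 +39,27 @@ ADD ./refresh_GeoIP.sh /
 RUN yum remove -y kernel-headers && \
 yum clean all
 
+RUN useradd nginx && \
+mkdir /usr/local/openresty/naxsi/locations && \
+mkdir /usr/local/openresty/nginx/client_body_temp && \
+mkdir /usr/local/openresty/nginx/proxy_temp && \
+mkdir /usr/local/openresty/nginx/fastcgi_temp && \
+mkdir /usr/local/openresty/nginx/uwsgi_temp && \
+mkdir /usr/local/openresty/nginx/scgi_temp && \
+chown -R nginx:nginx /usr/local/openresty/naxsi/locations && \
+chown -R nginx:nginx /usr/local/openresty/nginx/conf && \
+chown -R nginx:nginx /usr/local/openresty/nginx/logs && \
+chown -R nginx:nginx /usr/local/openresty/nginx/client_body_temp && \
+chown -R nginx:nginx /usr/local/openresty/nginx/proxy_temp && \
+chown -R nginx:nginx /usr/local/openresty/nginx/fastcgi_temp && \
+chown -R nginx:nginx /usr/local/openresty/nginx/uwsgi_temp && \
+chown -R nginx:nginx /usr/local/openresty/nginx/scgi_temp && \
+chown -R nginx:nginx /usr/share/GeoIP
+
 WORKDIR /usr/local/openresty
 
 ENTRYPOINT ["/go.sh"]
 
-EXPOSE 80
-EXPOSE 443
+EXPOSE 10080
+EXPOSE 10443
+USER nginx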
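Review bot: `chown -R nginx:nginx /usr/local/openresty/nginx/conf` and `chown -R nginx:nginx /usr/share/GeoIP` make the server's own configuration and the GeoIP database writable by the very account that now runs it (`USER nginx`), so a compromised worker could rewrite its config or the country-allow data; least privilege would keep both root-owned and read-only. If go.sh renders nginx.conf from the environment at startup (not visible here), have it write to a dedicated nginx-owned directory instead of chowning the whole `conf` tree, and drop the GeoIP chown unless refresh_GeoIP.sh genuinely runs under this user. `useradd nginx` would be tighter as `useradd -r -s /sbin/nologin nginx` so the service account is a system user with no login shell. The switch from 80/443 to 10080/10443 follows from an unprivileged user being unable to bind ports below 1024, but nothing says so; a comment above `EXPOSE 10080` such as `# non-root cannot bind <1024; grant cap_net_bind_service to the nginx binary if 80/443 are required` would stop the next maintainer from reverting it.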

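--- a/README.md
+++ b/README.md
@@ -79,8 +79,8 @@ This is useful when testing or for development instances or when a load-balancer
 * `SERVER_KEY` - Can override where to find the server's SSL key.
 * `SSL_CIPHERS` - Change the SSL ciphers support default only AES256+EECDH:AES256+EDH:!aNULL
 * `SSL_PROTOCOLS` - Change the SSL protocols supported default only TLSv1.2
-* `HTTP_LISTEN_PORT` - Change the default inside the container from 80.
-* `HTTPS_LISTEN_PORT` - Change the default inside the container from 443.
+* `HTTP_LISTEN_PORT` - Change the default inside the container from 10080.
+* `HTTPS_LISTEN_PORT` - Change the default inside the container from 10443.
 * `INTERNAL_LISTEN_PORT` - Change the default inside the container from 10418. Note: This is used for internal processing and is not available externally.
 * `HTTPS_REDIRECT` - Toggle whether or not we force redirects to HTTPS. Defaults to true.
 * `ALLOW_COUNTRY_CSV` - List of [country codes](http://dev.maxmind.com/geoip/legacy/codes/iso3166/) to allow.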

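--- a/ci-build.sh
+++ b/ci-build.sh
@@ -4,7 +4,7 @@ set -e
 
 TAG=ngx
 PORT=8443
-START_INSTANCE="docker run --privileged=true "
+START_INSTANCE="docker run "
 DOCKER_HOST_NAME=127.0.0.1
 MUTUAL_TLS="mutual-tls"
 STANDARD_TLS="standard-tls"
@@ -35,7 +35,7 @@ function clean_up() {
 function start_test() {
 INSTANCE=${TAG}
 tear_down
-HTTPS_LISTEN_PORT=${HTTPS_LISTEN_PORT:-443}
+HTTPS_LISTEN_PORT=${HTTPS_LISTEN_PORT:-10443}
 echo ""
 echo ""
 echo "_____________"
@@ -89,9 +89,9 @@ start_test "Start with minimal settings" "${STD_CMD} \
 echo "Test it's up and working..."
 wget -O /dev/null --quiet --no-check-certificate https://${DOCKER_HOST_NAME}:${PORT}/
 echo "Test limited protcol and SSL cipher... "
-docker run --link ${TAG}:${TAG}--rm --entrypoint bash ngx -c "echo GET / | /usr/bin/openssl s_client -cipher 'AES256+EECDH' -tls1_2 -connect ${TAG}:443" &> /dev/null;
+docker run --link ${TAG}:${TAG}--rm --entrypoint bash ngx -c "echo GET / | /usr/bin/openssl s_client -cipher 'AES256+EECDH' -tls1_2 -connect ${TAG}:10443" &> /dev/null;
 echo "Test sslv2 not accepted...."
-if docker run --link ${TAG}:${TAG}--rm --entrypoint bash ngx -c "echo GET / | /usr/bin/openssl s_client -ssl2 -connect ${TAG}:443" &> /dev/null; then
+if docker run --link ${TAG}:${TAG}--rm --entrypoint bash ngx -c "echo GET / | /usr/bin/openssl s_client -ssl2 -connect ${TAG}:10443" &> /dev/null; then
 echo "FAIL SSL defaults settings allow ssl2 ......"
 exit 2
 fi
@@ -116,8 +116,7 @@ start_test "Test GEODB settings can reject..." "${STD_CMD} \
 -e \"ADD_NGINX_LOCATION_CFG=error_page 403 /nginx-proxy/50x.shtml;\" \
 --link mockserver:mockserver "
 echo "Test GeoIP config IS rejected..."
-if ! curl -v -k https://${DOCKER_HOST_NAME}:${PORT}/ 2>&1 \
-| grep '403 Forbidden' ; then
+if ! curl -v -k https://${DOCKER_HOST_NAME}:${PORT}/ 2>&1 \/ | grep '403 Forbidden' ; then
 echo "We were expecting to be rejected with 403 error here - we are not in the Congo!"
 exit 2
 else
@@ -188,7 +187,7 @@ start_test "Start with SSL CIPHER set and PROTOCOL" "${STD_CMD} \
 -e \"SSL_CIPHERS=RC4-MD5\" \
 -e \"SSL_PROTOCOLS=TLSv1.1\""
 echo "Test excepts defined protocol and cipher....."
-docker run --link ${TAG}:${TAG}--rm --entrypoint bash ngx -c "echo GET / | /usr/bin/openssl s_client -cipher 'RC4-MD5' -tls1_1 -connect ${TAG}:443" &> /dev/null;
+docker run --link ${TAG}:${TAG} --rm --entrypoint bash ngx -c "echo GET / | /usr/bin/openssl s_client -cipher 'RC4-MD5' -tls1_1 -connect ${TAG}:10443" &> /dev/null;
 
 
 
@@ -266,7 +265,7 @@ ${STD_CMD} -d \
 docker run --link "${MUTUAL_TLS}:${MUTUAL_TLS}" --rm martin/wait
 start_test "Start with upstream client certs" "${STD_CMD} \
 -e \"PROXY_SERVICE_HOST=https://${MUTUAL_TLS}\" \
--e \"PROXY_SERVICE_PORT=443\" \
+-e \"PROXY_SERVICE_PORT=10443\" \
 -e \"DNSMASK=TRUE\" \
 -e \"USE_UPSTREAM_CLIENT_CERT=TRUE\" \
 -v \"${PWD}/client_certs/client.crt:/etc/keys/upstream-client-crt\" \
@@ -284,7 +283,7 @@ ${STD_CMD} -d \
 docker run --link "${STANDARD_TLS}:${STANDARD_TLS}" --rm martin/wait
 start_test "Start with failing upstream server verification" "${STD_CMD} \
 -e \"PROXY_SERVICE_HOST=https://${STANDARD_TLS}\" \
--e \"PROXY_SERVICE_PORT=443\" \
+-e \"PROXY_SERVICE_PORT=10443\" \
 -e \"DNSMASK=TRUE\" \
 -e \"VERIFY_SERVER_CERT=TRUE\" \
 -v \"${PWD}/client_certs/ca.crt:/etc/keys/upstream-server-ca\" \
@@ -312,7 +311,7 @@ ${STD_CMD} -d \
 docker run --link "${STANDARD_TLS}:${STANDARD_TLS}" --rm martin/wait
 start_test "Start with succeeding upstream server verification" "${STD_CMD} \
 -e \"PROXY_SERVICE_HOST=https://${STANDARD_TLS}\" \
--e \"PROXY_SERVICE_PORT=443\" \
+-e \"PROXY_SERVICE_PORT=10443\" \
 -e \"DNSMASK=TRUE\" \
 -e \"VERIFY_SERVER_CERT=TRUE\" \
 -v \"${PWD}/client_certs/ca.crt:/etc/keys/upstream-server-ca\" \
@@ -375,7 +374,7 @@ grep "Thanks for the big doc" /tmp/upload_test.txt &> /dev/null
 
 
 start_test "Start with listen for port 80" "${STD_CMD} \
--p 8888:80 \
+-p 8888:10080 \
 -e \"PROXY_SERVICE_HOST=http://mockserver\" \
 -e \"PROXY_SERVICE_PORT=8080\" \
 -e \"DNSMASK=TRUE\" \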
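Review bot: The curl line joined in the `@@ -116,8 +116,7 @@` hunk keeps a stray `\/` (`2>&1 \/ | grep '403 Forbidden'`), which the shell hands to curl as a second URL argument `/`; curl rejects it as an illegal URL on stderr, `2>&1` feeds that into grep, and the check only passes because the first request's verbose output happens to contain the 403. It should read `if ! curl -v -k https://${DOCKER_HOST_NAME}:${PORT}/ 2>&1 | grep '403 Forbidden' ; then`. The two `docker run --link ${TAG}:${TAG}--rm` lines in the `@@ -89,9 +89,9 @@` hunk still lack the space before `--rm` that the `@@ -188,7 +187,7 @@` hunk fixes, so docker reads `ngx--rm` as the link alias and the `--rm` flag is lost, leaving those test containers behind. Both hunks sit inside larger test sequences whose start and end are outside the diff.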

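--- a/defaults.sh
+++ b/defaults.sh
@@ -8,8 +8,8 @@ export SERVER_CERT=${SERVER_CERT:-/etc/keys/crt}
 export SERVER_KEY=${SERVER_KEY:-/etc/keys/key}
 export SSL_CIPHERS=${SSL_CIPHERS:-'AES256+EECDH:AES256+EDH:!aNULL'}
 export SSL_PROTOCOLS=${SSL_PROTOCOLS:-'TLSv1.2'}
-export HTTP_LISTEN_PORT=${HTTP_LISTEN_PORT:-80}
-export HTTPS_LISTEN_PORT=${HTTPS_LISTEN_PORT:-443}
+export HTTP_LISTEN_PORT=${HTTP_LISTEN_PORT:-10080}
+export HTTPS_LISTEN_PORT=${HTTPS_LISTEN_PORT:-10443}
 export HTTPS_REDIRECT=${HTTPS_REDIRECT:-'TRUE'}
 export NO_LOGGING_BODY=${NO_LOGGING_BODY:-'TRUE'}
 export NO_LOGGING_RESPONSE=${NO_LOGGING_RESPONSE:-'TRUE'}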

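--- a/go.sh
+++ b/go.sh
@@ -64,8 +64,8 @@ done
 
 if [ "${NAME_RESOLVER}" == "" ]; then
 if [ "${DNSMASK}" == "TRUE" ]; then
-dnsmasq
-export NAME_RESOLVER=127.0.0.1
+dnsmasq -p 5462
+export NAME_RESOLVER=127.0.0.1:5462
 else
 export NAME_RESOLVER=$(grep 'nameserver' /etc/resolv.conf | head -n1 | cut -d' ' -f2)
 fi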
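Review bot: `dnsmasq -p 5462` and `export NAME_RESOLVER=127.0.0.1:5462` hard-code the same port in two places with no comment on why it moved off the default; the reason is presumably that the entrypoint now runs unprivileged and cannot bind :53, and that belongs in the script, e.g. `# non-root cannot bind :53, so dnsmasq listens on an unprivileged port`. Hoisting it into `DNSMASQ_PORT=${DNSMASQ_PORT:-5462}` and using `-p "${DNSMASQ_PORT}"` and `127.0.0.1:${DNSMASQ_PORT}` keeps the two from drifting apart. Nothing here verifies dnsmasq actually came up; if it fails to bind (port already in use), nginx is pointed at a resolver that answers nothing, and whether that aborts startup depends on a `set -e` above this hunk that is not visible. The `if` block is complete within the hunk, but the surrounding script is not.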
