paulmataruso/patchmon.net
1
0
Fork 0
mirror of https://github.com/9technologygroup/patchmon.net.git synced 2025-11-04 22:13:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: maintain nginx-unprivileged security while adding canvas runtime libraries via multi-stage build

Browse Source
This commit is contained in:
Muhammad Ibrahim
2025-10-28 18:35:03 +00:00
parent 43fb54a683
commit 93760d03e1
1 changed files with 14 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
docker/frontend.Dockerfile
View File

@@ -36,12 +36,24 @@ COPY frontend/ ./
RUN npm run build RUN npm run build
# Production stage - use standard nginx to allow apk install # Production stage - use temporary stage to install packages as root, then copy to unprivileged
FROM nginx:alpine FROM nginx:alpine AS runtime-builder
# Install runtime dependencies for canvas # Install runtime dependencies for canvas
RUN apk add --no-cache cairo pango jpeg libpng giflib RUN apk add --no-cache cairo pango jpeg libpng giflib
# Final production stage - unprivileged
FROM nginxinc/nginx-unprivileged:alpine
# Copy runtime libraries from runtime-builder
COPY --from=runtime-builder /usr/lib/libcairo.so.2 /usr/lib/
COPY --from=runtime-builder /usr/lib/libpango-1.0.so.0 /usr/lib/
COPY --from=runtime-builder /usr/lib/libpangocairo-1.0.so.0 /usr/lib/
COPY --from=runtime-builder /usr/lib/libpangoft2-1.0.so.0 /usr/lib/
COPY --from=runtime-builder /usr/lib/libpng16.so.16 /usr/lib/
COPY --from=runtime-builder /usr/lib/libgif.so.7 /usr/lib/
COPY --from=runtime-builder /usr/lib/libjpeg.so.8 /usr/lib/
ENV BACKEND_HOST=backend \ ENV BACKEND_HOST=backend \
BACKEND_PORT=3001 BACKEND_PORT=3001