[ACA-2229] run aca nginx as non-root (#979)

* run aca nginx as non-root

* remove edit permissions from html folder

Dockerfile

@@ -14,13 +14,26 @@ FROM nginx:stable-alpine
 LABEL version="1.7"
 LABEL maintainer="Denys Vuika <denys.vuika@alfresco.com>"
 
-COPY nginx.conf /etc/nginx/nginx.conf
+ARG GROUPNAME=Alfresco
+ARG GROUPID=1000
+ARG USERNAME=aca
+ARG USERID=33009
 
-COPY ./docker-entrypoint.sh /
+COPY nginx.conf /etc/nginx/nginx.conf
-RUN chmod +x /docker-entrypoint.sh
+COPY ./docker/entrypoint.sh /
 
 WORKDIR /usr/share/nginx/html
 COPY dist/app/ .
 COPY --from=builder /usr/src/alfresco/licenses ./licenses
 
-ENTRYPOINT [ "/docker-entrypoint.sh" ]
+RUN addgroup -g ${GROUPID} ${GROUPNAME} && \
+  adduser -S -u ${USERID} -G ${GROUPNAME} -s "/bin/bash" ${USERNAME} && \
+  chown -R ${USERNAME}:${GROUPNAME} /var/cache/nginx && \
+  touch /var/run/nginx.pid && \
+  chown -R ${USERNAME}:${GROUPNAME} /var/run/nginx.pid && \
+  chmod +x /entrypoint.sh && \
+  chown -R ${USERNAME}:${GROUPNAME} /entrypoint.sh
+
+EXPOSE 8080
+USER ${USERNAME}
+ENTRYPOINT [ "/entrypoint.sh" ]

docker-compose.yml

@@ -96,7 +96,7 @@ services:
     networks:
       - internal
     ports:
-      - 4001:80
+      - 4001:8080
     # volumes:
     #     - ./app.config.json:/usr/share/nginx/html/app.config.json
     #     - ./nginx.conf:/etc/nginx/conf.d/default.conf

docker/proxy/nginx.conf

@@ -16,7 +16,7 @@ server {
     proxy_pass_header Set-Cookie;
 
     location / {
-      proxy_pass http://content-app;
+      proxy_pass http://content-app:8080;
     }
 
     location /alfresco/ {

nginx.conf

@@ -6,7 +6,7 @@ events {
 
 http {
   server {
-    listen 80;
+    listen 8080;
     server_name  localhost;
 
     root   /usr/share/nginx/html;