[ADF-4158] improved Docker image security (#4371)

* improved Docker image security * remove layer duplication * update scripts
2025-07-24 17:32:15 +00:00 · 2019-03-04 11:18:32 +00:00
parent bbf1f20439
commit d6f856f1c5
4 changed files with 105 additions and 4 deletions
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -0,0 +1,60 @@
+#!/bin/sh
+
+if [ -n "${APP_CONFIG_AUTH_TYPE}" ];then
+  sed -e "s/\"authType\": \".*\"/\"authType\": \"${APP_CONFIG_AUTH_TYPE}\"/g" \
+    -i ./app.config.json
+fi
+
+if [ -n "${APP_CONFIG_OAUTH2_HOST}" ];then
+  replace="\/"
+  encoded=${APP_CONFIG_OAUTH2_HOST//\//$replace}
+  sed -e "s/\"host\": \".*\"/\"host\": \"${encoded}\"/g" \
+    -i ./app.config.json
+fi
+
+if [ -n "${APP_CONFIG_OAUTH2_CLIENTID}" ];then
+  sed -e "s/\"clientId\": \".*\"/\"clientId\": \"${APP_CONFIG_OAUTH2_CLIENTID}\"/g" \
+    -i ./app.config.json
+fi
+
+if [ -n "${APP_CONFIG_OAUTH2_IMPLICIT_FLOW}" ];then
+ sed "/implicitFlow/s/true/${APP_CONFIG_OAUTH2_IMPLICIT_FLOW}/" \
+    -i ./app.config.json
+fi
+
+if [ -n "${APP_CONFIG_OAUTH2_SILENT_LOGIN}" ];then
+ sed "/silentLogin/s/true/${APP_CONFIG_OAUTH2_SILENT_LOGIN}/" \
+    -i ./app.config.json
+fi
+
+if [ -n "${APP_CONFIG_OAUTH2_REDIRECT_SILENT_IFRAME_URI}" ];then
+  replace="\/"
+  encoded=${APP_CONFIG_OAUTH2_REDIRECT_SILENT_IFRAME_URI//\//$replace}
+  sed -e "s/\"redirectSilentIframeUri\": \".*\"/\"redirectSilentIframeUri\": \"${encoded}\"/g" \
+    -i ./app.config.json
+fi
+
+if [ -n "${APP_CONFIG_OAUTH2_REDIRECT_LOGIN}" ];then
+  replace="\/"
+  encoded=${APP_CONFIG_OAUTH2_REDIRECT_LOGIN//\//$replace}
+  sed -e "s/\"redirectUri\": \".*\"/\"redirectUri\": \"${encoded}\"/g" \
+    -i ./app.config.json
+fi
+
+if [ -n "${APP_CONFIG_OAUTH2_REDIRECT_LOGOUT}" ];then
+  replace="\/"
+  encoded=${APP_CONFIG_OAUTH2_REDIRECT_LOGOUT//\//$replace}
+  sed -e "s/\"redirectUriLogout\": \".*\"/\"redirectUriLogout\": \"${encoded}\"/g" \
+    -i ./app.config.json
+fi
+
+if [[ $ACSURL ]]; then
+  sed -i s%{protocol}//{hostname}{:port}%"$ACSURL"%g /usr/share/nginx/html/app.config.json
+fi
+
+if [ -n "${APP_BASE_SHARE_URL}" ];then
+  sed -e "s/\"baseShareUrl\": \".*\"/\"baseShareUrl\": \"${APP_BASE_SHARE_URL}\"/g" \
+    -i ./app.config.json
+fi
+
+nginx -g "daemon off;"
--- a/docker/nginx.conf
+++ b/docker/nginx.conf
@@ -0,0 +1,35 @@
+worker_processes  1;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    server {
+        listen 8080;
+        server_name  localhost;
+
+        root   /usr/share/nginx/html;
+        index  index.html index.htm;
+        include /etc/nginx/mime.types;
+
+        gzip on;
+        gzip_min_length 1000;
+        gzip_proxied expired no-cache no-store private auth;
+        gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+        location / {
+            try_files $uri $uri/ /index.html;
+        }
+
+        location ~ \.html$ {
+            add_header Cache-Control "private, no-cache, no-store, must-revalidate";
+            add_header Expires "Sat, 01 Jan 2000 00:00:00 GMT";
+            add_header Pragma no-cache;
+        }
+
+        location ~ ^/[a-zA-Z0-9_-]+/ {
+            try_files $uri $uri/ /index.html;
+        }
+    }
+}