Run NGINX 1.25.2 Distroless without USER=Root
PROBLEM: I am running an nginx frontend web server and a .NET Core 7 backend. The nginx 1.25.2 distroless image in IronBank is very secure but does not allow me to use the image as anything other than USER=Root.
REPRODUCIBLE DATA: #user nginx worker_processes 1;
#error_log /usr/share/nginx/logs/error.log; #pid /usr/share/nginx/logs/nginx.pid;
events { worker_connections 1024; }
http { default_type application/octet-stream; include /etc/nginx/mime.types;
log_format main '$remote_addr - remote_user [
time_local] "$request" '
'$status body_bytes_sent "
http_referer" '
'"http_user_agent" "
http_x_forwarded_for"';
access_log /var/log/nginx/access.log;
sendfile on; #tcp_nopush on;
#keepalive_timeout 0; keepalive_timeout 65;
#Remediate WAVS Scan - Version Disclosure server_tokens off;
proxy_connect_timeout 600; proxy_send_timeout 600; proxy_read_timeout 600; send_timeout 600;
gzip on;
proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $server_name;
upstream ietmx-backend-server { server ietmx-backend-server:5003; }
server { listen 8080; server_name localhost;
client_body_buffer_size 32k;
client_header_buffer_size 16k;
large_client_header_buffers 4 16k;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
#Server Harden - Clickjacking Attack --> Replaced DENY with "SAMEORIGIN"
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options nosniff;
#this was added to solve has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
add_header 'Access-Control-Allow-Origin' "$http_origin" always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
#Server Harden - Disable unwanted HTTP methods
if ($request_method !~ ^(GET|POST|PUT|DELETE)$ )
{
return 405;
}
#Server Harden - X-XSS Protection
add_header X-XSS-Protection "1; mode=block";
##################################
# END https://cipherli.st/ BLOCK #
##################################
location / {
root /usr/share/nginx/html;
index index.html;
}
location /api/ {
proxy_set_header X-NginX-Proxy true;
proxy_pass http://ietmx-backend-server;
proxy_redirect off;
#remove all cache
proxy_no_cache 1;
proxy_cache_bypass 1;
proxy_cache off;
# Headers for client browser NOCACHE + CORS origin filter
add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
}
location /common-api/ {
proxy_set_header X-NginX-Proxy true;
proxy_pass http://ietmx-backend-server;
proxy_redirect off;
#remove all cache
proxy_no_cache 1;
proxy_cache_bypass 1;
proxy_cache off;
# Headers for client browser NOCACHE + CORS origin filter
add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
}
location /httproot/ {
proxy_set_header X-NginX-Proxy true;
proxy_pass http://ietmx-backend-server;
proxy_redirect off;
#remove all cache
proxy_no_cache 1;
proxy_cache_bypass 1;
proxy_cache off;
# Headers for client browser NOCACHE + CORS origin filter
add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
}
location /health {
access_log off;
return 200 "IETMX Maintenance server is running!!!\n";
add_header Content-Type text/plain;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
} }
FROM harbor.global.lmco.com/ext.registry1.dso.mil/ironbank/opensource/nginx/nginx:1.25.2-distroless
ENV PORT=8080
COPY content/client/ /usr/share/nginx/html COPY conf/nginx.conf /etc/nginx/.base_nginx.conf COPY conf/nginx.conf /etc/nginx/nginx.conf
USER root
EXPOSE $PORT
ENTRYPOINT ["nginx", "-g", "daemon off;"]
WISH TO THE IRONBANK GENIE: Suggestions on how to change the configuration or Dockerfile to make this super amazing nginx image run as non-root user.