From 1a6c16d8ea7ec00a58dcf820f724130e43b80f56 Mon Sep 17 00:00:00 2001 From: Jonas Janz <5434875+PixelJonas@users.noreply.github.com> Date: Wed, 14 Sep 2022 04:50:10 +0200 Subject: [PATCH] breaking(setup): use non-root image for immich-proxy (#651) * feat(nginx): use non-root container for immich-proxy Signed-off-by: PixelJonas <5434875+PixelJonas@users.noreply.github.com> * re-add test env * feat(nginx): add correct port for staging * add the new port to the default docker-compose.yml Signed-off-by: PixelJonas <5434875+PixelJonas@users.noreply.github.com> --- docker/.env.test | 2 +- docker/docker-compose.dev.yml | 3 +- docker/docker-compose.staging.yml | 3 +- docker/docker-compose.yml | 2 +- nginx/Dockerfile | 7 +- nginx/nginx.conf | 138 ++++++++++++++++-------------- 6 files changed, 83 insertions(+), 72 deletions(-) diff --git a/docker/.env.test b/docker/.env.test index 93eb73d280..582743d820 100644 --- a/docker/.env.test +++ b/docker/.env.test @@ -19,4 +19,4 @@ ENABLE_MAPBOX=false # WEB MAPBOX_KEY= -VITE_SERVER_ENDPOINT=http://localhost:2283/api \ No newline at end of file +VITE_SERVER_ENDPOINT=http://localhost:2283/api diff --git a/docker/docker-compose.dev.yml b/docker/docker-compose.dev.yml index ad0261270e..9e68e8e4d6 100644 --- a/docker/docker-compose.dev.yml +++ b/docker/docker-compose.dev.yml @@ -102,8 +102,7 @@ services: context: ../nginx dockerfile: Dockerfile ports: - - 2283:80 - - 2284:443 + - 2283:8080 logging: driver: none depends_on: diff --git a/docker/docker-compose.staging.yml b/docker/docker-compose.staging.yml index 5b4780b702..1d45f7e44e 100644 --- a/docker/docker-compose.staging.yml +++ b/docker/docker-compose.staging.yml @@ -72,8 +72,7 @@ services: container_name: immich_proxy image: altran1502/immich-proxy:staging ports: - - 2283:80 - - 2284:443 + - 2283:8080 logging: driver: none depends_on: diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index 725331dcfc..abbf86069c 100644 --- a/docker/docker-compose.yml 
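Review bot: The new `- 2283:8080` mapping in the docker/docker-compose.staging.yml hunk only works with a proxy image built from this commit, yet the service still pulls the mutable tag `altran1502/immich-proxy:staging`. A host that keeps an older cached image will therefore forward to a container port nothing listens on. The docker/docker-compose.yml hunk has the same coupling with `:release`. A comment above the mapping, such as `# container port 8080 requires the non-root immich-proxy image (listen 8080 in nginx/nginx.conf)`, would document the dependency, and pinning the image to a version tag or digest would make the pairing explicit. The services block continues outside both hunks.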
+++ b/docker/docker-compose.yml @@ -74,7 +74,7 @@ services: container_name: immich_proxy image: altran1502/immich-proxy:release ports: - - 2283:80 + - 2283:8080 logging: driver: none depends_on: diff --git a/nginx/Dockerfile b/nginx/Dockerfile index fdc2f49a85..46dc313dbb 100644 --- a/nginx/Dockerfile +++ b/nginx/Dockerfile @@ -1,6 +1,5 @@ -FROM nginx:latest +FROM registry.access.redhat.com/ubi9/nginx-120:latest -COPY nginx.conf /etc/nginx/conf.d/default.conf +COPY nginx.conf "${NGINX_CONF_PATH}" -EXPOSE 80 -EXPOSE 443 \ No newline at end of file +CMD nginx -g "daemon off;" \ No newline at end of file diff --git a/nginx/nginx.conf b/nginx/nginx.conf index 0c026f461d..c45fee8dca 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf 
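Review bot: `FROM registry.access.redhat.com/ubi9/nginx-120:latest` in the nginx/Dockerfile hunk tracks a mutable tag, so every rebuild can pick up a different base image with no change in this repository; pinning by digest, e.g. `FROM registry.access.redhat.com/ubi9/nginx-120@sha256:<digest-placeholder>`, makes the base reviewable. The non-root property this commit is after is only implied by the base image: the Dockerfile has no `USER` line and takes `NGINX_CONF_PATH` from the image's environment, so an explicit `USER` instruction with the image's unprivileged UID would keep that guarantee visible and checkable here. `CMD nginx -g "daemon off;"` is shell form, which runs nginx under `/bin/sh -c` and may keep the runtime's stop signal from reaching it; the exec form `CMD ["nginx", "-g", "daemon off;"]` avoids that.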
@@ -1,73 +1,87 @@ -map $http_upgrade $connection_upgrade { - default upgrade; - '' close; + +worker_processes auto; +error_log /var/log/nginx/error.log; +pid /run/nginx.pid; + +# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. +include /usr/share/nginx/modules/*.conf; + +events { + worker_connections 1024; } -# events { -# worker_connections 1000; -# } - -server { - - gzip on; - gzip_min_length 1000; - gunzip on; - - client_max_body_size 50000M; - - listen 80; - access_log off; - - location /api { - - # Compression - gzip_static on; - gzip_min_length 1000; - gzip_comp_level 2; - - proxy_buffering off; - proxy_buffer_size 16k; - proxy_busy_buffers_size 24k; - proxy_buffers 64 4k; - proxy_force_ranges on; - - proxy_http_version 1.1; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host $host; - - rewrite /api/(.*) /$1 break; - - proxy_pass http://immich-server:3001; +http { + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; } - location / { + # events { + # worker_connections 1000; + # } - # Compression - gzip_static on; + server { + + gzip on; gzip_min_length 1000; - gzip_comp_level 2; + gunzip on; - proxy_buffering off; - proxy_buffer_size 16k; - proxy_busy_buffers_size 24k; - proxy_buffers 64 4k; - proxy_force_ranges on; + client_max_body_size 50000M; - proxy_http_version 1.1; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host $host; + listen 8080; + access_log off; - proxy_pass http://immich-web:3000; + location /api { + + # Compression + gzip_static on; + 
gzip_min_length 1000; + gzip_comp_level 2; + + proxy_buffering off; + proxy_buffer_size 16k; + proxy_busy_buffers_size 24k; + proxy_buffers 64 4k; + proxy_force_ranges on; + + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + + rewrite /api/(.*) /$1 break; + + proxy_pass http://immich-server:3001; + } + + location / { + + # Compression + gzip_static on; + gzip_min_length 1000; + gzip_comp_level 2; + + proxy_buffering off; + proxy_buffer_size 16k; + proxy_busy_buffers_size 24k; + proxy_buffers 64 4k; + proxy_force_ranges on; + + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + + proxy_pass http://immich-web:3000; + } } -} +} \ No newline at end of file
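Review bot: With `error_log /var/log/nginx/error.log;` at the top level and `access_log off;` kept in the server block, the proxy writes nothing to the container's stdout/stderr, so request and error records for the published entry point are not available for detection or incident review. That log file and `pid /run/nginx.pid;` also have to be writable by the unprivileged user the image runs as, which this patch does not show. Consider `error_log stderr;` and `access_log /dev/stdout;` instead. Separately, the `map` that defines `$connection_upgrade` is never used: both locations hard-code `proxy_set_header Connection "upgrade";`, which could be `proxy_set_header Connection $connection_upgrade;`, and each location sets `proxy_set_header Host $host;` twice.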