Allow st2web container to be runable as Non-Root #66
Conversation
jk464
force-pushed
the
feature/non-root-st2web
branch
from
75da552
to
9e9b36c
Compare
jk464
force-pushed
the
feature/non-root-st2web
branch
from
9e9b36c
to
4d28a30
Compare
|
@cognifloyd I've hopefully actioned all your items - also added in some updates to the We probably want to pin the |
st2web/files/st2.conf-https.patch
Outdated
| - proxy_pass http://127.0.0.1:9100/; | ||
| + proxy_pass ${ST2_AUTH_URL}; | ||
| proxy_read_timeout 90; | ||
| proxy_connect_timeout 90; | ||
| proxy_redirect off; | ||
| + proxy_ssl_verify off; |
There was a problem hiding this comment.
What is the purpose of disabling this? disabling SSL verification is a last-resort--something to do when all other solutions (like regenerating the cert) have failed to fix an issue.
st2web/files/st2.conf-https.patch
Outdated
| } | ||
| -} | ||
| +} | ||
| \ No newline at end of file |
I don't like to manually pin versions most of the time because then someone has to manage that pin. Most of the time (in my experience at least) pins are not well documented, so no one dares to update it until there is a CVE or some other bug or missing feature that forces an update. So, I hesitate to add pinning here without a good plan for how we'll manage that. |
jk464
force-pushed
the
feature/non-root-st2web
branch
from
ef063d6
to
1dcab96
Compare
|
@cognifloyd that should be all the issues resolved |
Co-authored-by: Jacob Floyd <cognifloyd@gmail.com>
jk464
force-pushed
the
feature/non-root-st2web
branch
from
1dcab96
to
754423c
Compare
It is good security practice to run containers without root and minimal privileges.
However, the st2web container attempts to expose on port 80 and 443, which are both <1000 privileged ports.
This PR changes the exposed ports to 8080 / 8443, non-privileged ports.
It also edits permissions on NGINX files, to allow nginx to run as the
nginxuser.