Running API proxy as nginx user (#5281)

Running API proxy as nginx user Additionally: - removed extra port opened. It was useless since it is possible to open a port through deployment. - Sped up images building by using pre-built image images builder. Tested on amd64 and arm32
Azure · Jul 28, 2021 · 05c9f78 · 05c9f78
1 parent d2befae
commit 05c9f78
Show file tree

Hide file tree

Showing 6 changed files with 45 additions and 12 deletions.
diff --git a/edge-modules/api-proxy-module/build.sh b/edge-modules/api-proxy-module/build.sh
@@ -88,7 +88,7 @@ echo ${PROJECT_ROOT}
 
 if [[ "$ARCH" == "amd64" ]]; then
 set +e
-../../scripts/linux/cross-platform-rust-build.sh --os alpine --arch $ARCH --build-path edge-modules/api-proxy-module
+docker run --rm -it -v "${PROJECT_ROOT}":/home/rust/src ekidd/rust-musl-builder cargo build --release --manifest-path /home/rust/src/edge-modules/api-proxy-module/Cargo.toml
 set -e
 
 cp -r ./templates/ ./docker/linux/amd64

diff --git a/edge-modules/api-proxy-module/docker/linux/amd64/Dockerfile b/edge-modules/api-proxy-module/docker/linux/amd64/Dockerfile
@@ -5,14 +5,27 @@
 
 FROM alpine:3.13.1
 WORKDIR /app
+
+RUN adduser -Ds /bin/sh nginx 
+RUN chown -R nginx:nginx /app   
+
 COPY ./docker/linux/amd64/api-proxy-module .
 COPY ./docker/linux/amd64/templates .
+
 RUN	apk update && \
     apk add nginx && \
 	mkdir /run/nginx
 
-RUN adduser -Ds /bin/sh moduleuser 
-USER moduleuser    
+RUN chown -R nginx:nginx /app && \
+    touch /var/cache/nginx && \
+    chown -R nginx:nginx /var/cache/nginx && \
+    chown -R nginx:nginx /var/log/nginx && \
+    chown -R nginx:nginx /etc/nginx/conf.d
+RUN touch /var/run/nginx/nginx.pid && \
+        chown -R nginx:nginx /var/run/nginx/nginx.pid 
+
+
+USER nginx    
 
 #expose ports
 EXPOSE 443/tcp	
@@ -21,5 +34,6 @@ EXPOSE 80/tcp
 EXPOSE 5000/tcp
 #used by blob storage
 EXPOSE 11002/tcp
-
+#default
+EXPOSE 8000/tcp
 ENTRYPOINT ["/app/api-proxy-module"]
diff --git a/edge-modules/api-proxy-module/docker/linux/arm32v7/Dockerfile b/edge-modules/api-proxy-module/docker/linux/arm32v7/Dockerfile
@@ -2,20 +2,29 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information.
 #-------------------------------------------------------------------------------------------------------------
-
 FROM arm32v7/nginx:1.19.9
 WORKDIR /app
+
+RUN chown -R nginx:nginx /app && \
+    chown -R nginx:nginx /var/cache/nginx && \
+    chown -R nginx:nginx /var/log/nginx && \
+    chown -R nginx:nginx /etc/nginx/conf.d
+RUN touch /var/run/nginx.pid && \
+        chown -R nginx:nginx /var/run/nginx.pid 
+
 COPY ./docker/linux/arm32v7/api-proxy-module .
 COPY ./docker/linux/arm32v7/templates .
 
+USER nginx  
+
 #expose ports
 EXPOSE 443/tcp	
 EXPOSE 80/tcp
 #used by registry
 EXPOSE 5000/tcp
 #used by blob storage
 EXPOSE 11002/tcp
-#use for custom defining ports
-EXPOSE 7000-8000/tcp
+#default
+EXPOSE 8000/tcp
 ENTRYPOINT ["/app/api-proxy-module"]
 
diff --git a/edge-modules/api-proxy-module/docker/linux/arm64v8/Dockerfile b/edge-modules/api-proxy-module/docker/linux/arm64v8/Dockerfile
@@ -4,17 +4,27 @@
 #-------------------------------------------------------------------------------------------------------------
 FROM arm64v8/nginx:1.19.9
 WORKDIR /app
+
+RUN chown -R nginx:nginx /app && \
+    chown -R nginx:nginx /var/cache/nginx && \
+    chown -R nginx:nginx /var/log/nginx && \
+    chown -R nginx:nginx /etc/nginx/conf.d
+RUN touch /var/run/nginx.pid && \
+        chown -R nginx:nginx /var/run/nginx.pid 
+
 COPY ./docker/linux/arm64v8/api-proxy-module .
 COPY ./docker/linux/arm64v8/templates .
 
+USER nginx  
+
 #expose ports
 EXPOSE 443/tcp	
 EXPOSE 80/tcp
 #used by registry
 EXPOSE 5000/tcp
 #used by blob storage
 EXPOSE 11002/tcp
-#use for custom defining ports
-EXPOSE 7000-8000/tcp
+#default
+EXPOSE 8000/tcp
 ENTRYPOINT ["/app/api-proxy-module"]
 
diff --git a/edge-modules/api-proxy-module/readme.md b/edge-modules/api-proxy-module/readme.md
@@ -111,7 +111,7 @@ For easiness of use, the API proxy module comes with a default configuration tha
 
 | Config variable  | comments |
 | ------------- |  ------------- |
-| NGINX_DEFAULT_PORT  | Changes the port Nginx listens on. If you update this environment variable, make sure the port you select is also exposed in the module dockerfile and the port binding. Default is 443.  |
+| NGINX_DEFAULT_PORT  | Changes the port Nginx listens on. If you update this environment variable, make sure the port you select is also exposed in the module dockerfile and the port binding. Default is 8000.  |
 | NGINX_DEFAULT_TLS | Changes the ssl protocols nginx support. See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols for more details. |
 | NGINX_DEFAULT_CIPHERS | Changes the ciphers nginx support. See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers for more details. |
 | DOCKER_REQUEST_ROUTE_ADDRESS | Address to route docker requests. By default it points to the parent.  |

diff --git a/edge-modules/api-proxy-module/src/monitors/config_parser.rs b/edge-modules/api-proxy-module/src/monitors/config_parser.rs
@@ -6,7 +6,7 @@ use regex::{Captures, Regex};
 
 use crate::token_service::token_server;
 
-const PROXY_CONFIG_DEFAULT_VALUES: &[(&str, &str)] = &[("NGINX_DEFAULT_PORT", "443")];
+const PROXY_CONFIG_DEFAULT_VALUES: &[(&str, &str)] = &[("NGINX_DEFAULT_PORT", "8000")];
 
 pub struct ConfigParser {
     default_values: HashMap<String, String>,
@@ -349,7 +349,7 @@ mod tests {
             .unwrap();
 
         //Check the value is still equal to dummy value
-        assert_eq!("443", config);
+        assert_eq!("8000", config);
 
         // *** Environment variable
         std::env::set_var("NGINX_DEFAULT_PORT", "Dummy value");