Use nginx:stable, add nginx config, non-root

Switch the runtime stage to nginx:stable (replacing alpine), remove the default static assets, and copy the built app into /usr/share/nginx/html. Add a custom nginx main config (nginx.main.conf → /etc/nginx/nginx.conf) and keep the default site config. Run the container as the non-root nginx user and expose port 80. These changes ensure the image serves the intended build, uses a stable nginx variant, and improves container security.
2026-05-18 23:50:17 +00:00 · 2026-04-13 00:54:51 +01:00
parent d19a10c08b
commit 9066e31c55
2 changed files with 36 additions and 2 deletions
@@ -9,14 +9,21 @@ ENV NODE_ENV=production
 RUN npm run build

 # Step 2: Serve stage
-FROM nginx:alpine
+FROM nginx:stable
+
+# Remove default nginx static assets
+RUN rm -rf /usr/share/nginx/html/*

 # Copy built files from the previous stage
 COPY --from=build /app/dist /usr/share/nginx/html

-# Add a custom Nginx configuration
+# Copy secure nginx configs
+COPY nginx.main.conf /etc/nginx/nginx.conf
 COPY nginx.conf /etc/nginx/conf.d/default.conf

+# Use non-root user for security
+USER nginx
+
 # Expose port 80
 EXPOSE 80

@@ -0,0 +1,27 @@
+worker_processes auto;
+pid /tmp/nginx.pid;
+error_log /tmp/error.log warn;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    access_log /tmp/access.log;
+
+    sendfile on;
+    keepalive_timeout 65;
+    server_tokens off;
+
+    # Redefine temp paths to writable tmpfs locations
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path       /tmp/proxy_temp;
+    fastcgi_temp_path     /tmp/fastcgi_temp;
+    uwsgi_temp_path       /tmp/uwsgi_temp;
+    scgi_temp_path        /tmp/scgi_temp;
+
+    include /etc/nginx/conf.d/*.conf;
+}