From 9d393224da611ee43396b2697061c7eb9564b93d Mon Sep 17 00:00:00 2001 From: Joseph Flinn Date: Fri, 28 Jan 2022 12:01:47 -0800 Subject: [PATCH] switching to an nginx image instead of a bitwarden/server one --- Dockerfile => docker/Dockerfile | 12 ++- entrypoint.sh => docker/entrypoint.sh | 3 +- docker/mime.types | 138 ++++++++++++++++++++++++ docker/nginx-web.conf | 25 +++++ docker/nginx.conf | 149 ++++++++++++++++++++++++++ docker/security-headers.conf | 3 + 6 files changed, 324 insertions(+), 6 deletions(-) rename Dockerfile => docker/Dockerfile (58%) rename entrypoint.sh => docker/entrypoint.sh (84%) create mode 100644 docker/mime.types create mode 100644 docker/nginx-web.conf create mode 100644 docker/nginx.conf create mode 100644 docker/security-headers.conf diff --git a/Dockerfile b/docker/Dockerfile similarity index 58% rename from Dockerfile rename to docker/Dockerfile index 15b1508a..0b54c788 100644 --- a/Dockerfile +++ b/docker/Dockerfile @@ -1,4 +1,4 @@ -FROM bitwarden/server:dev +FROM nginx:stable LABEL com.bitwarden.product="bitwarden" @@ -8,13 +8,17 @@ RUN apt-get update \ curl \ && rm -rf /var/lib/apt/lists/* -ENV ASPNETCORE_URLS http://+:5000 +COPY nginx.conf /etc/nginx +COPY nginx-web.conf /etc/nginx +COPY mime.types /etc/nginx +COPY security-headers.conf /etc/nginx + WORKDIR /app -EXPOSE 5000 +EXPOSE 80 COPY ./build . COPY entrypoint.sh / RUN chmod +x /entrypoint.sh -HEALTHCHECK CMD curl -f http://localhost:5000 || exit 1 +HEALTHCHECK CMD curl -f http://localhost:80 || exit 1 ENTRYPOINT ["/entrypoint.sh"] diff --git a/entrypoint.sh b/docker/entrypoint.sh similarity index 84% rename from entrypoint.sh rename to docker/entrypoint.sh index 16d1c78f..66aa5a43 100644 --- a/entrypoint.sh +++ b/docker/entrypoint.sh 
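Review bot: `FROM nginx:stable` is a floating tag, so every rebuild silently pulls whatever nginx currently publishes under it; for a reproducible supply chain pin a specific version and its digest, e.g. `FROM nginx:1.20.2@sha256:<digest>` (taken from `docker inspect` of the image you tested), and bump it deliberately. The previous base, `bitwarden/server:dev`, was just as unpinned, so this is not a regression, but the base-image switch is the right moment to fix it. Note also that the official nginx image starts its master process as whatever user runs the entrypoint, so the privilege drop now depends on nginx.conf's `user` directive or on the entrypoint itself.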
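Review bot: The health check and `EXPOSE` now target port 80, but the server block shipped alongside (`docker/nginx-web.conf`) listens on 8080, and this Dockerfile copies it to `/etc/nginx/` while `nginx.conf` only includes `conf.d/*.conf`, so unless the part of `entrypoint.sh` outside this diff moves it into place the only thing answering on :80 is the base image's stock `conf.d/default.conf` — which would make `curl -f http://localhost:80` report healthy without the web vault being served at all. Point the check at the app's own probe on the configured port, `HEALTHCHECK CMD curl -f http://localhost:8080/alive || exit 1`, change `EXPOSE 80` to `EXPOSE 8080` (or change the listen port instead), and copy the server block to `/etc/nginx/conf.d/` so it is actually loaded. The `COPY ./build .` into `/app` is unchanged and still runs as root; the ownership of that tree is fixed up in entrypoint.sh, which is outside this hunk.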
@@ -34,5 +34,4 @@ cp /etc/bitwarden/web/app-id.json /app/app-id.json chown -R $USERNAME:$GROUPNAME /app chown -R $USERNAME:$GROUPNAME /bitwarden_server -exec gosu $USERNAME:$GROUPNAME dotnet /bitwarden_server/Server.dll \ - /contentRoot=/app /webRoot=. /serveUnknown=false /webVault=true +exec nginx -g daemon off; diff --git a/docker/mime.types b/docker/mime.types new file mode 100644 index 00000000..7c3b1e73 --- /dev/null +++ b/docker/mime.types 
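Review bot: `exec nginx -g daemon off;` is unquoted, so the shell consumes the `;` as a command terminator and nginx receives `-g daemon` plus a stray `off` argument, which it rejects at startup instead of running in the foreground; it needs to be `exec nginx -g 'daemon off;'`. Separately, the removed line dropped root via `gosu $USERNAME:$GROUPNAME` before exec'ing the server, whereas nginx is now exec'ed directly by the (root) entrypoint, so the master keeps root and the two `chown -R $USERNAME:$GROUPNAME` lines above no longer match the account the workers run as (nginx's compile-time default unless `nginx.conf` sets `user`); `/bitwarden_server` presumably does not exist in an nginx-based image either, so that chown is likely dead. If gosu is still present in the image, `exec gosu $USERNAME:$GROUPNAME nginx -g 'daemon off;'` with pid and log paths writable by that user preserves the previous privilege drop; otherwise set `user $USERNAME;` in nginx.conf so workers match the chown. The rest of entrypoint.sh, including where `$USERNAME` is defined, is outside this hunk.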
@@ -0,0 +1,138 @@ +types { + + # Data interchange + + application/atom+xml atom; + application/json json map topojson; + application/ld+json jsonld; + application/rss+xml rss; + application/vnd.geo+json geojson; + application/xml rdf xml; + + + # JavaScript + + # Normalize to standard type. + # https://tools.ietf.org/html/rfc4329#section-7.2 + application/javascript js; + + + # Manifest files + + application/manifest+json webmanifest; + application/x-web-app-manifest+json webapp; + text/cache-manifest appcache; + + + # Media files + + audio/midi mid midi kar; + audio/mp4 aac f4a f4b m4a; + audio/mpeg mp3; + audio/ogg oga ogg opus; + audio/x-realaudio ra; + audio/x-wav wav; + image/bmp bmp; + image/gif gif; + image/jpeg jpeg jpg; + image/jxr jxr hdp wdp; + image/png png; + image/svg+xml svg svgz; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/webp webp; + image/x-jng jng; + video/3gpp 3gp 3gpp; + video/mp4 f4p f4v m4v mp4; + video/mpeg mpeg mpg; + video/ogg ogv; + video/quicktime mov; + video/webm webm; + video/x-flv flv; + video/x-mng mng; + video/x-ms-asf asf asx; + video/x-ms-wmv wmv; + video/x-msvideo avi; + + # Serving `.ico` image files with a different media type + # prevents Internet Explorer from displaying then as images: + # https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee + + image/x-icon cur ico; + + + # Microsoft Office + + application/msword doc; + application/vnd.ms-excel xls; + application/vnd.ms-powerpoint ppt; + application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; + application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; + + + # Web fonts + + application/font-woff woff; + application/font-woff2 woff2; + application/vnd.ms-fontobject eot; + + # Browsers usually ignore the font media types and simply sniff + # the bytes to figure out the font type. 
+ # https://mimesniff.spec.whatwg.org/#matching-a-font-type-pattern + # + # However, Blink and WebKit based browsers will show a warning + # in the console if the following font types are served with any + # other media types. + + application/x-font-ttf ttc ttf; + font/opentype otf; + + + # Other + + application/java-archive ear jar war; + application/mac-binhex40 hqx; + application/octet-stream bin deb dll dmg exe img iso msi msm msp safariextz; + application/pdf pdf; + application/postscript ai eps ps; + application/rtf rtf; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; + application/vnd.wap.wmlc wmlc; + application/x-7z-compressed 7z; + application/x-bb-appworld bbaw; + application/x-bittorrent torrent; + application/x-chrome-extension crx; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-opera-extension oex; + application/x-perl pl pm; + application/x-pilot pdb prc; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert crt der pem; + application/x-xpinstall xpi; + application/xhtml+xml xhtml; + application/xslt+xml xsl; + application/zip zip; + text/css css; + text/csv csv; + text/html htm html shtml; + text/markdown md; + text/mathml mml; + text/plain txt; + text/vcard vcard vcf; + text/vnd.rim.location.xloc xloc; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/vtt vtt; + text/x-component htc; + +} diff --git a/docker/nginx-web.conf b/docker/nginx-web.conf new file mode 100644 index 00000000..b3d18071 --- /dev/null +++ b/docker/nginx-web.conf 
@@ -0,0 +1,25 @@
+#######################################################################
+# WARNING: This file is generated. Do not make changes to this file. #
+# They will be overwritten on update. You can manage various settings #
+# used in this file from the ./bwdata/config.yml file for your #
+# installation. #
+#######################################################################
+
+server {
+ listen 8080 default_server;
+ listen [::]:8080 default_server;
+ include /etc/nginx/security-headers.conf;
+
+ location / {
+ root /app;
+ index index.html index.htm;
+ include /etc/nginx/security-headers.conf;
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Robots-Tag "noindex, nofollow";
+ }
+
+ location /alive {
+ return 200 'alive';
+ add_header Content-Type text/plain;
+ }
+}
diff --git a/docker/nginx.conf b/docker/nginx.conf
new file mode 100644
index 00000000..ac7e5c3f
--- /dev/null
+++ b/docker/nginx.conf
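Review bot: The `/alive` location sets its own `add_header Content-Type text/plain;`, and because an `add_header` inside a location replaces rather than merges the headers inherited from the `server` level, that endpoint is served with none of the headers from security-headers.conf (the `location /` block works around this by re-including the file; `/alive` does not). As far as I can tell `return 200 'alive'` takes its Content-Type from `default_type` (application/octet-stream in nginx.conf), so the `add_header` produces a second Content-Type header rather than replacing it; use `default_type text/plain;` in that location and add `include /etc/nginx/security-headers.conf;` next to it. The banner says the file is generated from `./bwdata/config.yml`, but here it is committed source that nothing regenerates, so the warning is misleading and should be dropped or reworded. `listen 8080` also disagrees with the Dockerfile's `EXPOSE 80` and port-80 health check; one side needs to change.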
@@ -0,0 +1,149 @@
+# nginx Configuration File
+# http://wiki.nginx.org/Configuration
+
+# Run as a less privileged user for security reasons.
+# user www www;
+
+# How many worker threads to run;
+# "auto" sets it to the number of CPU cores available in the system, and
+# offers the best performance. Don't set it higher than the number of CPU
+# cores if changing this parameter.
+
+# The maximum number of connections for Nginx is calculated by:
+# max_clients = worker_processes * worker_connections
+worker_processes auto;
+
+# Maximum open file descriptors per process;
+# should be > worker_connections.
+worker_rlimit_nofile 8192;
+
+events {
+ # When you need > 8000 * cpu_cores connections, you start optimizing your OS,
+ # and this is probably the point at which you hire people who are smarter than
+ # you, as this is *a lot* of requests.
+ worker_connections 8000;
+}
+
+# Default error log file
+# (this is only used when you don't override error_log on a server{} level)
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx/nginx.pid;
+
+http {
+ include proxy.conf;
+
+ # Hide nginx version information.
+ server_tokens off;
+
+ # Define the MIME types for files.
+ include mime.types;
+ default_type application/octet-stream;
+
+ # Update charset_types to match updated mime.types.
+ # text/html is always included by charset module.
+ # Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml
+ charset_types
+ text/css
+ text/plain
+ text/vnd.wap.wml
+ application/javascript
+ application/json
+ application/rss+xml
+ application/xml;
+
+ # Format to use in log files
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ # Default log file
+ # (this is only used when you don't override access_log on a server{} level)
+ access_log /var/log/nginx/access.log main;
+
+ # How long to allow each connection to stay idle; longer values are better
+ # for each individual client, particularly for SSL, but means that worker
+ # connections are tied up longer. (Default: 65)
+ keepalive_timeout 20;
+
+ # Speed up file transfers by using sendfile() to copy directly
+ # between descriptors rather than using read()/write().
+ # For performance reasons, on FreeBSD systems w/ ZFS
+ # this option should be disabled as ZFS's ARC caches
+ # frequently used files in RAM by default.
+ sendfile on;
+
+ # Tell Nginx not to send out partial frames; this increases throughput
+ # since TCP frames are filled up before being sent out. (adds TCP_CORK)
+ tcp_nopush on;
+
+
+ # Compression
+
+ # Enable Gzip compressed.
+ gzip on;
+
+ # Compression level (1-9).
+ # 5 is a perfect compromise between size and cpu usage, offering about
+ # 75% reduction for most ascii files (almost identical to level 9).
+ gzip_comp_level 5;
+
+ # Don't compress anything that's already small and unlikely to shrink much
+ # if at all (the default is 20 bytes, which is bad as that usually leads to
+ # larger files after gzipping).
+ gzip_min_length 256;
+
+ # Compress data even for clients that are connecting to us via proxies,
+ # identified by the "Via" header (required for CloudFront).
+ gzip_proxied any;
+
+ # Tell proxies to cache both the gzipped and regular version of a resource
+ # whenever the client's Accept-Encoding capabilities header varies;
+ # Avoids the issue where a non-gzip capable client (which is extremely rare
+ # today) would display gibberish if their proxy gave them the gzipped version.
+ gzip_vary on;
+
+ # Compress all output labeled with one of the following MIME-types.
+ gzip_types
+ application/atom+xml
+ application/javascript
+ application/json
+ application/ld+json
+ application/manifest+json
+ application/rss+xml
+ application/vnd.geo+json
+ application/vnd.ms-fontobject
+ application/x-font-ttf
+ application/x-web-app-manifest+json
+ application/xhtml+xml
+ application/xml
+ font/opentype
+ image/bmp
+ image/svg+xml
+ image/x-icon
+ text/cache-manifest
+ text/css
+ text/plain
+ text/vcard
+ text/vnd.rim.location.xloc
+ text/vtt
+ text/x-component
+ text/x-cross-domain-policy;
+ # text/html is always compressed by HttpGzipModule
+
+ # This should be turned on if you are going to have pre-compressed copies (.gz) of
+ # static files available. If not it should be left off as it will cause extra I/O
+ # for the check. It is best if you enable this in a location{} block for
+ # a specific directory, or on an individual server{} level.
+ # gzip_static on;
+
+ # Content type for FIDO U2F facets
+ map $uri $fido_content_type {
+ default "application/fido.trusted-apps+json";
+ }
+
+ # Include files in the sites-enabled folder. server{} configuration files should be
+ # placed in the sites-available folder, and then the configuration should be enabled
+ # by creating a symlink to it in the sites-enabled folder.
+ # See doc/sites-enabled.md for more info.
+ include conf.d/*.conf;
+}
diff --git a/docker/security-headers.conf b/docker/security-headers.conf
new file mode 100644
index 00000000..bda397a1
--- /dev/null
+++ b/docker/security-headers.conf
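Review bot: `include proxy.conf;` at the top of the `http` block references a file that neither this diff nor, as far as I know, the official nginx image provides, so nginx would refuse its configuration at startup unless the unseen part of entrypoint.sh writes that file; either drop the include or add `proxy.conf` to the Dockerfile's `COPY` list. Likewise `include conf.d/*.conf;` at the bottom picks up the base image's stock `default.conf` (port 80, `/usr/share/nginx/html`) and not `nginx-web.conf`, which the Dockerfile copies to `/etc/nginx/`, so the web-vault server block is never loaded as written. On privilege: `# user www www;` stays commented, so workers run as nginx's compile-time default user (the `nginx` account in the official image, to be confirmed) while the master runs as whoever launched it; set `user` explicitly to the same account `/app` is chowned to in entrypoint.sh. `pid /var/run/nginx/nginx.pid;` also needs `/var/run/nginx` to exist and be writable, which the base image does not obviously provide — its default config uses `/var/run/nginx.pid`.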
@@ -0,0 +1,3 @@
+add_header Referrer-Policy same-origin;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
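Review bot: `add_header` only applies to 2xx/3xx responses by default, so error responses (a 404 for a missing vault asset, any 5xx) go out without `X-Content-Type-Options` and the rest; append `always` to each line, e.g. `add_header X-Content-Type-Options nosniff always;`. `X-XSS-Protection "1; mode=block"` is deprecated — current browsers ignore it and the legacy filter it enabled in older ones was itself abusable for cross-site leaks — so either drop the line or set it to `0`. A `Content-Security-Policy` for the vault is absent from this set; I cannot propose the right policy from this diff alone, but it should be defined somewhere before this ships. Because a `location`-level `add_header` discards the inherited ones, this file must be included again in every location that adds its own header; a one-line comment at the top saying so, `# add_header does not inherit: re-include this file in any location that sets add_header`, would save the next maintainer a surprise.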