More work on the decoupling. It is not currently in a working state

.dockerignore

@@ -1,3 +1,4 @@
 *
+!docker/*
 !build/*
 !entrypoint.sh

Dockerfile

@@ -1,4 +1,4 @@
-FROM bitwarden/server:dev
+FROM nginx:stable
 
 LABEL com.bitwarden.product="bitwarden"
 
@@ -8,13 +8,29 @@ RUN apt-get update \
         curl \
 && rm -rf /var/lib/apt/lists/*
 
-ENV ASPNETCORE_URLS http://+:5000
+COPY docker/nginx.conf /etc/nginx
+COPY docker/nginx-web.conf /etc/nginx
+COPY docker/mime.types /etc/nginx
+COPY docker/security-headers.conf /etc/nginx
+
 WORKDIR /app
-EXPOSE 5000
 COPY ./build .
-COPY entrypoint.sh /
+COPY docker/entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
-HEALTHCHECK CMD curl -f http://localhost:5000 || exit 1
+RUN bash /entrypoint.sh
+RUN chown -R bitwarden:bitwarden /app && chmod -R 755 /app && \
+    chown -R bitwarden:bitwarden /var/cache/nginx && \
+    chown -R bitwarden:bitwarden /var/log/nginx && \
+    chown -R bitwarden:bitwarden /etc/nginx/conf.d
+RUN touch /var/run/nginx.pid && \
+    chown -R bitwarden:bitwarden /var/run/nginx.pid
 
-ENTRYPOINT ["/entrypoint.sh"]
+USER bitwarden
+
+EXPOSE 8080
+HEALTHCHECK CMD curl -f http://localhost:8080 || exit 1
+
+#ENTRYPOINT ["/entrypoint.sh"]
+#CMD ["tail", "-f", "/dev/null"]
+CMD nginx -g 'daemon off;'

docker/entrypoint.sh

@@ -32,7 +32,6 @@ mkhomedir_helper $USERNAME
 chown -R $USERNAME:$GROUPNAME /etc/bitwarden
 cp /etc/bitwarden/web/app-id.json /app/app-id.json
 chown -R $USERNAME:$GROUPNAME /app
-chown -R $USERNAME:$GROUPNAME /bitwarden_server
+#chown -R $USERNAME:$GROUPNAME /bitwarden_server
 
-exec gosu $USERNAME:$GROUPNAME dotnet /bitwarden_server/Server.dll \
-    /contentRoot=/app /webRoot=. /serveUnknown=false /webVault=true
+#exec nginx -g 'daemon off;'

docker/mime.types

@@ -0,0 +1,138 @@
+types {
+
+  # Data interchange
+
+    application/atom+xml                  atom;
+    application/json                      json map topojson;
+    application/ld+json                   jsonld;
+    application/rss+xml                   rss;
+    application/vnd.geo+json              geojson;
+    application/xml                       rdf xml;
+
+
+  # JavaScript
+
+    # Normalize to standard type.
+    # https://tools.ietf.org/html/rfc4329#section-7.2
+    application/javascript                js;
+
+
+  # Manifest files
+
+    application/manifest+json             webmanifest;
+    application/x-web-app-manifest+json   webapp;
+    text/cache-manifest                   appcache;
+
+
+  # Media files
+
+    audio/midi                            mid midi kar;
+    audio/mp4                             aac f4a f4b m4a;
+    audio/mpeg                            mp3;
+    audio/ogg                             oga ogg opus;
+    audio/x-realaudio                     ra;
+    audio/x-wav                           wav;
+    image/bmp                             bmp;
+    image/gif                             gif;
+    image/jpeg                            jpeg jpg;
+    image/jxr                             jxr hdp wdp;
+    image/png                             png;
+    image/svg+xml                         svg svgz;
+    image/tiff                            tif tiff;
+    image/vnd.wap.wbmp                    wbmp;
+    image/webp                            webp;
+    image/x-jng                           jng;
+    video/3gpp                            3gp 3gpp;
+    video/mp4                             f4p f4v m4v mp4;
+    video/mpeg                            mpeg mpg;
+    video/ogg                             ogv;
+    video/quicktime                       mov;
+    video/webm                            webm;
+    video/x-flv                           flv;
+    video/x-mng                           mng;
+    video/x-ms-asf                        asf asx;
+    video/x-ms-wmv                        wmv;
+    video/x-msvideo                       avi;
+
+    # Serving `.ico` image files with a different media type
+    # prevents Internet Explorer from displaying then as images:
+    # https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee
+
+    image/x-icon                          cur ico;
+
+
+  # Microsoft Office
+
+    application/msword                                                         doc;
+    application/vnd.ms-excel                                                   xls;
+    application/vnd.ms-powerpoint                                              ppt;
+    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
+    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
+    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;
+
+
+  # Web fonts
+
+    application/font-woff                 woff;
+    application/font-woff2                woff2;
+    application/vnd.ms-fontobject         eot;
+
+    # Browsers usually ignore the font media types and simply sniff
+    # the bytes to figure out the font type.
+    # https://mimesniff.spec.whatwg.org/#matching-a-font-type-pattern
+    #
+    # However, Blink and WebKit based browsers will show a warning
+    # in the console if the following font types are served with any
+    # other media types.
+
+    application/x-font-ttf                ttc ttf;
+    font/opentype                         otf;
+
+
+  # Other
+
+    application/java-archive              ear jar war;
+    application/mac-binhex40              hqx;
+    application/octet-stream              bin deb dll dmg exe img iso msi msm msp safariextz;
+    application/pdf                       pdf;
+    application/postscript                ai eps ps;
+    application/rtf                       rtf;
+    application/vnd.google-earth.kml+xml  kml;
+    application/vnd.google-earth.kmz      kmz;
+    application/vnd.wap.wmlc              wmlc;
+    application/x-7z-compressed           7z;
+    application/x-bb-appworld             bbaw;
+    application/x-bittorrent              torrent;
+    application/x-chrome-extension        crx;
+    application/x-cocoa                   cco;
+    application/x-java-archive-diff       jardiff;
+    application/x-java-jnlp-file          jnlp;
+    application/x-makeself                run;
+    application/x-opera-extension         oex;
+    application/x-perl                    pl pm;
+    application/x-pilot                   pdb prc;
+    application/x-rar-compressed          rar;
+    application/x-redhat-package-manager  rpm;
+    application/x-sea                     sea;
+    application/x-shockwave-flash         swf;
+    application/x-stuffit                 sit;
+    application/x-tcl                     tcl tk;
+    application/x-x509-ca-cert            crt der pem;
+    application/x-xpinstall               xpi;
+    application/xhtml+xml                 xhtml;
+    application/xslt+xml                  xsl;
+    application/zip                       zip;
+    text/css                              css;
+    text/csv                              csv;
+    text/html                             htm html shtml;
+    text/markdown                         md;
+    text/mathml                           mml;
+    text/plain                            txt;
+    text/vcard                            vcard vcf;
+    text/vnd.rim.location.xloc            xloc;
+    text/vnd.sun.j2me.app-descriptor      jad;
+    text/vnd.wap.wml                      wml;
+    text/vtt                              vtt;
+    text/x-component                      htc;
+
+}

docker/nginx-web.conf

@@ -0,0 +1,25 @@
+#######################################################################
+# WARNING: This file is generated. Do not make changes to this file.  #
+# They will be overwritten on update. You can manage various settings #
+# used in this file from the ./bwdata/config.yml file for your        #
+# installation.                                                       #
+#######################################################################
+
+server {
+  listen 8080 default_server;
+  listen [::]:8080 default_server;
+  include /etc/nginx/security-headers.conf;
+
+  location / {
+    root /app;
+    index index.html index.htm;
+    include /etc/nginx/security-headers.conf;
+    add_header X-Frame-Options SAMEORIGIN;
+    add_header X-Robots-Tag "noindex, nofollow";
+  }
+
+  location /alive {
+    return 200 'alive';
+    add_header Content-Type text/plain;
+  }
+}

docker/nginx.conf

@@ -0,0 +1,147 @@
+# nginx Configuration File
+# http://wiki.nginx.org/Configuration
+
+# Run as a less privileged user for security reasons.
+# user www www;
+
+# How many worker threads to run;
+# "auto" sets it to the number of CPU cores available in the system, and
+# offers the best performance. Don't set it higher than the number of CPU
+# cores if changing this parameter.
+
+# The maximum number of connections for Nginx is calculated by:
+# max_clients = worker_processes * worker_connections
+worker_processes auto;
+
+# Maximum open file descriptors per process;
+# should be > worker_connections.
+worker_rlimit_nofile 8192;
+
+events {
+  # When you need > 8000 * cpu_cores connections, you start optimizing your OS,
+  # and this is probably the point at which you hire people who are smarter than
+  # you, as this is *a lot* of requests.
+  worker_connections 8000;
+}
+
+# Default error log file
+# (this is only used when you don't override error_log on a server{} level)
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+http {
+  # Hide nginx version information.
+  server_tokens off;
+
+  # Define the MIME types for files.
+  include       mime.types;
+  default_type  application/octet-stream;
+
+  # Update charset_types to match updated mime.types.
+  # text/html is always included by charset module.
+  # Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml
+  charset_types
+    text/css
+    text/plain
+    text/vnd.wap.wml
+    application/javascript
+    application/json
+    application/rss+xml
+    application/xml;
+
+  # Format to use in log files
+  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for"';
+
+  # Default log file
+  # (this is only used when you don't override access_log on a server{} level)
+  access_log /var/log/nginx/access.log main;
+
+  # How long to allow each connection to stay idle; longer values are better
+  # for each individual client, particularly for SSL, but means that worker
+  # connections are tied up longer. (Default: 65)
+  keepalive_timeout 20;
+
+  # Speed up file transfers by using sendfile() to copy directly
+  # between descriptors rather than using read()/write().
+  # For performance reasons, on FreeBSD systems w/ ZFS 
+  # this option should be disabled as ZFS's ARC caches
+  # frequently used files in RAM by default.
+  sendfile        on;
+
+  # Tell Nginx not to send out partial frames; this increases throughput
+  # since TCP frames are filled up before being sent out. (adds TCP_CORK)
+  tcp_nopush      on;
+
+
+  # Compression
+
+  # Enable Gzip compressed.
+  gzip on;
+
+  # Compression level (1-9).
+  # 5 is a perfect compromise between size and cpu usage, offering about
+  # 75% reduction for most ascii files (almost identical to level 9).
+  gzip_comp_level    5;
+
+  # Don't compress anything that's already small and unlikely to shrink much
+  # if at all (the default is 20 bytes, which is bad as that usually leads to
+  # larger files after gzipping).
+  gzip_min_length    256;
+
+  # Compress data even for clients that are connecting to us via proxies,
+  # identified by the "Via" header (required for CloudFront).
+  gzip_proxied       any;
+
+  # Tell proxies to cache both the gzipped and regular version of a resource
+  # whenever the client's Accept-Encoding capabilities header varies;
+  # Avoids the issue where a non-gzip capable client (which is extremely rare
+  # today) would display gibberish if their proxy gave them the gzipped version.
+  gzip_vary          on;
+
+  # Compress all output labeled with one of the following MIME-types.
+  gzip_types
+    application/atom+xml
+    application/javascript
+    application/json
+    application/ld+json
+    application/manifest+json
+    application/rss+xml
+    application/vnd.geo+json
+    application/vnd.ms-fontobject
+    application/x-font-ttf
+    application/x-web-app-manifest+json
+    application/xhtml+xml
+    application/xml
+    font/opentype
+    image/bmp
+    image/svg+xml
+    image/x-icon
+    text/cache-manifest
+    text/css
+    text/plain
+    text/vcard
+    text/vnd.rim.location.xloc
+    text/vtt
+    text/x-component
+    text/x-cross-domain-policy;
+  # text/html is always compressed by HttpGzipModule
+
+  # This should be turned on if you are going to have pre-compressed copies (.gz) of
+  # static files available. If not it should be left off as it will cause extra I/O
+  # for the check. It is best if you enable this in a location{} block for
+  # a specific directory, or on an individual server{} level.
+  # gzip_static on;
+  
+  # Content type for FIDO U2F facets
+  map $uri $fido_content_type {
+    default "application/fido.trusted-apps+json";
+  }
+
+  # Include files in the sites-enabled folder. server{} configuration files should be
+  # placed in the sites-available folder, and then the configuration should be enabled
+  # by creating a symlink to it in the sites-enabled folder.
+  # See doc/sites-enabled.md for more info.
+  include conf.d/*.conf;
+}

docker/security-headers.conf

@@ -0,0 +1,3 @@
+add_header Referrer-Policy same-origin;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";