v1.4.0 (#6)

## Summary

This PR improves the containerized deployment with a focus on security,
performance, and maintainability, while keeping a single-container setup
suitable for low-resource and free hosting environments.

> No application logic was changed.

## Changes

### Runtime & Architecture

- Switch application runtime to ASGI using gunicorn +
uvicorn.workers.UvicornWorker

### Remove dependency on Django Channels (no WebSocket usage)

- Keep Django running in ASGI mode for improved concurrency and future
compatibility

### Security

- Run nginx and the application as a non-root user
- Use a local, non-root-friendly nginx.conf
- Avoid runtime mutation of system configuration files
- Remove sensitive files (.env, .secret) during build
- Add a concise SECURITY.md with responsible disclosure guidance (hobby
project, no SLA)

### Performance & Image Size

- Switch base image to python:3.11-alpine
- Reduce image size and build time
- Improve Docker layer caching by installing dependencies before copying
source code

### Maintenance & Cleanup

- Simplify entrypoint.sh (no fixed sleep, no sed or chown at runtime)
- Ensure clean shutdown by running nginx as PID 1
- Keep configuration minimal and explicit

## Notes

- Designed for environments where docker-compose is not available
- HTTP-only by design (no WebSocket support)
- Suitable for hobby and personal projects without guaranteed SLAs

Author: BrunoRNS

Dockerfile

@@ -1,43 +1,54 @@
-FROM python:3.11-slim-bookworm
+FROM python:3.11-alpine
 
-ENV PYTHONDONTWRITEBYTECODE 1
-ENV PYTHONUNBUFFERED 1
-ENV VIRTUAL_ENV=/opt/venv
-ENV PATH="$VIRTUAL_ENV/bin:$PATH"
-ENV DEBUG=False
-
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends nginx python3-venv && \
-    rm -rf /var/lib/apt/lists/*
-
-RUN python -m venv $VIRTUAL_ENV
-
-RUN groupadd -r nginxgroup && \
-    useradd -r -g nginxgroup -s /bin/false nginxuser
-
-RUN mkdir -p /run/nginx && \
-    chown -R nginxuser:nginxgroup /run/nginx /var/log/nginx /var/lib/nginx
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    VIRTUAL_ENV=/opt/venv \
+    PATH="/opt/venv/bin:$PATH" \
+    DEBUG=False
+    
+RUN apk add --no-cache \
+        nginx \
+        bash \
+        ca-certificates \
+        libffi \
+        libffi-dev \
+        openssl \
+        openssl-dev \
+        libsodium \
+        linux-headers \
+        gcc \
+        musl-dev \
+        cargo \
+    && python -m venv /opt/venv \
+    && addgroup -S nginxgroup \
+    && adduser -S nginxuser -G nginxgroup \
+    && mkdir -p \
+        /run/nginx \
+        /var/log/nginx \
+        /var/lib/nginx \
+    && chown -R nginxuser:nginxgroup \
+        /run/nginx \
+        /var/log/nginx \
+        /var/lib/nginx
 
 WORKDIR /app
 
 COPY requirements.txt .
-RUN /opt/venv/bin/pip install --no-cache-dir -r requirements.txt
+RUN pip install --upgrade pip wheel \
+    && pip install --no-cache-dir -r requirements.txt
 
 COPY . .
 
-RUN /opt/venv/bin/python manage.py collectstatic --noinput && \
-    find . -type f -name '*.env' -delete && \
-    find . -type f -name '*.secret' -delete
+RUN python manage.py collectstatic --noinput \
+    && find . -type f \( -name '*.env' -o -name '*.secret' \) -delete
 
-RUN rm -f /etc/nginx/sites-enabled/default
+RUN rm -f /etc/nginx/http.d/default.conf
 COPY nginx.conf /etc/nginx/nginx.conf
 
 COPY entrypoint.sh /app/entrypoint.sh
-
-RUN chmod 755 /app/entrypoint.sh && \
-    chmod a-w /app/entrypoint.sh
-    
-RUN chown -R nginxuser:nginxgroup /app
+RUN chown nginxuser:nginxgroup /app/entrypoint.sh \
+    && chmod 550 /app/entrypoint.sh \
+    && chown -R nginxuser:nginxgroup /app
 
 EXPOSE 8080
 

README.md

@@ -22,7 +22,7 @@ You can visit my portfolio online at [My Portfolio](https://myportfolio-kn09.onr
 
 #### Prerequisites
 
-- Python 3.11 or 3.12
+- Python 3.11+
 - python3-virtualenv or python3-venv
 - Redis (for caching)
 - Docker (optional)

SECURITY.md

@@ -0,0 +1,45 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you believe you have found a security issue in this project, please **do not open a public issue**.
+
+Instead, report it privately using one of the contacts below:
+
+- **Email:** brunoriansouza@gmail.com
+
+Please include:
+
+* A brief description of the issue
+* Steps to reproduce (if possible)
+* Potential impact
+
+This is a **hobby project**. I will respond **as soon as possible**, but **no response time is guaranteed**.
+
+## Supported Versions
+
+Only the **latest version** of this project is supported.
+
+Older versions do not receive security updates.
+
+## Scope and Disclaimer
+
+This project is provided **as-is**, without any warranty or guarantee of security.
+
+The following are generally out of scope:
+
+- Issues caused by misconfiguration or improper deployment
+- Vulnerabilities in third-party services or dependencies
+- Denial-of-service attacks
+
+Users are responsible for deploying and running this software securely.
+
+## Responsible Disclosure
+
+Please:
+
+- Act in good faith
+- Avoid publicly disclosing vulnerabilities before a fix is available
+- Do not exploit issues beyond a proof of concept
+
+Thank you for helping keep this project safer.

docs/LICENSE.md

@@ -1,6 +1,6 @@
 # GNU GENERAL PUBLIC LICENSE
 
-![Icon](./icon.png)
+![Icon](docs/icon.png)
 
 Version 3, 29 June 2007
 
@@ -674,4 +674,4 @@ program into proprietary programs. If your program is a subroutine
 library, you may consider it more useful to permit linking proprietary
 applications with the library. If this is what you want to do, use the
 GNU Lesser General Public License instead of this License. But first,
-please read <https://www.gnu.org/licenses/why-not-lgpl.html>.
+please read <https://www.gnu.org/licenses/why-not-lgpl.html>.

entrypoint.sh

@@ -1,20 +1,10 @@
-#!/bin/bash
+#!/bin/sh
+set -e
 
-PORT=${PORT:-8080}
-
-sed -i "s/listen 8080;/listen $PORT;/" /etc/nginx/nginx.conf
-
-mkdir -p /run/nginx
-chown nginxuser:nginxgroup /run/nginx
-
-/opt/venv/bin/gunicorn \
+ /opt/venv/bin/gunicorn \
+    server.asgi:application \
     --bind 0.0.0.0:8000 \
-    --workers 3 \
-    --worker-class gthread \
-    --threads 2 \
-    --timeout 30 \
-    server.wsgi &
-
-sleep 5
+    --workers 2 \
+    --worker-class uvicorn.workers.UvicornWorker &
 
 exec nginx -g "daemon off;"

nginx.conf

@@ -24,27 +24,35 @@ http {
     server {
         listen 8080;
         server_name _;
-        
+
         location ~* ^/(\.env|__debug__|debug|env|secrets) {
             deny all;
             return 403;
         }
 
         location / {
-            proxy_pass http://localhost:8000;
+            proxy_pass http://127.0.0.1:8000;
+
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
-            
+
             proxy_connect_timeout 15s;
             proxy_read_timeout 30s;
             proxy_send_timeout 30s;
         }
 
         server_tokens off;
+
         add_header X-Content-Type-Options "nosniff";
         add_header X-Frame-Options "DENY";
         add_header Referrer-Policy "same-origin";
+        add_header X-XSS-Protection "1; mode=block";
+        add_header Permissions-Policy "geolocation=()";
     }
 }