Skip to content

Commit 9e9b36c

Browse files
jk464jk464
committed
Allow st2web to run as non-root w/o privileges
1 parent cebea8d commit 9e9b36c

File tree

3 files changed

+82
-44
lines changed

3 files changed

+82
-44
lines changed

st2web/Dockerfile

+3-2
Original file line numberDiff line numberDiff line change
@@ -76,7 +76,8 @@ RUN if [ "${ST2_VERSION#*dev}" != "${ST2_VERSION}" ]; then \
7676
# It's a user's responsbility to pass the valid SSL certificate files: 'st2.key' and 'st2.crt', used in nginx
7777
VOLUME ["/etc/ssl/st2/"]
7878

79-
EXPOSE 80
80-
EXPOSE 443
79+
EXPOSE 8080
80+
EXPOSE 8443
8181
STOPSIGNAL SIGTERM
82+
RUN touch /var/run/nginx.pid && chown 101:101 /etc/nginx/conf.d/ /var/cache/nginx/ /var/run/nginx.pid
8283
CMD ["/bin/bash", "-c", "if [ ${ST2WEB_HTTPS} = 1 ]; then ST2WEB_TEMPLATE='/etc/nginx/conf.d/st2-https.template'; else ST2WEB_TEMPLATE='/etc/nginx/conf.d/st2-http.template'; fi && envsubst '${ST2_AUTH_URL} ${ST2_API_URL} ${ST2_STREAM_URL}' < ${ST2WEB_TEMPLATE} > /etc/nginx/conf.d/st2.conf && exec nginx -g 'daemon off;'"]

st2web/files/st2.conf-http.patch

+27-25
Original file line numberDiff line numberDiff line change
@@ -1,22 +1,24 @@
1-
--- st2.conf 2021-06-18 19:45:50.892196136 +0100
2-
+++ st2.http.conf 2021-06-18 19:50:00.098280995 +0100
3-
@@ -8,44 +8,18 @@
4-
1+
--- st2.conf 2023-09-01 16:31:41.000000000 +0100
2+
+++ st2.http.conf 2023-09-01 16:33:45.000000000 +0100
3+
@@ -7,45 +7,19 @@
4+
# see https://docs.stackstorm.com/install.html for details
5+
56
server {
6-
listen *:80 default_server;
7+
- listen *:80 default_server;
8+
+ listen *:8080 default_server;
79
+ server_tokens off;
8-
10+
911
- add_header Front-End-Https on;
1012
add_header X-Content-Type-Options nosniff;
11-
13+
1214
- if ($ssl_protocol = "") {
1315
- return 308 https://$host$request_uri;
1416
- }
15-
if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
16-
return 405;
17-
}
18-
index index.html;
19-
17+
- if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
18+
- return 405;
19+
- }
20+
- index index.html;
21+
-
2022
- access_log /var/log/nginx/st2webui.access.log combined;
2123
- error_log /var/log/nginx/st2webui.error.log;
2224
-}
@@ -25,9 +27,9 @@
2527
- listen *:443 ssl;
2628
- server_tokens off;
2729
-
28-
- if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
29-
- return 405;
30-
- }
30+
if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
31+
return 405;
32+
}
3133
-
3234
- ssl_certificate /etc/ssl/st2/st2.crt;
3335
- ssl_certificate_key /etc/ssl/st2/st2.key;
@@ -37,41 +39,41 @@
3739
- ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
3840
- ssl_prefer_server_ciphers on;
3941
-
40-
- index index.html;
41-
-
42+
index index.html;
43+
4244
- access_log /var/log/nginx/ssl-st2webui.access.log combined;
4345
- error_log /var/log/nginx/ssl-st2webui.error.log;
4446
+ access_log /proc/self/fd/1 combined;
4547
+ error_log stderr;
46-
48+
4749
- add_header Front-End-Https on;
4850
add_header X-Content-Type-Options nosniff;
4951
add_header X-Frame-Options DENY always;
5052
add_header Strict-Transport-Security "max-age=3153600;includeSubDomains";
5153
@@ -61,7 +35,7 @@
52-
54+
5355
rewrite ^/api/(.*) /$1 break;
54-
56+
5557
- proxy_pass http://127.0.0.1:9101/;
5658
+ proxy_pass ${ST2_API_URL};
5759
proxy_read_timeout 90;
5860
proxy_connect_timeout 90;
5961
proxy_redirect off;
6062
@@ -99,7 +73,7 @@
61-
63+
6264
rewrite ^/stream/(.*) /$1 break;
63-
65+
6466
- proxy_pass http://127.0.0.1:9102/;
6567
+ proxy_pass ${ST2_STREAM_URL};
6668
proxy_set_header Host $host;
6769
proxy_set_header X-Real-IP $remote_addr;
6870
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
6971
@@ -138,7 +112,7 @@
70-
72+
7173
rewrite ^/auth/(.*) /$1 break;
72-
74+
7375
- proxy_pass http://127.0.0.1:9100/;
7476
+ proxy_pass ${ST2_AUTH_URL};
7577
proxy_read_timeout 90;
7678
proxy_connect_timeout 90;
77-
proxy_redirect off;
79+
proxy_redirect off;

st2web/files/st2.conf-https.patch

+52-17
Original file line numberDiff line numberDiff line change
@@ -1,51 +1,86 @@
1-
--- st2.conf 2021-06-18 19:45:50.892196136 +0100
2-
+++ st2.https.conf 2021-06-18 19:45:50.884196198 +0100
3-
@@ -20,8 +20,8 @@
1+
--- st2.conf 2023-09-18 15:03:31.000000000 +0100
2+
+++ st2.https.conf 2023-09-18 15:12:35.000000000 +0100
3+
@@ -7,7 +7,7 @@
4+
# see https://docs.stackstorm.com/install.html for details
5+
6+
server {
7+
- listen *:80 default_server;
8+
+ listen *:8080 default_server;
9+
10+
add_header Front-End-Https on;
11+
add_header X-Content-Type-Options nosniff;
12+
@@ -20,12 +20,12 @@
413
}
514
index index.html;
6-
15+
716
- access_log /var/log/nginx/st2webui.access.log combined;
817
- error_log /var/log/nginx/st2webui.error.log;
918
+ access_log /proc/self/fd/1 combined;
1019
+ error_log stderr;
1120
}
12-
21+
1322
server {
23+
- listen *:443 ssl;
24+
+ listen *:8443 ssl;
25+
server_tokens off;
26+
27+
if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
1428
@@ -42,8 +42,8 @@
15-
29+
1630
index index.html;
17-
31+
1832
- access_log /var/log/nginx/ssl-st2webui.access.log combined;
1933
- error_log /var/log/nginx/ssl-st2webui.error.log;
2034
+ access_log /proc/self/fd/1 combined;
2135
+ error_log stderr;
22-
36+
2337
add_header Front-End-Https on;
2438
add_header X-Content-Type-Options nosniff;
25-
@@ -61,7 +61,7 @@
26-
39+
@@ -61,10 +61,11 @@
40+
2741
rewrite ^/api/(.*) /$1 break;
28-
42+
2943
- proxy_pass http://127.0.0.1:9101/;
3044
+ proxy_pass ${ST2_API_URL};
3145
proxy_read_timeout 90;
3246
proxy_connect_timeout 90;
3347
proxy_redirect off;
34-
@@ -99,7 +99,7 @@
35-
48+
+ proxy_ssl_verify off;
49+
50+
proxy_set_header Host $host;
51+
proxy_set_header X-Real-IP $remote_addr;
52+
@@ -99,12 +100,13 @@
53+
3654
rewrite ^/stream/(.*) /$1 break;
37-
55+
3856
- proxy_pass http://127.0.0.1:9102/;
3957
+ proxy_pass ${ST2_STREAM_URL};
4058
proxy_set_header Host $host;
4159
proxy_set_header X-Real-IP $remote_addr;
4260
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
43-
@@ -138,7 +138,7 @@
44-
61+
proxy_read_timeout 200;
62+
proxy_connect_timeout 200;
63+
+ proxy_ssl_verify off;
64+
65+
sendfile on;
66+
tcp_nopush on;
67+
@@ -138,10 +140,11 @@
68+
4569
rewrite ^/auth/(.*) /$1 break;
46-
70+
4771
- proxy_pass http://127.0.0.1:9100/;
4872
+ proxy_pass ${ST2_AUTH_URL};
4973
proxy_read_timeout 90;
5074
proxy_connect_timeout 90;
5175
proxy_redirect off;
76+
+ proxy_ssl_verify off;
77+
78+
proxy_set_header Host $host;
79+
proxy_set_header X-Real-IP $remote_addr;
80+
@@ -164,4 +167,4 @@
81+
tcp_nopush on;
82+
tcp_nodelay on;
83+
}
84+
-}
85+
+}
86+
\ No newline at end of file

0 commit comments

Comments
 (0)