-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathDockerfile.wasm
More file actions
108 lines (86 loc) · 4.43 KB
/
Dockerfile.wasm
File metadata and controls
108 lines (86 loc) · 4.43 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
# Blazor WebAssembly Dockerfile
# Security Hardened - CVE-free configuration
#
# SECURITY FEATURES:
# - Pinned image versions
# - Non-root nginx user (UID 101)
# - Read-only filesystem compatible
# - Security headers configured
# - Minimal attack surface
#
# Build: docker build -f Dockerfile.wasm -t insightlearn/wasm:2.0.0 .
# =============================================================================
# Stage 1: Build WASM application
# =============================================================================
# SECURITY: Pin to specific version
FROM mcr.microsoft.com/dotnet/sdk:8.0.404-alpine3.20 AS build
LABEL security.stage="build"
WORKDIR /src
# Install WebAssembly workload (REQUIRED for Blazor WASM)
RUN dotnet workload install wasm-tools
# Copy project files (in dependency order: Core -> Shared -> WebAssembly)
COPY ["src/InsightLearn.Core/InsightLearn.Core.csproj", "src/InsightLearn.Core/"]
COPY ["src/InsightLearn.Shared/InsightLearn.Shared.csproj", "src/InsightLearn.Shared/"]
COPY ["src/InsightLearn.WebAssembly/InsightLearn.WebAssembly.csproj", "src/InsightLearn.WebAssembly/"]
RUN dotnet restore "src/InsightLearn.WebAssembly/InsightLearn.WebAssembly.csproj"
# Copy source code
COPY . .
WORKDIR "/src/src/InsightLearn.WebAssembly"
# Build and publish (disable AOT for faster builds and compatibility)
RUN dotnet build "InsightLearn.WebAssembly.csproj" -c Release -o /app/build /maxcpucount:1
RUN dotnet publish "InsightLearn.WebAssembly.csproj" -c Release -o /app/publish \
/p:UseAppHost=false \
/p:RunAOTCompilation=false \
/p:WasmBuildNative=false
# =============================================================================
# Stage 2: Production nginx with security hardening
# =============================================================================
# SECURITY: Pin to specific version - use unprivileged nginx
FROM docker.io/library/nginx:1.27.3-alpine AS final
# Security labels
LABEL org.opencontainers.image.source="https://github.com/insightlearn/insightlearn"
LABEL org.opencontainers.image.vendor="InsightLearn"
LABEL org.opencontainers.image.title="InsightLearn WASM Frontend"
LABEL security.hardened="true"
LABEL security.non-root="true"
WORKDIR /usr/share/nginx/html
# SECURITY: Create writable directories for nginx runtime
# Note: /tmp is already writable for logs in read-only filesystem mode
RUN mkdir -p /var/cache/nginx/client_temp \
/var/cache/nginx/proxy_temp \
/var/cache/nginx/fastcgi_temp \
/var/cache/nginx/uwsgi_temp \
/var/cache/nginx/scgi_temp \
/var/run \
/tmp/nginx && \
# Set ownership to nginx user (UID 101 in alpine nginx)
chown -R nginx:nginx /var/cache/nginx /var/run /usr/share/nginx/html /tmp/nginx && \
chmod -R 755 /var/cache/nginx /tmp/nginx
# Copy published WASM files with correct ownership
COPY --from=build --chown=nginx:nginx /app/publish/wwwroot .
# Fix file permissions (ensure readable by nginx)
RUN find . -type f -exec chmod 644 {} \; && \
find . -type d -exec chmod 755 {} \;
# Copy IndexNow verification file (for Bing/Yandex instant indexing)
COPY --from=build --chown=nginx:nginx /src/src/InsightLearn.WebAssembly/wwwroot/ebd57a262cfe8ff8de852eba65288c19.txt ./ebd57a262cfe8ff8de852eba65288c19.txt
# Copy custom JavaScript files
COPY --from=build --chown=nginx:nginx /src/src/InsightLearn.WebAssembly/wwwroot/js/httpClient.js ./js/httpClient.js
# Copy appsettings.json and nginx config from docker/ directory
COPY --chown=nginx:nginx docker/wasm-appsettings.json /usr/share/nginx/html/appsettings.json
COPY --chown=nginx:nginx docker/wasm-nginx.conf /etc/nginx/conf.d/default.conf
# Copy SSL certificates for HTTPS support (read-only)
COPY --chown=nginx:nginx docker/certs/tls.crt /etc/nginx/certs/tls.crt
COPY --chown=nginx:nginx docker/certs/tls.key /etc/nginx/certs/tls.key
RUN chmod 400 /etc/nginx/certs/tls.key
# SECURITY: Remove unnecessary files and clean up
# Note: Do NOT remove index.html as it is needed for Blazor WASM
RUN rm -rf /var/cache/apk/* /tmp/*
# SECURITY: Configure nginx to run as non-root with writable pid file
RUN sed -i 's/^user nginx;/#user nginx;/' /etc/nginx/nginx.conf && \
sed -i 's|pid /var/run/nginx.pid;|pid /tmp/nginx.pid;|' /etc/nginx/nginx.conf
# SECURITY: Switch to non-root user
USER 101:101
# Health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
CMD wget --quiet --tries=1 --spider http://localhost/ || exit 1
EXPOSE 80