run traefik as non-root user, closes #1992

2024-11-15 06:08:38 +03:00 · 2019-09-07 12:13:16 +02:00 · 2019-09-07 12:13:16 +02:00 · db11de4e74
commit db11de4e74
parent bcf8ec3e89
3 changed files with 11 additions and 4 deletions
--- a/{{cookiecutter.project_slug}}/compose/production/traefik/Dockerfile
+++ b/{{cookiecutter.project_slug}}/compose/production/traefik/Dockerfile
@ -3,3 +3,10 @@ RUN mkdir -p /etc/traefik/acme
 RUN touch /etc/traefik/acme/acme.json
 RUN chmod 600 /etc/traefik/acme/acme.json
 COPY ./compose/production/traefik/traefik.toml /etc/traefik
+
+RUN addgroup -g 101 -S traefik
+RUN adduser -S -D -H -u 101 -s /sbin/nologin -G traefik -g traefik traefik
+RUN chown -R traefik /etc/traefik
+
+USER traefik
+EXPOSE 8080/tcp 8443/tcp
--- a/{{cookiecutter.project_slug}}/compose/production/traefik/traefik.toml
+++ b/{{cookiecutter.project_slug}}/compose/production/traefik/traefik.toml
@ -5,12 +5,12 @@ defaultEntryPoints = ["http", "https"]
 [entryPoints]
  # http should be redirected to https
  [entryPoints.http]
-  address = ":80"
+  address = ":8080"
    [entryPoints.http.redirect]
    entryPoint = "https"
  # https is the default
  [entryPoints.https]
-  address = ":443"
+  address = ":8443"
    [entryPoints.https.tls]

 # Enable ACME (Let's Encrypt): automatic SSL
--- a/{{cookiecutter.project_slug}}/production.yml
+++ b/{{cookiecutter.project_slug}}/production.yml
@ -40,8 +40,8 @@ services:
    volumes:
      - production_traefik:/etc/traefik/acme
    ports:
-      - "0.0.0.0:80:80"
-      - "0.0.0.0:443:443"
+      - "0.0.0.0:80:8080"
+      - "0.0.0.0:443:8443"

  redis:
    image: redis:5.0