Containerized deployment: building an nginx image that runs as an unprivileged non-root user

1. Overview


When hardening a deployment, nginx needs to run as a non-root user. We can do this by modifying the nginx image and building a non-root variant with the Dockerfile below. When the process is started by the nginx user instead of root, it is not allowed to bind port 80, so the listen port must be changed to an unprivileged number above 1000. Here I expose 8080; that value is my own choice.


2. Dockerfile

Below is the Dockerfile; it can be used as-is:

# Base image
FROM nginx:alpine

LABEL maintainer="Andy zhang"

# Create resource dir
RUN mkdir -p /usr/share/nginx/html/dist

# Give the nginx user ownership of everything nginx writes to at runtime
# (cache, logs, lib dir, pid file) and of the configuration tree.
# Note: once /etc/nginx is owned by nginx, the chmod 777 is not needed for
# nginx to start; a world-writable config tree lets any process in the
# container rewrite the server configuration.
RUN mkdir -p /var/cache/nginx && chown -R nginx:nginx /var/cache/nginx && \
    mkdir -p /var/log/nginx   && chown -R nginx:nginx /var/log/nginx && \
    mkdir -p /var/lib/nginx   && chown -R nginx:nginx /var/lib/nginx && \
    touch /run/nginx.pid      && chown nginx:nginx /run/nginx.pid && \
    chown -R nginx:nginx /etc/nginx && chmod -R 777 /etc/nginx/

# Add custom configuration file
# (COPY runs after the chown above, so this file stays root-owned and is
# not writable by the nginx user; nginx only needs to read it)
COPY default.conf /etc/nginx/conf.d/default.conf

# Copy the frontend built files to the container
COPY dist.zip /tmp/

# Extract files (busybox in the alpine base provides unzip)
WORKDIR /tmp
RUN unzip dist.zip -d /usr/share/nginx/html/dist/

# Run as the nginx user from here on (applies to CMD as well)
USER nginx

# Expose port 8080 (unprivileged; a non-root process cannot bind 80)
EXPOSE 8080

# Start nginx in the foreground
CMD ["nginx", "-g", "daemon off;"]

Note: the nginx user used here already exists in the base image; there is no need to create it separately.

3. nginx configuration

Custom default.conf file:

server {
    listen       8080;
    server_name  localhost;

    # timeout settings
    proxy_connect_timeout 600;
    proxy_send_timeout    600;
    proxy_read_timeout    600;

    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header Host            $host:$server_port;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    client_max_body_size 100m;

    # nginx status page; this is readable by any client that can reach
    # the port, so restrict it to trusted addresses in production
    location /nginxstatus {
        stub_status on;
    }

    # Serve the front-end build
    location / {
        root  /usr/share/nginx/html/dist;
        index index.html;
        try_files $uri $uri/ /index.html;
    }

    # Handle requests for /swagger-config
    location /v3 {
        proxy_pass http://127.0.0.1:8091; # replace with the backend server address
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
        # add more proxy-related headers here as needed
    }

    # Handle backend requests
    location /api/ {
        proxy_pass http://127.0.0.1:8091;
        # pass the client's real IP to the backend
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # WebSocket support; the Upgrade handshake requires HTTP/1.1 to the
        # upstream (nginx proxies with HTTP/1.0 by default)
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
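The Dockerfile in section 2 and the default.conf above have to agree with each other for the non-root image to work: the final USER must not be root, every EXPOSE and every nginx listen port must be unprivileged, and the listen ports should be the ones exposed. The following Python script is an added example (not code from the original post) that performs those checks statically, and additionally flags a world-writable chmod on the configuration tree. The sample Dockerfile and config strings inside it are constructed to mirror the post; the function names and the finding messages are my own.

```python
"""Static checks for a non-root nginx image: Dockerfile plus nginx config.

Added example; it re-implements the checks an engineer does by eye on the
Dockerfile and default.conf: a non-root USER before CMD, unprivileged
EXPOSE/listen ports (>= 1024, since a non-root process cannot bind lower
ones), listen ports that are actually exposed, and no world-writable chmod.
"""
import re

PRIVILEGED_PORT_LIMIT = 1024  # ports below this need root (or CAP_NET_BIND_SERVICE)


def parse_dockerfile(text):
    """Return (final_user, exposed_ports, world_writable_paths).

    Only the directives relevant to the non-root checks are interpreted;
    backslash continuation lines are joined first so a multi-line RUN is
    scanned as one command.
    """
    joined = re.sub(r"\\\s*\n", " ", text)
    user, exposed, world_writable = None, set(), []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr = parts[0].upper()
        args = parts[1] if len(parts) > 1 else ""
        if instr == "USER":
            user = args.strip().split(":")[0]  # "nginx", "nginx:nginx" or a UID
        elif instr == "EXPOSE":
            for spec in args.split():
                exposed.add(int(spec.split("/")[0]))  # "8080/tcp" -> 8080
        elif instr == "RUN":
            # chmod [-R] <octal mode> <path>; an "other" digit with the
            # write bit set (2, 3, 6, 7) makes the path world-writable
            for m in re.finditer(r"chmod\s+(?:-R\s+)?([0-7]{3,4})\s+(\S+)", args):
                mode, path = m.group(1), m.group(2)
                if int(mode[-1]) & 0o2:
                    world_writable.append(path)
    return user, exposed, world_writable


def parse_listen_ports(conf):
    """Extract the port from every `listen` directive in an nginx config."""
    ports = set()
    for m in re.finditer(r"\blisten\s+([^;]+);", conf):
        first = m.group(1).split()[0]  # "8080", "0.0.0.0:8080", "[::]:8443 ssl"
        port = first.rsplit(":", 1)[-1]
        if port.isdigit():  # skip unix: sockets
            ports.add(int(port))
    return ports


def audit(dockerfile, nginx_conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    user, exposed, world_writable = parse_dockerfile(dockerfile)
    listen_ports = parse_listen_ports(nginx_conf)
    if user in (None, "root", "0"):
        findings.append("image runs as root: no non-root USER directive before CMD")
    for p in sorted(exposed | listen_ports):
        if p < PRIVILEGED_PORT_LIMIT:
            findings.append(f"port {p} is privileged; a non-root nginx cannot bind it")
    for p in sorted(listen_ports - exposed):
        findings.append(f"nginx listens on {p} but the Dockerfile does not EXPOSE it")
    for path in world_writable:
        findings.append(f"{path} made world-writable; ownership by the nginx user is enough")
    return findings


# Constructed samples mirroring the post's Dockerfile and default.conf.
SAMPLE_DOCKERFILE = """\
FROM nginx:alpine
RUN chown -R nginx:nginx /etc/nginx && \\
    chmod -R 777 /etc/nginx/
COPY default.conf /etc/nginx/conf.d/default.conf
USER nginx
EXPOSE 8080
CMD ["nginx", "-g", "daemon off;"]
"""

SAMPLE_CONF = """\
server {
    listen       8080;
    server_name  localhost;
}
"""

# Constructed counter-example: stock image, root user, privileged port.
ROOT_DOCKERFILE = """\
FROM nginx:alpine
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]
"""

if __name__ == "__main__":
    for name, df, conf in (("non-root", SAMPLE_DOCKERFILE, SAMPLE_CONF),
                           ("root", ROOT_DOCKERFILE, "server { listen 80; }")):
        print(f"{name}: {audit(df, conf) or ['ok']}")
```

Run it against the real files with `audit(open("Dockerfile").read(), open("default.conf").read())`; the post's image yields a single finding, the world-writable /etc/nginx/, while the stock root image on port 80 fails both the user and the port check.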

4. Building and running the image

Build the image yourself and push it to your own registry.

Run log. Two lines deserve a word: the "user" directive warning appears because the master process no longer runs as root, so the "user nginx;" line in the stock nginx.conf is ignored (harmless here, since the process is already nginx); the "can not modify default.conf" message comes from the entrypoint helper script, which runs as the nginx user and cannot write the root-owned file that COPY added after the chown step. nginx starts its workers normally in both cases:

/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: can not modify /etc/nginx/conf.d/default.conf (read-only file system?)
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2024/10/28 02:11:04 [warn] 1#1: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
2024/10/28 02:11:04 [notice] 1#1: using the "epoll" event method
2024/10/28 02:11:04 [notice] 1#1: nginx/1.24.0
2024/10/28 02:11:04 [notice] 1#1: built by gcc 12.2.1 20220924 (Alpine 12.2.1_git20220924-r4) 
2024/10/28 02:11:04 [notice] 1#1: OS: Linux 5.10.226-214.879.amzn2.x86_64
2024/10/28 02:11:04 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2024/10/28 02:11:04 [notice] 1#1: start worker processes
2024/10/28 02:11:04 [notice] 1#1: start worker process 24
2024/10/28 02:11:04 [notice] 1#1: start worker process 25
2024/10/28 02:11:04 [notice] 1#1: start worker process 26
2024/10/28 02:11:04 [notice] 1#1: start worker process 27
2024/10/28 02:11:04 [notice] 1#1: start worker process 28
2024/10/28 02:11:04 [notice] 1#1: start worker process 30
2024/10/28 02:11:04 [notice] 1#1: start worker process 31
2024/10/28 02:11:04 [notice] 1#1: start worker process 32
2024/10/28 02:11:04 [notice] 1#1: start worker process 35
2024/10/28 02:11:04 [notice] 1#1: start worker process 37
2024/10/28 02:11:04 [notice] 1#1: start worker process 38
2024/10/28 02:11:04 [notice] 1#1: start worker process 39
2024/10/28 02:11:04 [notice] 1#1: start worker process 40
2024/10/28 02:11:04 [notice] 1#1: start worker process 41
2024/10/28 02:11:04 [notice] 1#1: start worker process 42
2024/10/28 02:11:04 [notice] 1#1: start worker process 43