Merge pull request #965 from opencb/TASK-6559

TASK-6559 - Security: IVA Docker - Avoid port 80 and Root privileges
opencb · Dec 17, 2024 · 5126999 · 5126999
2 parents 1ae3737 + e2bb047
commit 5126999
Show file tree

Hide file tree

Showing 3 changed files with 580 additions and 6 deletions.
diff --git a/docker/iva-app/Dockerfile b/docker/iva-app/Dockerfile
@@ -1,8 +1,10 @@
 FROM httpd:2.4-bullseye
+## Custom httpd.conf file to update exposed port from 80 to 8080
+COPY ./docker/iva-app/custom-httpd.conf /usr/local/apache2/conf/httpd.conf
 
 ## To run the docker use:
 ## docker build -f ./docker/iva-app/Dockerfile -t iva-httpd .
-## docker run --name jsorolla -p 8888:80 opencb/iva-app
+## docker run --name jsorolla -p 8888:8080 opencb/iva-app
 ## Then open:  http://localhost:8888/iva o http://localhost:8888/api
 
 LABEL org.label-schema.vendor="OpenCB" \
@@ -15,20 +17,24 @@ LABEL org.label-schema.vendor="OpenCB" \
 ## Update and create iva user
 RUN apt-get update && apt-get -y upgrade && \
     apt-get install -y vim jq && \
-    rm -rf /var/lib/apt/lists/*
+    rm -rf /var/lib/apt/lists/* && \
+    chown -R www-data /usr/local/apache2/logs/
 
 ## Allow to build different images by passing the path to the SITE
 ARG     SITE=src/sites
 
 ## Copy files
 ## IVA
-COPY    ./build/iva                 /usr/local/apache2/htdocs/iva
-COPY    ./${SITE}/iva/conf          /usr/local/apache2/htdocs/iva/conf/
-COPY    ./${SITE}/iva/img           /usr/local/apache2/htdocs/iva/img/
+COPY --chown=www-data   ./build/iva              /usr/local/apache2/htdocs/iva
+COPY --chown=www-data   ./${SITE}/iva/conf       /usr/local/apache2/htdocs/iva/conf/
+COPY --chown=www-data   ./${SITE}/iva/img        /usr/local/apache2/htdocs/iva/img/
 
 RUN true
 
+## Run Docker images as non root
+USER www-data
+
 ## Genome Maps (Coming soon  :-) )
 #COPY    ./build/genome-maps                 /usr/local/apache2/htdocs/genome-maps
 
-ENTRYPOINT ["httpd-foreground"]
+ENTRYPOINT ["httpd-foreground"]
diff --git a/docker/iva-app/README.md b/docker/iva-app/README.md
@@ -0,0 +1,17 @@
+# How to update this docker
+
+If you want to update the base image https://hub.docker.com/_/httpd , it is necesary repeat this steps
+
+To customize the configuration of the httpd server, first obtain the upstream default configuration from the container:
+
+```bash
+docker run --rm httpd:2.4-bullseye cat /usr/local/apache2/conf/httpd.conf > ./docker/iva-app/custom-httpd.conf
+```
+
+And then change custom-httpd.conf 
+
+```
+Listen 8080
+```
+
+