breaking(setup): use non-root image for immich-proxy (#651)

* feat(nginx): use non-root container for immich-proxy

Signed-off-by: PixelJonas <5434875+PixelJonas@users.noreply.github.com>

* re-add test env

* feat(nginx): add correct port for staging

* add the new port to the default docker-compose.yml

Signed-off-by: PixelJonas <5434875+PixelJonas@users.noreply.github.com>

docker/.env.test

@@ -19,4 +19,4 @@ ENABLE_MAPBOX=false
 
 # WEB
 MAPBOX_KEY=
-VITE_SERVER_ENDPOINT=http://localhost:2283/api
+VITE_SERVER_ENDPOINT=http://localhost:2283/api

docker/docker-compose.dev.yml

@@ -102,8 +102,7 @@ services:
       context: ../nginx
       dockerfile: Dockerfile
     ports:
-      - 2283:80
-      - 2284:443
+      - 2283:8080
     logging:
       driver: none
     depends_on:

docker/docker-compose.staging.yml

@@ -72,8 +72,7 @@ services:
     container_name: immich_proxy
     image: altran1502/immich-proxy:staging
     ports:
-      - 2283:80
-      - 2284:443
+      - 2283:8080
     logging:
       driver: none
     depends_on:

docker/docker-compose.yml

@@ -74,7 +74,7 @@ services:
     container_name: immich_proxy
     image: altran1502/immich-proxy:release
     ports:
-      - 2283:80
+      - 2283:8080
     logging:
       driver: none
     depends_on:

nginx/Dockerfile

@@ -1,6 +1,5 @@
-FROM nginx:latest
+FROM registry.access.redhat.com/ubi9/nginx-120:latest
 
-COPY nginx.conf /etc/nginx/conf.d/default.conf
+COPY nginx.conf "${NGINX_CONF_PATH}"
 
-EXPOSE 80
-EXPOSE 443
+CMD nginx -g "daemon off;"

nginx/nginx.conf

@@ -1,73 +1,87 @@
 
-map $http_upgrade $connection_upgrade {
-  default upgrade;
-  '' close;
-}
-
-# events {
-#   worker_connections 1000;
-# }
-
-server {
-
-  gzip on;
-  gzip_min_length 1000;
-  gunzip on;
 
-  client_max_body_size 50000M;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
 
-  listen 80;
-  access_log off;
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
 
-  location /api {
+events {
+    worker_connections 1024;
+}
 
-    # Compression
-    gzip_static on;
-    gzip_min_length 1000;
-    gzip_comp_level 2;
-
-    proxy_buffering off;
-    proxy_buffer_size 16k;
-    proxy_busy_buffers_size 24k;
-    proxy_buffers 64 4k;
-    proxy_force_ranges on;
-
-    proxy_http_version 1.1;
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection "upgrade";
-    proxy_set_header Host $host;
-
-    rewrite /api/(.*) /$1 break;
-
-    proxy_pass http://immich-server:3001;
+http {
+  map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
   }
 
-  location / {
+  # events {
+  #   worker_connections 1000;
+  # }
 
-    # Compression
-    gzip_static on;
+  server {
+
+    gzip on;
     gzip_min_length 1000;
-    gzip_comp_level 2;
-
-    proxy_buffering off;
-    proxy_buffer_size 16k;
-    proxy_busy_buffers_size 24k;
-    proxy_buffers 64 4k;
-    proxy_force_ranges on;
-
-    proxy_http_version 1.1;
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection "upgrade";
-    proxy_set_header Host $host;
-
-    proxy_pass http://immich-web:3000;
+    gunzip on;
+
+    client_max_body_size 50000M;
+
+    listen 8080;
+    access_log off;
+
+    location /api {
+
+      # Compression
+      gzip_static on;
+      gzip_min_length 1000;
+      gzip_comp_level 2;
+
+      proxy_buffering off;
+      proxy_buffer_size 16k;
+      proxy_busy_buffers_size 24k;
+      proxy_buffers 64 4k;
+      proxy_force_ranges on;
+
+      proxy_http_version 1.1;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection "upgrade";
+      proxy_set_header Host $host;
+
+      rewrite /api/(.*) /$1 break;
+
+      proxy_pass http://immich-server:3001;
+    }
+
+    location / {
+
+      # Compression
+      gzip_static on;
+      gzip_min_length 1000;
+      gzip_comp_level 2;
+
+      proxy_buffering off;
+      proxy_buffer_size 16k;
+      proxy_busy_buffers_size 24k;
+      proxy_buffers 64 4k;
+      proxy_force_ranges on;
+
+      proxy_http_version 1.1;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection "upgrade";
+      proxy_set_header Host $host;
+
+      proxy_pass http://immich-web:3000;
+    }
   }
-}
+}