From db11de4e74a62d913841f462eee2ec722afc2885 Mon Sep 17 00:00:00 2001
From: Jannis Gebauer
Date: Sat, 7 Sep 2019 12:13:16 +0200
Subject: [PATCH 1/2] run traefik as non-root user, closes #1992

---
 .../compose/production/traefik/Dockerfile | 7 +++++++
 .../compose/production/traefik/traefik.toml | 4 ++--
 {{cookiecutter.project_slug}}/production.yml | 4 ++--
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/{{cookiecutter.project_slug}}/compose/production/traefik/Dockerfile b/{{cookiecutter.project_slug}}/compose/production/traefik/Dockerfile
index 7088e6fe30..ceaf645d33 100644
--- a/{{cookiecutter.project_slug}}/compose/production/traefik/Dockerfile
+++ b/{{cookiecutter.project_slug}}/compose/production/traefik/Dockerfile
@@ -3,3 +3,10 @@ RUN mkdir -p /etc/traefik/acme
 RUN touch /etc/traefik/acme/acme.json
 RUN chmod 600 /etc/traefik/acme/acme.json
 COPY ./compose/production/traefik/traefik.toml /etc/traefik
+
+RUN addgroup -g 101 -S traefik
+RUN adduser -S -D -H -u 101 -s /sbin/nologin -G traefik -g traefik traefik
+RUN chown -R traefik /etc/traefik
+
+USER traefik
+EXPOSE 8080/tcp 8443/tcp
diff --git a/{{cookiecutter.project_slug}}/compose/production/traefik/traefik.toml b/{{cookiecutter.project_slug}}/compose/production/traefik/traefik.toml
index 0f2abe8a1c..a64a80c5ce 100644
--- a/{{cookiecutter.project_slug}}/compose/production/traefik/traefik.toml
+++ b/{{cookiecutter.project_slug}}/compose/production/traefik/traefik.toml
@@ -5,12 +5,12 @@ defaultEntryPoints = ["http", "https"]
 [entryPoints]
   # http should be redirected to https
   [entryPoints.http]
-  address = ":80"
+  address = ":8080"
     [entryPoints.http.redirect]
       entryPoint = "https"
   # https is the default
   [entryPoints.https]
-  address = ":443"
+  address = ":8443"
     [entryPoints.https.tls]
 
 # Enable ACME (Let's Encrypt): automatic SSL
diff --git a/{{cookiecutter.project_slug}}/production.yml b/{{cookiecutter.project_slug}}/production.yml
index 331cbba685..fc7e6fd36c 100644
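Review bot: `RUN chown -R traefik /etc/traefik` only fixes ownership inside the image, but production.yml mounts the named volume `production_traefik` over `/etc/traefik/acme`, and Docker seeds a named volume from the image only when the volume is first created; an existing deployment keeps the root-owned, mode-600 `acme.json` created by the two lines above the hunk's additions, so Traefik running as uid 101 would be unable to read or write its certificate store after this upgrade. A one-time `chown 101 acme.json` on the existing volume, or at least a release note, is needed for deployments that already have the volume. The chown also sets only the owner and leaves the group as root; `RUN chown -R traefik:traefik /etc/traefik` would match the group the `adduser ... -G traefik` line puts the user in, and the three `RUN` lines could be a single layer. The `addgroup`/`adduser` flags are BusyBox-style and assume an Alpine-based image; the `FROM` line that would confirm this is outside the hunk.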
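Review bot: Moving the https entry point to `:8443` while production.yml keeps publishing it as host port 443 is likely to break the http-to-https redirect configured by the unchanged `[entryPoints.http.redirect]` / `entryPoint = "https"` lines: as far as I recall, a Traefik 1.x entry-point redirect builds the Location URL from the target entry point's configured address, so clients would be sent to `https://host:8443/...`, a port that is not published. This should be verified against the Traefik version pinned in the Dockerfile (its `FROM` line is not in this hunk); if confirmed, a regex redirect that preserves the public port, e.g. `regex = "^http://(.*)"` and `replacement = "https://$1"` under `[entryPoints.http.redirect]`, avoids the problem. A comment above the two `address` lines, such as `# bound above 1024 because traefik runs as a non-root user; published as 80/443 by production.yml`, would explain why the ports no longer match the published ones.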
--- a/{{cookiecutter.project_slug}}/production.yml
+++ b/{{cookiecutter.project_slug}}/production.yml
@@ -40,8 +40,8 @@ services:
     volumes:
       - production_traefik:/etc/traefik/acme
     ports:
-      - "0.0.0.0:80:80"
-      - "0.0.0.0:443:443"
+      - "0.0.0.0:80:8080"
+      - "0.0.0.0:443:8443"
 
   redis:
     image: redis:5.0

From 2688a59471f1460dcfd06456af293f15abacebb4 Mon Sep 17 00:00:00 2001
From: Bruno Alla
Date: Sat, 11 Jan 2020 15:43:56 +0000
Subject: [PATCH 2/2] Update ports in traefik.yml

---
 .../compose/production/traefik/traefik.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/{{cookiecutter.project_slug}}/compose/production/traefik/traefik.yml b/{{cookiecutter.project_slug}}/compose/production/traefik/traefik.yml
index 324c62afa3..35c82bd6f3 100644
--- a/{{cookiecutter.project_slug}}/compose/production/traefik/traefik.yml
+++ b/{{cookiecutter.project_slug}}/compose/production/traefik/traefik.yml
@@ -4,11 +4,11 @@ log:
 entryPoints:
   web:
     # http
-    address: ":80"
+    address: ":8080"
 
   web-secure:
     # https
-    address: ":443"
+    address: ":8443"
 
 certificatesResolvers:
   letsencrypt:
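Review bot: The new `"0.0.0.0:80:8080"` and `"0.0.0.0:443:8443"` mappings read like a typo without context, because nothing in this file says why the host and container ports now differ. A comment above `ports:` would prevent a well-meaning "fix" back to `80:80`: `# traefik runs as a non-root user in its image (see compose/production/traefik/Dockerfile) and cannot bind :80/:443 itself, so it listens on 8080/8443 and dockerd publishes them as 80/443`. The port strings are already quoted, which is what Compose needs to avoid YAML's sexagesimal trap, so no change to the values themselves is needed.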
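Review bot: The `web-secure` entry point now listens on `":8443"` but is still published as host port 443 by production.yml, and whether the http-to-https redirect survives that depends on how it is configured elsewhere in this file, which is not visible in the hunk. If the redirect is a `redirectScheme` middleware with no `port` set, the Location header carries no port and clients land on 443 as intended; if it is an entry-point redirection by name (`to: web-secure`), Traefik v2 derives the port from the target entry point's address and would redirect to `:8443`, in which case `to: ":443"` pins the public port instead. Either way, a comment next to the addresses, such as `# non-standard ports because traefik runs unprivileged; published as 80/443 in production.yml`, would document the coupling with the compose file.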