From 3b7af7907dcdfc8df30bdfd38d832c47204ba693 Mon Sep 17 00:00:00 2001
From: Sangelo
Date: Wed, 24 Apr 2024 17:02:40 +0200
Subject: [PATCH 1/3] Initial work on hardening

---
 Dockerfile               | 8 +++++++-
 hardening/healthcheck.sh | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 hardening/healthcheck.sh

diff --git a/Dockerfile b/Dockerfile
index 0dbbdd3..949da5e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,13 +19,19 @@ WORKDIR /app
 # Copy the build directory from the builder stage to /app
 COPY --from=builder /git/build /app
 
+# Create a dedicated user 'web' and change ownership of /app to 'web'
+RUN addgroup -S web && adduser -S web -G web && chown -R web:web /app
+
 # Caddyfile configuration to serve files from /app
 RUN echo -e ":80 {\n root * /app\n try_files {path}.html {path}\n file_server\n}" > /etc/caddy/Caddyfile
 
 # Expose port 80
 EXPOSE 80
 
-# Start Caddy with the specified Caddyfile
+# Switch to the 'web' user
+USER web
+
+# Start Caddy with the specified Caddyfile as the 'web' user
 CMD ["caddy", "run", "--config", "/etc/caddy/Caddyfile", "--adapter", "caddyfile"]
 
 # Docker Container Labels
diff --git a/hardening/healthcheck.sh b/hardening/healthcheck.sh
new file mode 100644
index 0000000..0520ca7
--- /dev/null
+++ b/hardening/healthcheck.sh
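Review bot: `chown -R web:web /app` in the added RUN line gives the runtime user write ownership of the content it serves, which a static file server does not need; if the Caddy process is ever compromised, the served site becomes writable by it. Keeping /app root-owned and only ensuring it is world-readable, e.g. `RUN addgroup -S web && adduser -S web -G web && chmod -R a-w,a+rX /app`, preserves the `USER web` hardening with a read-only document root. Two runtime details are worth confirming rather than assuming: binding `:80` as a non-root user depends on the container runtime lowering the unprivileged-port threshold (Docker does by default; other runtimes may not), and Caddy writes its autosave/config and data directories under `XDG_CONFIG_HOME`/`XDG_DATA_HOME` (the official caddy image sets these to /config and /data), so those paths need to be writable by `web` or the write failures will at least show up as warnings in the logs. Also worth noting in the Dockerfile comment that the Caddyfile under /etc/caddy stays root-owned and read-only to `web`, which is the intended split.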
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Configuration
+HEALTH_URL="http://10.1.30.1:8080/health"
+NTFY_INSTANCE="https://ntfy.lunivity.com"
+NTFY_TOPIC="$NTFY_INSTANCE/mytopic"
+CONFIGURABLE_MESSAGE="Something went wrong with the health check."
+LOG_FILE="health_check.log"
+
+# Function to send push notification
+send_notification() {
+ local message="$1"
+ local priority="$2"
+ local tags="$3"
+ curl -H "Title: Health Check Failure" \ -H "Priority: $priority" \ -H "Tags: $tags" \ -d "$message" \ "$NTFY_TOPIC"
+ if [ $? -ne 0 ]; then
+ echo "[$(date +"%Y-%m-%d %H:%M:%S")] - Failed to send push notification" >> "$LOG_FILE"
+ fi
+}
+
+# Perform curl request
+HEALTH_RESPONSE=$(curl -s -w "%{http_code}" "$HEALTH_URL")
+HTTP_CODE=$(echo "$HEALTH_RESPONSE" | tail -n1)
+CONTENT=$(echo "$HEALTH_RESPONSE" | head -n -1)
+if [ "$HTTP_CODE" == "200" ] && [ "$CONTENT" == "OK" ]; then
+ echo "[$(date +"%Y-%m-%d %H:%M:%S")] - Successful response from health check at '$HEALTH_URL' - Response: 'OK'" >> "$LOG_FILE"
+else
+ echo "[$(date +"%Y-%m-%d %H:%M:%S")] - Failed response from health check at '$HEALTH_URL' - HTTP Code: '$HTTP_CODE' - Content: '$CONTENT'" >> "$LOG_FILE"
+ echo "[$(date +"%Y-%m-%d %H:%M:%S")] - Sending a push notification..." >> "$LOG_FILE"
+ send_notification "$CONFIGURABLE_MESSAGE" "urgent" "warning"
+fi
-- 
2.39.2

From 30dbe2505187642d073f582b8e497c8a42f05de4 Mon Sep 17 00:00:00 2001
From: Sangelo
Date: Fri, 26 Apr 2024 11:08:30 +0200
Subject: [PATCH 2/3] [a] add healthcheck endpoint to caddyfile config

---
 Dockerfile               | 2 +-
 docker-compose.build.yml | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 949da5e..2a7d32b 100644
--- a/Dockerfile
+++ b/Dockerfile
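Review bot: The response split at `HTTP_CODE=$(echo "$HEALTH_RESPONSE" | tail -n1)` and `CONTENT=$(echo "$HEALTH_RESPONSE" | head -n -1)` only works when the body ends in a newline, because `-w "%{http_code}"` appends the status code directly after the body; for a body of exactly `OK` with no trailing newline the script sees `OK200`, `CONTENT` is empty, and every probe is logged as a failure and paged. Putting the code on its own line, `HEALTH_RESPONSE=$(curl -s --max-time 10 -w '\n%{http_code}' "$HEALTH_URL")`, fixes the split and `--max-time` stops a hung endpoint from stalling the script indefinitely; `head -n -1` is also GNU-only, so writing the body with `-o` to a `mktemp` file and capturing only `%{http_code}` would be more portable. The script has no `set -euo pipefail`, and `LOG_FILE="health_check.log"` resolves against whatever working directory the scheduler uses, so it should be an absolute path. Treat the ntfy topic URL as a credential and load it from the environment rather than committing it next to `HEALTH_URL`. The file is created as mode 100644, so it is not executable and must be invoked via `bash healthcheck.sh`.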
@@ -23,7 +23,7 @@ COPY --from=builder /git/build /app
 RUN addgroup -S web && adduser -S web -G web && chown -R web:web /app
 
 # Caddyfile configuration to serve files from /app
-RUN echo -e ":80 {\n root * /app\n try_files {path}.html {path}\n file_server\n}" > /etc/caddy/Caddyfile
+RUN echo -e ":80 {\n root * /app\n try_files {path}.html {path}\n file_server\n}\n:8080 {\n respond /health \"OK\" 200\n}" > /etc/caddy/Caddyfile
 
 # Expose port 80
 EXPOSE 80
diff --git a/docker-compose.build.yml b/docker-compose.build.yml
index 23cd6a5..2db1fbb 100644
--- a/docker-compose.build.yml
+++ b/docker-compose.build.yml
@@ -7,3 +7,5 @@ services:
 no_cache: true
 ports:
 - "3000:80"
+ - "3080:8080"
+
-- 
2.39.2

From b627cf1d4a5e3976c0fd7c6c8f604b08039906a3 Mon Sep 17 00:00:00 2001
From: Sangelo
Date: Fri, 10 May 2024 15:48:42 +0200
Subject: [PATCH 3/3] [d] remove healthcheck script

---
 hardening/healthcheck.sh | 35 -----------------------------------
 1 file changed, 35 deletions(-)
 delete mode 100644 hardening/healthcheck.sh

diff --git a/hardening/healthcheck.sh b/hardening/healthcheck.sh
deleted file mode 100644
index 0520ca7..0000000
--- a/hardening/healthcheck.sh
+++ /dev/null
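Review bot: The new `:8080` site block opens a second listener, but the Dockerfile still declares only `EXPOSE 80`, so the health port is missing from the image metadata; add `EXPOSE 8080` with a comment that it is the health listener, not a second web port. Note that `respond /health "OK" 200` emits the body without a trailing newline, which any consumer that splits the response on lines (the PATCH 1 script does) has to account for. A native `HEALTHCHECK` instruction probing `http://127.0.0.1:8080/health` would let the orchestrator see container health without an external poller, though whether `wget` or `curl` exists in this base image needs confirming. The Caddyfile is now a long `echo -e` string with escaped quotes, which is fragile to edit; a `COPY Caddyfile /etc/caddy/Caddyfile` from the repo would be easier to review and to run `caddy validate` against.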
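Review bot: `- "3080:8080"` publishes the health listener on every host interface, which exposes a monitoring-only endpoint more widely than needed; bind it to loopback, `- "127.0.0.1:3080:8080"`, or to the specific address the poller reaches it on, since the PATCH 1 script targets a single host and nothing else appears to need it. The trailing added line after it is a stray blank that can be dropped. If a runtime compose file exists alongside this build one, it should get the same restriction.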
@@ -1,35 +0,0 @@
-#!/bin/bash
-
-# Configuration
-HEALTH_URL="http://10.1.30.1:8080/health"
-NTFY_INSTANCE="https://ntfy.lunivity.com"
-NTFY_TOPIC="$NTFY_INSTANCE/mytopic"
-CONFIGURABLE_MESSAGE="Something went wrong with the health check."
-LOG_FILE="health_check.log"
-
-# Function to send push notification
-send_notification() {
- local message="$1"
- local priority="$2"
- local tags="$3"
- curl -H "Title: Health Check Failure" \ -H "Priority: $priority" \ -H "Tags: $tags" \ -d "$message" \ "$NTFY_TOPIC"
- if [ $? -ne 0 ]; then
- echo "[$(date +"%Y-%m-%d %H:%M:%S")] - Failed to send push notification" >> "$LOG_FILE"
- fi
-}
-
-# Perform curl request
-HEALTH_RESPONSE=$(curl -s -w "%{http_code}" "$HEALTH_URL")
-HTTP_CODE=$(echo "$HEALTH_RESPONSE" | tail -n1)
-CONTENT=$(echo "$HEALTH_RESPONSE" | head -n -1)
-if [ "$HTTP_CODE" == "200" ] && [ "$CONTENT" == "OK" ]; then
- echo "[$(date +"%Y-%m-%d %H:%M:%S")] - Successful response from health check at '$HEALTH_URL' - Response: 'OK'" >> "$LOG_FILE"
-else
- echo "[$(date +"%Y-%m-%d %H:%M:%S")] - Failed response from health check at '$HEALTH_URL' - HTTP Code: '$HTTP_CODE' - Content: '$CONTENT'" >> "$LOG_FILE"
- echo "[$(date +"%Y-%m-%d %H:%M:%S")] - Sending a push notification..." >> "$LOG_FILE"
- send_notification "$CONFIGURABLE_MESSAGE" "urgent" "warning"
-fi
-- 
2.39.2