switch from lighttp to nginx for the homepage

Author: grimbough

homepage/Dockerfile

@@ -1,28 +1,22 @@
-FROM alpine:3.17
+FROM nginxinc/nginx-unprivileged:alpine3.21-perl 
+LABEL maintainer "Mike Smith <mike.smith@embl.de>"
+ENV TZ="Europe/Berlin"
 
-RUN apk update \
-    && apk add lighttpd bash \
-    && rm -rf /var/cache/apk/*
+COPY nginx.conf /etc/nginx/conf.d/default.conf
 
-COPY lighttpd.conf /etc/lighttpd/lighttpd.conf
-
-RUN mkdir -p /var/www/localhost/htdocs /var/shared
-WORKDIR /var/www/localhost/htdocs
+WORKDIR /var/www/html
 
+ADD images/favicon.tar.gz ./
 COPY images images/
-RUN tar xzvf images/favicon.tar.gz
 
 COPY css css/
-
 COPY html/* ./
 
+USER root
 ## This is just a symlink.  
 ## The actual file is created on a shared PVC by the git updater job
 RUN ln -s /var/shared/sitemap.txt sitemap.txt
 RUN ln -s /var/shared/robots.txt robots.txt
+USER nginx
 
-RUN touch /run/lighttpd.pid && chown -R 100:100 /run/lighttpd.pid
-
-USER lighttpd
-
-CMD ["lighttpd", "-D", "-f", "/etc/lighttpd/lighttpd.conf"]
+EXPOSE 8080

homepage/html/about.html

@@ -129,10 +129,7 @@ <h4>Why we collect data</h4>
     <span class="text-muted"></span>
 </div>
 </footer>
-<script
-  src="https://code.jquery.com/jquery-3.7.0.slim.min.js"
-  integrity="sha256-tG5mcZUtJsZvyKAxYLVXrmjKBVLd6VpVccqz/r4ypFE="
-  crossorigin="anonymous"></script>
+<script src="https://code.jquery.com/jquery-3.7.0.slim.min.js" integrity="sha256-tG5mcZUtJsZvyKAxYLVXrmjKBVLd6VpVccqz/r4ypFE=" crossorigin="anonymous"></script>
 <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.16.1/umd/popper.min.js" integrity="sha512-ubuT8Z88WxezgSqf3RLuNi5lmjstiJcyezx34yIU2gAHonIi27Na7atqzUZCOoY4CExaoFumzOsFQ2Ch+I/HCw==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
 <script src="https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/js/bootstrap.min.js" integrity="sha384-+sLIOodYLS7CIrQpBjl+C7nPvqq+FbNUBDunl/OZv93DB7Ln/533i8e/mZXLi/P+" crossorigin="anonymous"></script>
 </body>

homepage/html/index.html

@@ -110,10 +110,7 @@ <h1 class="card-title">Code Search</h1>
     <span class="text-muted"></span>
   </div>
 </footer>
-<script
-  src="https://code.jquery.com/jquery-3.7.0.slim.min.js"
-  integrity="sha256-tG5mcZUtJsZvyKAxYLVXrmjKBVLd6VpVccqz/r4ypFE="
-  crossorigin="anonymous"></script>
+<script src="https://code.jquery.com/jquery-3.7.0.slim.min.js" integrity="sha256-tG5mcZUtJsZvyKAxYLVXrmjKBVLd6VpVccqz/r4ypFE=" crossorigin="anonymous"></script>
 <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.16.1/umd/popper.min.js" integrity="sha512-ubuT8Z88WxezgSqf3RLuNi5lmjstiJcyezx34yIU2gAHonIi27Na7atqzUZCOoY4CExaoFumzOsFQ2Ch+I/HCw==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
 <script src="https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/js/bootstrap.min.js" integrity="sha384-+sLIOodYLS7CIrQpBjl+C7nPvqq+FbNUBDunl/OZv93DB7Ln/533i8e/mZXLi/P+" crossorigin="anonymous"></script>
 </body>

homepage/nginx.conf

@@ -0,0 +1,88 @@
+geo $blocked_ips  {
+  104.206.97.90    1;          # add as many single IPs
+  default          0;          # everybody else
+}
+
+server {
+  listen 8080 default;
+
+  root /var/www/html;
+  access_log /var/log/nginx/access_home.log;
+  error_log /var/log/nginx/error_home.log;
+  set $fpm_backend 127.0.0.1;
+
+  location / {
+    index index.html;
+  }
+
+  # Basic configuration
+  expires off;
+  server_tokens off;
+  client_max_body_size 4m;
+  keepalive_timeout 20s;
+  sendfile on;
+  tcp_nopush on;
+
+  # Forwarding EMBL ingress IP addresses to the access logs
+  set_real_ip_from 10.133.0.0/16;
+  real_ip_header X-Forwarded-For;
+  real_ip_recursive on;
+
+  # Security
+  add_header X-Frame-Options "SAMEORIGIN" always;
+  add_header X-XSS-Protection "1; mode=block" always;
+  add_header X-Content-Type-Options nosniff always;
+  add_header Referrer-Policy "no-referrer-when-downgrade" always;
+
+  # Performance
+  gzip on;
+  gzip_comp_level 5;
+  gzip_min_length 256;
+  gzip_proxied any;
+  gzip_vary on;
+  gzip_types
+    application/atom+xml
+    application/javascript
+    application/json
+    application/ld+json
+    application/manifest+json
+    application/rss+xml
+    application/geo+json
+    application/vnd.ms-fontobject
+    application/x-web-app-manifest+json
+    application/xhtml+xml
+    application/xml
+    application/rdf+xml
+    font/otf
+    application/wasm
+    image/bmp
+    image/svg+xml
+    text/cache-manifest
+    text/css
+    text/javascript
+    text/plain
+    text/markdown
+    text/vcard
+    text/calendar
+    text/vnd.rim.location.xloc
+    text/vtt
+    text/x-component
+    text/x-cross-domain-policy;
+
+  # Content types
+  include mime.types;
+  charset utf-8;
+  charset_types
+    text/css
+    text/plain
+    text/vnd.wap.wml
+    text/javascript
+    text/markdown
+    text/calendar
+    text/x-component
+    text/vcard
+    text/cache-manifest
+    text/vtt
+    application/json
+    application/manifest+json;
+}

kubernetes/deployment.yaml

@@ -229,13 +229,17 @@ spec:
       labels:
         app: code-home
     spec:
+      securityContext:
+        fsGroup: 101 
       containers:
         - name: code-home
-          image: grimbough/code.bioc-home:0.1.5
+          image: grimbough/code.bioc-home:0.2.0
           imagePullPolicy: "Always"
           volumeMounts:
             - mountPath: "/var/shared"
               name: git-repo-shared-info
+            - mountPath: "/var/log/nginx"
+              name: nginx-logs
           ports:
             - name: http
               containerPort: 8080
@@ -251,7 +255,8 @@ spec:
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
-            runAsUser: 100 #lighttpd uid
+            runAsUser: 101
+            runAsGroup: 101
             allowPrivilegeEscalation: false
             capabilities:
               drop: 
@@ -261,3 +266,6 @@ spec:
           persistentVolumeClaim:
             claimName:  bioc-code-tools-shared-info-pvc
             readOnly: true
+        - name: nginx-logs
+          persistentVolumeClaim:
+            claimName:  nginx-logs