Kyle Pope
dbad9c69b3
- Add .dockerignore for backend and frontend (DC-1: eliminates node_modules/ and .env from build context) - Delete start.sh with --reload flag (DC-2: superseded by Dockerfile CMD) - Create entrypoint.sh with exec uvicorn (DW-5: proper PID 1 signal handling) - Pin base images to patch-level tags (DW-1: reproducible builds) - Reorder Dockerfile: create appuser before COPY, use --chown (DW-2) - Switch to npm ci for lockfile-enforced installs (DW-3) - Add network segmentation: backend_net + frontend_net (DW-4: db unreachable from frontend container) - Add deploy.resources limits to all services (DW-6: OOM protection) - Refactor proxy-params.conf to include security headers, deduplicate from nginx.conf location blocks (DW-7) - Add image/svg+xml to gzip_types (DS-1) - Add wget healthcheck for frontend service (DS-2) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
33 lines
668 B
Docker
33 lines
668 B
Docker
# Build stage
|
|
FROM node:20.18-alpine AS build
|
|
|
|
WORKDIR /app
|
|
|
|
# Copy package files
|
|
COPY package*.json ./
|
|
|
|
# Install dependencies from lockfile (DW-3)
|
|
RUN npm ci
|
|
|
|
# Copy source files
|
|
COPY . .
|
|
|
|
# Build the application
|
|
RUN npm run build
|
|
|
|
# Production stage — unprivileged nginx (runs as non-root, listens on 8080)
|
|
FROM nginxinc/nginx-unprivileged:1.27-alpine
|
|
|
|
# Copy built files from build stage
|
|
COPY --from=build /app/dist /usr/share/nginx/html
|
|
|
|
# Copy nginx configuration
|
|
COPY nginx.conf /etc/nginx/conf.d/default.conf
|
|
COPY proxy-params.conf /etc/nginx/proxy-params.conf
|
|
|
|
# Expose port 8080 (unprivileged)
|
|
EXPOSE 8080
|
|
|
|
# Start nginx
|
|
CMD ["nginx", "-g", "daemon off;"]
|