coreruleset / modsecurity-crs-docker

Official ModSecurity Docker + Core Rule Set (CRS) images
https://coreruleset.org
Apache License 2.0

Running with non-root access with the nginx user #55

Closed. archletekke closed this issue 8 months ago.

archletekke commented 2 years ago

If anyone else is wondering how to use this image in a non-root context, this is what worked for me in the Dockerfile:

```dockerfile
...

# chown all modsecurity and nginx config files to the nginx user
# (one RUN instead of five: every separate "chown -R" layer re-copies the
# whole tree it touches into the image)
RUN chown -R nginx:nginx /etc/nginx/ \
                         /opt/modsecurity/ \
                         /etc/modsecurity.d/ \
                         /opt/owasp-crs/ \
                         /usr/local/

# everything after this line, including the container's main process, runs as nginx
USER nginx
...
```
archletekke commented 2 years ago

Maybe it is possible to set up the base images so that all of the required directories are owned by nginx already?

fzipi commented 2 years ago

Hi @archletekke ! Let me take a look at this one.

fzipi commented 2 years ago

I don't think you need to change the whole /usr/local directory to nginx... 🤔
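The question behind this objection is which of the directories in the Dockerfile above the entrypoint actually writes to at run time; anything it only reads can stay root-owned. The following script is an added example, not code from the coreruleset/modsecurity-crs-docker project: it assumes you start a throw-away container as root, `touch /tmp/marker` before the entrypoint runs, let it render its configuration and serve a few requests, and then run `written_since` / `chown_plan` over the candidate directories. The directory list and the marker path are assumptions taken from this thread, and the file names in the test are constructed.

```sh
#!/bin/sh
# Added example, not code from the coreruleset/modsecurity-crs-docker project.
# Idea: instead of "chown -R" over whole trees (e.g. /usr/local), discover which
# files were actually written after a marker was created, and hand only those
# to the nginx user.
#
# Assumed workflow inside a throw-away container started as root:
#   touch /tmp/marker                      (before the entrypoint runs)
#   ...entrypoint renders its config, nginx serves a few requests...
#   chown_plan /tmp/marker /etc/nginx /etc/modsecurity.d /opt/owasp-crs /usr/local
# The directory list is the one from the Dockerfile posted above; whether the
# entrypoint writes to any of them is exactly what this measures.

# written_since MARKER DIR... : print every non-directory under DIR... whose
# mtime is newer than MARKER, one per line, sorted and de-duplicated.
# Directories that do not exist are skipped silently.
written_since() {
    marker=$1
    shift
    [ -e "$marker" ] || { echo "marker $marker does not exist" >&2; return 1; }
    find "$@" ! -type d -newer "$marker" 2>/dev/null | sort -u
}

# parent_dirs : read paths on stdin, print the unique directories containing
# them. The directory itself must be writable so the entrypoint can re-create
# the file on the next start; no -R over the surrounding tree is needed.
parent_dirs() {
    while IFS= read -r path; do
        dirname "$path"
    done | sort -u
}

# chown_plan MARKER DIR... : emit the chown commands that would replace the
# blanket "chown -R nginx:nginx" lines, touching only what was written.
chown_plan() {
    written=$(written_since "$@") || return 1
    [ -n "$written" ] || { echo "# nothing was written after the marker"; return 0; }
    printf '%s\n' "$written" | parent_dirs | while IFS= read -r dir; do
        echo "chown nginx:nginx '$dir'"
    done
    printf '%s\n' "$written" | while IFS= read -r file; do
        echo "chown nginx:nginx '$file'"
    done
}
```

The mtime comparison only sees files that were written during that one run, so exercise the container (send requests, trigger a rule so the audit log is written) before taking the measurement; files nginx creates lazily, such as the pid file and the temp directories, will otherwise be missed, which is why upstream's non-root guidance moves those into /tmp in the first place.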

fzipi commented 2 years ago

@archletekke Can you try following the documentation from upstream, the part that says "Running nginx as a non-root user", and let us know?

archletekke commented 2 years ago

I guess that could work as well. My proposal was that the security-focused docker image could be non-root by default, meaning that the CRS docker image has the non-root config defined in its own Dockerfile.

fzipi commented 2 years ago

There might be another option: we could use https://hub.docker.com/r/nginxinc/nginx-unprivileged from upstream instead. Will check if this works out of the box for us.