build: update nginx conf & set custom nginx user permission

Signed-off-by: samuel.park <[email protected]>

apps/web/Dockerfile

@@ -30,21 +30,31 @@ ENV ROOT_PATH /var/www
 ENV LOG_PATH /var/log/cloudforet
 ENV NGINX_CONF_PATH /etc/nginx/conf.d
 
-RUN mkdir -p ${LOG_PATH}/nginx
+# create non-root (nginx) user
+RUN addgroup -S nginx && adduser -S nginx -G nginx
+
+RUN mkdir -p ${LOG_PATH}/nginx /var/cache/nginx && \
+    chown -R nginx:nginx ${LOG_PATH}/nginx /var/cache/nginx
 
 RUN rm /etc/nginx/conf.d/default.conf
 COPY apps/web/pkg/proxy.conf ${NGINX_CONF_PATH}/proxy.conf
 
 # forward request and error logs to docker log collector
-RUN ln -sf /dev/stdout /var/log/nginx/spaceone-access.log \
-    && ln -sf /dev/stderr /var/log/nginx/spaceone-error.log
+RUN ln -sf /dev/stdout ${LOG_PATH}/nginx/spaceone-access.log \
+    && ln -sf /dev/stderr ${LOG_PATH}/nginx/spaceone-error.log
 
 COPY --from=installer /app/apps/web/dist/. ${ROOT_PATH}/
 
 # Enable only for turbo debugging purposes
 #RUN mkdir -p ${LOG_PATH}/turbo
 #COPY --from=installer /app/.turbo/runs/. ${LOG_PATH}/turbo
 
+# Change ownership of application files and settings
+RUN chown -R nginx:nginx ${ROOT_PATH} ${NGINX_CONF_PATH}
+
+# Change to non-root user
+USER nginx
+
 EXPOSE ${PORT}
 
 ENTRYPOINT ["nginx", "-g", "daemon off;"]

apps/web/pkg/proxy.conf

@@ -4,8 +4,8 @@ server {
     root /var/www/;
     index index.html;
 
-    access_log /var/log/nginx/spaceone-access.log main;
-    error_log  /var/log/nginx/spaceone-error.log warn;
+    access_log /var/log/cloudforet/nginx/spaceone-access.log main;
+    error_log  /var/log/cloudforet/nginx/spaceone-error.log warn;
 
     # Force all paths to load either itself (js files) or go through index.html.