corenthin/Yt2Jelly
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Yt2Jelly/Dockerfile
corenthin d5f918cfab Actualiser Dockerfile
2026-02-25 23:43:53 +01:00

147 lines
4.3 KiB
Docker
Raw Permalink Blame History

# Stage 1: Build
FROM node:20-alpine AS builder
# Métadonnées
LABEL maintainer="Yt2Jellyfin"
LABEL description="Frontend React pour Yt2Jellyfin"
# Définir le répertoire de travail
WORKDIR /app
# Copier les fichiers de dépendances
COPY package*.json ./
# Installer les dépendances (avec cache npm)
RUN npm ci --only=production
# Copier le code source
COPY . .
# Build de l'application
RUN npm run build
# Stage 2: Production avec Nginx
FROM nginx:1.25-alpine AS production
# Installer des outils de sécurité et nettoyer
RUN apk add --no-cache \
ca-certificates \
tzdata \
&& rm -rf /var/cache/apk/*
# Créer un utilisateur non-root
RUN addgroup -g 1001 -S nginx-app && \
adduser -S -D -H -u 1001 -h /var/cache/nginx -s /sbin/nologin -G nginx-app -g nginx-app nginx-app
# Copier les fichiers buildés depuis le stage builder
COPY --from=builder --chown=nginx-app:nginx-app /app/dist /usr/share/nginx/html
# Configuration Nginx sécurisée
COPY --chown=nginx-app:nginx-app <<EOF /etc/nginx/nginx.conf
user nginx-app;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '\$remote_addr - \$remote_user [\$time_local] "\$request" '
'\$status \$body_bytes_sent "\$http_referer" '
'"\$http_user_agent" "\$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
client_max_body_size 10M;
# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Gzip compression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
server {
listen 80;
server_name _;
root /usr/share/nginx/html;
index index.html;
# Désactiver les tokens de version Nginx
server_tokens off;
# Logs
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log warn;
# Gestion des assets statiques avec cache
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
expires 1y;
add_header Cache-Control "public, immutable";
}
# SPA routing - toutes les routes vers index.html
location / {
try_files \$uri \$uri/ /index.html;
add_header Cache-Control "no-cache";
}
# Proxy vers le backend (optionnel, si sur même réseau)
location /api {
proxy_pass http://backend:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
proxy_cache_bypass \$http_upgrade;
proxy_connect_timeout 30s;
proxy_send_timeout 30s;
proxy_read_timeout 30s;
}
# Bloquer l'accès aux fichiers sensibles
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
}
}
EOF
# Créer les dossiers nécessaires avec bonnes permissions
RUN mkdir -p /var/cache/nginx /var/log/nginx /var/run && \
chown -R nginx-app:nginx-app /var/cache/nginx /var/log/nginx /var/run /usr/share/nginx/html && \
chmod -R 755 /usr/share/nginx/html
# Exposer le port
EXPOSE 80
# Healthcheck
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD wget --quiet --tries=1 --spider http://localhost/ || exit 1
# Passer à l'utilisateur non-root
USER nginx-app
# Démarrer Nginx
CMD ["nginx", "-g", "daemon off;"]
Reference in New Issue View Git Blame Copy Permalink