147 lines
4.3 KiB
Docker
147 lines
4.3 KiB
Docker
# Stage 1: Build
|
|
FROM node:20-alpine AS builder
|
|
|
|
# Métadonnées
|
|
LABEL maintainer="Yt2Jellyfin"
|
|
LABEL description="Frontend React pour Yt2Jellyfin"
|
|
|
|
# Définir le répertoire de travail
|
|
WORKDIR /app
|
|
|
|
# Copier les fichiers de dépendances
|
|
COPY package*.json ./
|
|
|
|
# Installer les dépendances (avec cache npm)
|
|
RUN npm ci --only=production
|
|
|
|
# Copier le code source
|
|
COPY . .
|
|
|
|
# Build de l'application
|
|
RUN npm run build
|
|
|
|
# Stage 2: Production avec Nginx
|
|
FROM nginx:1.25-alpine AS production
|
|
|
|
# Installer des outils de sécurité et nettoyer
|
|
RUN apk add --no-cache \
|
|
ca-certificates \
|
|
tzdata \
|
|
&& rm -rf /var/cache/apk/*
|
|
|
|
# Créer un utilisateur non-root
|
|
RUN addgroup -g 1001 -S nginx-app && \
|
|
adduser -S -D -H -u 1001 -h /var/cache/nginx -s /sbin/nologin -G nginx-app -g nginx-app nginx-app
|
|
|
|
# Copier les fichiers buildés depuis le stage builder
|
|
COPY --from=builder --chown=nginx-app:nginx-app /app/dist /usr/share/nginx/html
|
|
|
|
# Configuration Nginx sécurisée
|
|
COPY --chown=nginx-app:nginx-app <<EOF /etc/nginx/nginx.conf
|
|
user nginx-app;
|
|
worker_processes auto;
|
|
error_log /var/log/nginx/error.log warn;
|
|
pid /var/run/nginx.pid;
|
|
|
|
events {
|
|
worker_connections 1024;
|
|
}
|
|
|
|
http {
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
|
|
log_format main '\$remote_addr - \$remote_user [\$time_local] "\$request" '
|
|
'\$status \$body_bytes_sent "\$http_referer" '
|
|
'"\$http_user_agent" "\$http_x_forwarded_for"';
|
|
|
|
access_log /var/log/nginx/access.log main;
|
|
|
|
sendfile on;
|
|
tcp_nopush on;
|
|
tcp_nodelay on;
|
|
keepalive_timeout 65;
|
|
types_hash_max_size 2048;
|
|
client_max_body_size 10M;
|
|
|
|
# Security headers
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
|
|
# Gzip compression
|
|
gzip on;
|
|
gzip_vary on;
|
|
gzip_proxied any;
|
|
gzip_comp_level 6;
|
|
gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
|
|
|
|
server {
|
|
listen 80;
|
|
server_name _;
|
|
root /usr/share/nginx/html;
|
|
index index.html;
|
|
|
|
# Désactiver les tokens de version Nginx
|
|
server_tokens off;
|
|
|
|
# Logs
|
|
access_log /var/log/nginx/access.log main;
|
|
error_log /var/log/nginx/error.log warn;
|
|
|
|
# Gestion des assets statiques avec cache
|
|
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
|
|
expires 1y;
|
|
add_header Cache-Control "public, immutable";
|
|
}
|
|
|
|
# SPA routing - toutes les routes vers index.html
|
|
location / {
|
|
try_files \$uri \$uri/ /index.html;
|
|
add_header Cache-Control "no-cache";
|
|
}
|
|
|
|
# Proxy vers le backend (optionnel, si sur même réseau)
|
|
location /api {
|
|
proxy_pass http://backend:3000;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade \$http_upgrade;
|
|
proxy_set_header Connection 'upgrade';
|
|
proxy_set_header Host \$host;
|
|
proxy_set_header X-Real-IP \$remote_addr;
|
|
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto \$scheme;
|
|
proxy_cache_bypass \$http_upgrade;
|
|
proxy_connect_timeout 30s;
|
|
proxy_send_timeout 30s;
|
|
proxy_read_timeout 30s;
|
|
}
|
|
|
|
# Bloquer l'accès aux fichiers sensibles
|
|
location ~ /\. {
|
|
deny all;
|
|
access_log off;
|
|
log_not_found off;
|
|
}
|
|
}
|
|
}
|
|
EOF
|
|
|
|
# Créer les dossiers nécessaires avec bonnes permissions
|
|
RUN mkdir -p /var/cache/nginx /var/log/nginx /var/run && \
|
|
chown -R nginx-app:nginx-app /var/cache/nginx /var/log/nginx /var/run /usr/share/nginx/html && \
|
|
chmod -R 755 /usr/share/nginx/html
|
|
|
|
# Exposer le port
|
|
EXPOSE 80
|
|
|
|
# Healthcheck
|
|
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
|
|
CMD wget --quiet --tries=1 --spider http://localhost/ || exit 1
|
|
|
|
# Passer à l'utilisateur non-root
|
|
USER nginx-app
|
|
|
|
# Démarrer Nginx
|
|
CMD ["nginx", "-g", "daemon off;"] |