Skip to content

Commit 754423c

Browse files
jk464cognifloyd
jk464
and
cognifloyd
committed
Allow st2web to run as non-root w/o privileges
Co-authored-by: Jacob Floyd <cognifloyd@gmail.com>
1 parent cebea8d commit 754423c

4 files changed

Lines changed: 88 additions & 42 deletions

File tree

st2web/Dockerfile

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,9 @@ ENV ST2WEB_HTTPS 0
2323
ENV ST2_AUTH_URL http://st2auth:9100/
2424
ENV ST2_API_URL http://st2api:9101/
2525
ENV ST2_STREAM_URL http://st2stream:9102/
26+
ENV ST2_CA_CERT /etc/ssl/internal/ca.crt
27+
ENV ST2_PORT_HTTP 80
28+
ENV ST2_PORT_HTTPS 443
2629

2730
# Generate UTF-8 locale
2831
RUN apt-get -qq update \
@@ -78,5 +81,8 @@ VOLUME ["/etc/ssl/st2/"]
7881

7982
EXPOSE 80
8083
EXPOSE 443
84+
EXPOSE 8080
85+
EXPOSE 8443
8186
STOPSIGNAL SIGTERM
82-
CMD ["/bin/bash", "-c", "if [ ${ST2WEB_HTTPS} = 1 ]; then ST2WEB_TEMPLATE='/etc/nginx/conf.d/st2-https.template'; else ST2WEB_TEMPLATE='/etc/nginx/conf.d/st2-http.template'; fi && envsubst '${ST2_AUTH_URL} ${ST2_API_URL} ${ST2_STREAM_URL}' < ${ST2WEB_TEMPLATE} > /etc/nginx/conf.d/st2.conf && exec nginx -g 'daemon off;'"]
87+
RUN touch /var/run/nginx.pid && chown nginx:nginx /etc/nginx/conf.d/ /var/cache/nginx/ /var/run/nginx.pid
88+
CMD ["/bin/bash", "-c", "if [ ${ST2WEB_HTTPS} = 1 ]; then ST2WEB_TEMPLATE='/etc/nginx/conf.d/st2-https.template'; else ST2WEB_TEMPLATE='/etc/nginx/conf.d/st2-http.template'; fi && envsubst '${ST2_AUTH_URL} ${ST2_API_URL} ${ST2_STREAM_URL} ${ST2_CERT_CA} ${ST2_PORT_HTTP} ${ST2_PORT_HTTPS}' < ${ST2WEB_TEMPLATE} > /etc/nginx/conf.d/st2.conf && exec nginx -g 'daemon off;'"]

st2web/README.md

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,9 +11,19 @@ The following environment variables are available for configuration:
1111
- `ST2_API_URL` (default: `http://st2api:9101/`) - StackStorm API service
1212
- `ST2_STREAM_URL` (default: `http://st2stream:9102/`) - StackStorm Stream service
1313
- `ST2WEB_HTTPS` (default: `0`) - Use https with st2web
14+
- `ST2_PORT_HTTP` (default: `80`) - Port to listen for HTTP traffic
15+
- `ST2_PORT_HTTPS` (default: `443`) - Port to listen for HTTPS traffic
1416

1517
> Warning! All 3 services should be DNS/network accessible for `st2web` container to start properly. Thanks to K8s pod restarts, it's not a problem.
1618
19+
### Running as Non-Root
20+
21+
To run the `st2web` as non-root, pass the following config options:
22+
23+
* `ST2_PORT_HTTP` - should be set as `8080`
24+
* `ST2_PORT_HTTPS` - should be set as `8443`
25+
* Run the container as `uid`/`gid` - `999:999`
26+
1727
### Secrets
1828
> Note! You may safely ignore this section if `ST2WEB_HTTPS` is set to `0`.
1929

st2web/files/st2.conf-http.patch

Lines changed: 26 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -1,22 +1,24 @@
1-
--- st2.conf 2021-06-18 19:45:50.892196136 +0100
2-
+++ st2.http.conf 2021-06-18 19:50:00.098280995 +0100
3-
@@ -8,44 +8,18 @@
4-
1+
--- st2.conf 2023-09-01 16:31:41.000000000 +0100
2+
+++ st2.http.conf 2023-09-01 16:33:45.000000000 +0100
3+
@@ -7,45 +7,19 @@
4+
# see https://docs.stackstorm.com/install.html for details
5+
56
server {
6-
listen *:80 default_server;
7+
- listen *:80 default_server;
8+
+ listen *:${ST2_PORT_HTTP} default_server;
79
+ server_tokens off;
8-
10+
911
- add_header Front-End-Https on;
1012
add_header X-Content-Type-Options nosniff;
11-
13+
1214
- if ($ssl_protocol = "") {
1315
- return 308 https://$host$request_uri;
1416
- }
15-
if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
16-
return 405;
17-
}
18-
index index.html;
19-
17+
- if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
18+
- return 405;
19+
- }
20+
- index index.html;
21+
-
2022
- access_log /var/log/nginx/st2webui.access.log combined;
2123
- error_log /var/log/nginx/st2webui.error.log;
2224
-}
@@ -25,9 +27,9 @@
2527
- listen *:443 ssl;
2628
- server_tokens off;
2729
-
28-
- if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
29-
- return 405;
30-
- }
30+
if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
31+
return 405;
32+
}
3133
-
3234
- ssl_certificate /etc/ssl/st2/st2.crt;
3335
- ssl_certificate_key /etc/ssl/st2/st2.key;
@@ -37,39 +39,39 @@
3739
- ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
3840
- ssl_prefer_server_ciphers on;
3941
-
40-
- index index.html;
41-
-
42+
index index.html;
43+
4244
- access_log /var/log/nginx/ssl-st2webui.access.log combined;
4345
- error_log /var/log/nginx/ssl-st2webui.error.log;
4446
+ access_log /proc/self/fd/1 combined;
4547
+ error_log stderr;
46-
48+
4749
- add_header Front-End-Https on;
4850
add_header X-Content-Type-Options nosniff;
4951
add_header X-Frame-Options DENY always;
5052
add_header Strict-Transport-Security "max-age=3153600;includeSubDomains";
5153
@@ -61,7 +35,7 @@
52-
54+
5355
rewrite ^/api/(.*) /$1 break;
54-
56+
5557
- proxy_pass http://127.0.0.1:9101/;
5658
+ proxy_pass ${ST2_API_URL};
5759
proxy_read_timeout 90;
5860
proxy_connect_timeout 90;
5961
proxy_redirect off;
6062
@@ -99,7 +73,7 @@
61-
63+
6264
rewrite ^/stream/(.*) /$1 break;
63-
65+
6466
- proxy_pass http://127.0.0.1:9102/;
6567
+ proxy_pass ${ST2_STREAM_URL};
6668
proxy_set_header Host $host;
6769
proxy_set_header X-Real-IP $remote_addr;
6870
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
6971
@@ -138,7 +112,7 @@
70-
72+
7173
rewrite ^/auth/(.*) /$1 break;
72-
74+
7375
- proxy_pass http://127.0.0.1:9100/;
7476
+ proxy_pass ${ST2_AUTH_URL};
7577
proxy_read_timeout 90;

st2web/files/st2.conf-https.patch

Lines changed: 45 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -1,51 +1,79 @@
1-
--- st2.conf 2021-06-18 19:45:50.892196136 +0100
2-
+++ st2.https.conf 2021-06-18 19:45:50.884196198 +0100
3-
@@ -20,8 +20,8 @@
1+
--- st2.conf 2023-09-18 15:03:31.000000000 +0100
2+
+++ st2.https.conf 2023-09-18 15:12:35.000000000 +0100
3+
@@ -7,7 +7,7 @@
4+
# see https://docs.stackstorm.com/install.html for details
5+
6+
server {
7+
- listen *:80 default_server;
8+
+ listen *:${ST2_PORT_HTTP} default_server;
9+
10+
add_header Front-End-Https on;
11+
add_header X-Content-Type-Options nosniff;
12+
@@ -20,12 +20,12 @@
413
}
514
index index.html;
6-
15+
716
- access_log /var/log/nginx/st2webui.access.log combined;
817
- error_log /var/log/nginx/st2webui.error.log;
918
+ access_log /proc/self/fd/1 combined;
1019
+ error_log stderr;
1120
}
12-
21+
1322
server {
23+
- listen *:443 ssl;
24+
+ listen *:${ST2_PORT_HTTPS} ssl;
25+
server_tokens off;
26+
27+
if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
1428
@@ -42,8 +42,8 @@
15-
29+
1630
index index.html;
17-
31+
1832
- access_log /var/log/nginx/ssl-st2webui.access.log combined;
1933
- error_log /var/log/nginx/ssl-st2webui.error.log;
2034
+ access_log /proc/self/fd/1 combined;
2135
+ error_log stderr;
22-
36+
2337
add_header Front-End-Https on;
2438
add_header X-Content-Type-Options nosniff;
25-
@@ -61,7 +61,7 @@
26-
39+
@@ -61,10 +61,11 @@
40+
2741
rewrite ^/api/(.*) /$1 break;
28-
42+
2943
- proxy_pass http://127.0.0.1:9101/;
3044
+ proxy_pass ${ST2_API_URL};
3145
proxy_read_timeout 90;
3246
proxy_connect_timeout 90;
3347
proxy_redirect off;
34-
@@ -99,7 +99,7 @@
35-
48+
+ proxy_ssl_trusted_certificate ${ST2_CA_CERT};
49+
50+
proxy_set_header Host $host;
51+
proxy_set_header X-Real-IP $remote_addr;
52+
@@ -99,12 +100,13 @@
53+
3654
rewrite ^/stream/(.*) /$1 break;
37-
55+
3856
- proxy_pass http://127.0.0.1:9102/;
3957
+ proxy_pass ${ST2_STREAM_URL};
4058
proxy_set_header Host $host;
4159
proxy_set_header X-Real-IP $remote_addr;
4260
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
43-
@@ -138,7 +138,7 @@
44-
61+
proxy_read_timeout 200;
62+
proxy_connect_timeout 200;
63+
+ proxy_ssl_trusted_certificate ${ST2_CA_CERT};
64+
65+
sendfile on;
66+
tcp_nopush on;
67+
@@ -138,10 +140,11 @@
68+
4569
rewrite ^/auth/(.*) /$1 break;
46-
70+
4771
- proxy_pass http://127.0.0.1:9100/;
4872
+ proxy_pass ${ST2_AUTH_URL};
4973
proxy_read_timeout 90;
5074
proxy_connect_timeout 90;
5175
proxy_redirect off;
76+
+ proxy_ssl_trusted_certificate ${ST2_CA_CERT};
77+
78+
proxy_set_header Host $host;
79+
proxy_set_header X-Real-IP $remote_addr;

0 commit comments

Comments
 (0)