unprivilidged user, port 8080, docs

diff --git a/Dockerfile b/Dockerfile
index 848048d5ba8dfadcbd81f954cdd3812b888b475a..e88b532b52c3e8012314c660a2ae203acf772c8e 100644 (file)
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 FROM php:7.3-fpm-alpine
 MAINTAINER "Jérôme Jutteau <mojo@jirafeau.net>"
 FROM php:7.3-fpm-alpine
 MAINTAINER "Jérôme Jutteau <mojo@jirafeau.net>"

-ARG USER_UID=0
+ARG USER_UID=2009

 
 # install base
 RUN apk update && \
 
 # install base
 RUN apk update && \

diff --git a/docker/README.md b/docker/README.md
index 5dc4c2c0495c45bb4bab1b72e17f8a2773d0b6db..432c351a9af5cc0d0c241de095fc14c839cf5634 100644 (file)
--- a/docker/README.md
+++ b/docker/README.md
@@ -20,17 +20,26 @@ docker build -t mojo42/jirafeau:latest .
 
 Once you have your Jirafeau's image, you can run a quick & dirty Jirafeau using:
 ```
 
 Once you have your Jirafeau's image, you can run a quick & dirty Jirafeau using:
 ```

-docker run -d -p 8000:80 mojo42/jirafeau
+docker run -d -p 8080:8080 mojo42/jirafeau

 ```
 ```

-and then connect on [locahost:8000](http://localhost:8000) and proceed to installation.
+and then connect on [locahost:8080](http://localhost:8080) and proceed to installation.

 
 An other way to run Jirafeau (in a more controlled way) is to mount your Jirafeau's reprository in /www folder so your data are outside the container. This way, you will be able to easily make backups, upgrade Jirafeau, change configuration and develop Jirafeau.
 ```
 
 An other way to run Jirafeau (in a more controlled way) is to mount your Jirafeau's reprository in /www folder so your data are outside the container. This way, you will be able to easily make backups, upgrade Jirafeau, change configuration and develop Jirafeau.
 ```

-docker run -d -p 8000:80 -v$(pwd):/www mojo42/jirafeau
+docker run -d -p 8080:8080 -v$(pwd):/www mojo42/jirafeau

 ```
 
 There are also other ways to manage your container (like docker's volumes) but this is out of the scope of this documentation.
 
 ```
 
 There are also other ways to manage your container (like docker's volumes) but this is out of the scope of this documentation.
 

+## Security
+
+Jirafeau is run without privilidges with user id 2009. To make it able to open privilidged ports you can pass the capability, just stay with 8080 and use a reverse proxy or map the port 80:8080.
+```
+docker run -d -p 80:80 --sysctl net.ipv4.ip_unprivileged_port_start=80 mojo42/jirafeau
+docker run -d -p 8080:8080 mojo42/jirafeau
+docker run -d -p 80:8080 mojo42/jirafeau
+```
+

 ## Few notes
 
 - SSL is currently not enabled in docker's image for the moment
 ## Few notes
 
 - SSL is currently not enabled in docker's image for the moment

diff --git a/docker/lighttpd.conf b/docker/lighttpd.conf
index 0e4bb5d0a6b34e5cd996c1813b12493fcf4120d9..b7032d98322b3cafe4b95801c2dd90cceea2d0e6 100644 (file)
--- a/docker/lighttpd.conf
+++ b/docker/lighttpd.conf
@@ -2,6 +2,7 @@ var.basedir  = "/www"
 var.logdir   = "/var/log/lighttpd"
 var.statedir = "/var/lib/lighttpd"
 
 var.logdir   = "/var/log/lighttpd"
 var.statedir = "/var/lib/lighttpd"
 

+server.port = 8080

 server.modules = (
     "mod_access",
     "mod_usertrack",
 server.modules = (
     "mod_access",
     "mod_usertrack",


@@ -12,8 +13,8 @@ server.modules = (
 include "mime-types.conf"
 include "mod_fastcgi_fpm.conf"
 
 include "mime-types.conf"
 include "mod_fastcgi_fpm.conf"
 

-server.username      = "lighttpd"
-server.groupname     = "lighttpd"
+#server.username      = "lighttpd"
+#server.groupname     = "lighttpd"

 
 server.pid-file      = "/run/lighttpd.pid"
 server.errorlog      = var.logdir  + "/error.log"
 
 server.pid-file      = "/run/lighttpd.pid"
 server.errorlog      = var.logdir  + "/error.log"