Run as user dropping privileges

rootfs/Dockerfile

@@ -20,7 +20,8 @@ WORKDIR  /etc/nginx
 
 RUN clean-install \
   diffutils \
-  dumb-init
+  dumb-init \
+  libcap2-bin 
 
 # Create symlinks to redirect nginx logs to stdout and stderr docker log collector
 # This only works if nginx is started with CMD or ENTRYPOINT
@@ -30,6 +31,14 @@ RUN mkdir -p /var/log/nginx \
 
 COPY . /
 
+RUN setcap cap_net_bind_service=+ep /usr/sbin/nginx \
+  && setcap cap_net_bind_service=+ep /nginx-ingress-controller
+
+RUN mkdir -p /etc/ingress-controller/ssl /etc/ingress-controller/auth \
+  && chown -R www-data.www-data /etc/nginx /etc/ingress-controller
+
+USER www-data
+
 ENTRYPOINT ["/usr/bin/dumb-init"]
 
 CMD ["/nginx-ingress-controller"]

rootfs/etc/nginx/nginx.conf

@@ -1,5 +1,5 @@
 # A very simple nginx configuration file that forces nginx to start.
-pid /run/nginx.pid;
+pid /tmp/nginx.pid;
 
 events {}
 http {}

rootfs/etc/nginx/template/nginx.tmpl

@@ -7,6 +7,9 @@
 {{ $proxyHeaders := .ProxySetHeaders }}
 {{ $addHeaders := .AddHeaders }}
 
+# setup custom paths that do not require root access
+pid /tmp/nginx.pid;
+
 {{ if $cfg.EnableModsecurity }}
 load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;
 {{ end }}
@@ -20,7 +23,6 @@ worker_processes {{ $cfg.WorkerProcesses }};
 worker_cpu_affinity {{ $cfg.WorkerCpuAffinity }};
 {{ end }}
 
-pid /run/nginx.pid;
 {{ if ne .MaxOpenFiles 0 }}
 worker_rlimit_nofile {{ .MaxOpenFiles }};
 {{ end }}
@@ -115,6 +117,10 @@ http {
     keepalive_timeout  {{ $cfg.KeepAlive }}s;
     keepalive_requests {{ $cfg.KeepAliveRequests }};
 
+    client_body_temp_path           /tmp/client-body;
+    fastcgi_temp_path               /tmp/fastcgi-temp;
+    proxy_temp_path                 /tmp/proxy-temp;
+
     client_header_buffer_size       {{ $cfg.ClientHeaderBufferSize }};
     client_header_timeout           {{ $cfg.ClientHeaderTimeout }}s;
     large_client_header_buffers     {{ $cfg.LargeClientHeaderBuffers }};