Project author: codecentric

Project description:
A base image for single page applications.
Primary language: Java
Repository URL: git://github.com/codecentric/single-page-application-server.git
Created: 2020-12-04T11:07:23Z
Project community: https://github.com/codecentric/single-page-application-server

License: MIT License



Single Page Application Server


This container image provides a base for serving Single Page Applications (SPAs) using Nginx as its web server.

For deploying applications built on this image, a corresponding Helm chart is also available on Docker Hub.

Tags

The following tags are updated automatically on a weekly basis with the latest Nginx base image:

  • latest (alias for 1-nginx-stable-alpine)
  • 1 (alias for 1-nginx-stable-alpine)
  • latest-nginx-stable-alpine (alias for 1-nginx-stable-alpine)
  • 1-nginx-stable-alpine
  • latest-nginx-mainline-alpine (alias for 1-nginx-mainline-alpine)
  • 1-nginx-mainline-alpine

Additional tags for specific Nginx versions are also available.

Examples

Examples for usage with Angular and React are located in the examples directory.

General Features

  • SPA Routes Handling: Routes not matching static files will serve index.html, with exceptions for resources like .js, .css, etc.
  • Dynamic Configuration: Configure your SPA at container startup. The configuration is accessible via window.spaConfig.
  • Environment-Specific Config: Customize settings based on port and domain.
  • Resource Caching: Hashed resources are cached indefinitely. Resources must include a hash of at least 8 characters.
  • HTTP/2: Enabled by default for HTTPS connections.
  • Helm Chart: A general Helm chart is available for applications using this image.

Security Features

  • Content Security Policy: Restrictive by default, with automatic whitelisting for server API endpoints.
  • Referrer Policy: Disabled by default to prevent leakage.
  • Content Type Sniffing: Disabled by default.
  • HTTPS: Enforced via HSTS if enabled; uses recommended OWASP protocols and cipher suites.
  • Non-Root User: The container runs as a non-root user but can bind to ports 80 and 443.
  • Source Maps: Disabled by default.
  • Read-only Root Filesystem: Supported at container runtime.
  • Supply Chain Verification: All images are signed using cosign. See the Supply Chain Verification section below for details.

Configuration

App Directory

Place your SPA resources in /app/. All files in this directory will be served by Nginx.

YAML Configuration

Configure the application through YAML files at startup:

  1. Default Configuration: Add a default configuration file to /config/default.yaml. Usually added during docker build.
  2. Runtime Configuration: Mount a runtime configuration file at /config/config.yaml. This file will override default settings.

Example Configuration

```yaml
default:
  spa_config:
    appTitle: "My Application"
    endpoints:
      api: "https://api.example.com"
```

You can also define host-specific configurations:

```yaml
default:
  spa_config:
    appTitle: "My Default Title"
    endpoints:
      api: "https://api.example.com"
special_host:
  server_names:
    - "special.example.com"
  spa_config:
    appTitle: "My Domain-specific Title"
```

Configuration Reference

The following configuration shows the default values of this base image for every available setting:

```yaml
default:
  # Specifies to which host names this configuration should apply.
  server_names:
    # "_" matches any hostname
    - "_"
  # The href attribute for the base element in the index.html
  base_href: "/"
  # All options in this map will be available inside the SPA via `window.spaConfig`.
  # To enable this feature, you also need to include spa_config.js in your index.html.
  # An existing spa_config.js will be overridden at container startup.
  spa_config:
    # A map of endpoints to which the SPA will communicate.
    # These endpoints will automatically be whitelisted in the connect-src CSP directive
    # if .hardening.whitelist_spa_config_endpoints_as_connect_sources is enabled.
    endpoints: {}
  access_log:
    # Enables access logging
    enabled: false
  source_maps:
    # Enables source maps
    enabled: false
    # Configures the regex that is used to identify source map resources
    regex: "\\.(js|css)\\.map$"
  http:
    enabled: true
    port: 80
    # Enables redirect to HTTPS if HTTPS is enabled.
    https_redirect: true
    # Use a different https_redirect_port if the application is behind a NAT.
    # 0 = use https.port
    https_redirect_port: 0
    # HTTP/2 over plain text is disabled by default as Nginx supports HTTP/2 over plain text only via prior knowledge.
    # Enabling HTTP/2 for plain-text connections will prevent clients without prior knowledge from connecting.
    # https://trac.nginx.org/nginx/ticket/816
    http2_enabled: false
  https:
    enabled: false
    port: 443
    # Enforces HTTPS permanently
    hsts_enabled: true
    ssl_certificate: /etc/ssl/default.crt
    ssl_certificate_key: /etc/ssl/default.key
    # Configures supported TLS protocols and cipher suites with the recommended value from
    # https://github.com/OWASP/CheatSheetSeries/blob/1e07c6c894f98af58d8a417eb8df1b20e1b3337e/cheatsheets/TLS_Cipher_String_Cheat_Sheet.md
    owasp_cipher_string: A
    http2_enabled: true
  keepalive:
    server:
      # Sets a timeout in seconds during which a keep-alive client connection will stay open on the server side.
      timeout_seconds: 75
  hardening:
    # Disables the referrer to prevent information leakage
    referrer_policy: "no-referrer"
    # Prevents browsers from guessing the content type
    x_content_type_options: "nosniff"
    # Will whitelist the endpoints listed in .spa_config.endpoints automatically in the connect-src CSP directive if enabled.
    whitelist_spa_config_endpoints_as_connect_sources: true
    # Map of CSP directives, which will be added to all HTTP responses for HTML and JavaScript documents
    content_security_policy:
      base-uri: "'self'"
      block-all-mixed-content: true
      default-src: "'self'"
      form-action: "'self'"
      frame-ancestors: "'self'"
      frame-src: "'self'"
      object-src: "'none'"
      script-src: "'self'"
      style-src: "'self'"
```
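As an added illustration (not the image's own startup script), the following Python models the behaviour documented above: the runtime config.yaml overriding default.yaml, a host-specific block applied when the server name matches, and the origins from spa_config.endpoints being whitelisted in the connect-src CSP directive. The deep-merge precedence and keeping 'self' in connect-src are assumptions of this example; both configuration dicts are constructed.

```python
import copy
from urllib.parse import urlsplit

# Constructed stand-ins for the parsed /config/default.yaml (build time) and
# /config/config.yaml (mounted at runtime); values are invented for the demo.
DEFAULT_YAML = {
    "default": {
        "server_names": ["_"],
        "spa_config": {"appTitle": "My Default Title",
                       "endpoints": {"api": "https://api.example.com"}},
        "hardening": {
            "whitelist_spa_config_endpoints_as_connect_sources": True,
            "content_security_policy": {"default-src": "'self'", "script-src": "'self'",
                                        "object-src": "'none'", "block-all-mixed-content": True}}},
    "special_host": {
        "server_names": ["special.example.com"],
        "spa_config": {"appTitle": "My Domain-specific Title",
                       "endpoints": {"api": "https://special-api.example.com"}}}}
RUNTIME_YAML = {"default": {"spa_config": {"endpoints": {"api": "https://api.prod.example.com"}}}}

def deep_merge(base, override):
    """Recursively merge override into a copy of base: maps merge, other values replace."""
    out = copy.deepcopy(base)
    for key, value in override.items():
        both_maps = isinstance(value, dict) and isinstance(out.get(key), dict)
        out[key] = deep_merge(out[key], value) if both_maps else copy.deepcopy(value)
    return out

def effective_config(default_yaml, runtime_yaml, server_name):
    """Assumed precedence: runtime file over default file, then a host block whose
    server_names lists server_name over the 'default' block ("_" matches any host)."""
    merged = deep_merge(default_yaml, runtime_yaml)
    cfg = merged["default"]
    for name, block in merged.items():
        names = block.get("server_names", [])
        if name != "default" and (server_name in names or "_" in names):
            cfg = deep_merge(cfg, block)
    return cfg

def csp_header(cfg):
    """Render Content-Security-Policy: True emits a bare directive, strings carry a value.
    With whitelisting on, endpoint origins are appended to connect-src after 'self' (assumed)."""
    hardening = cfg["hardening"]
    directives = dict(hardening["content_security_policy"])
    if hardening.get("whitelist_spa_config_endpoints_as_connect_sources"):
        origins = sorted({f"{u.scheme}://{u.netloc}" for u in
                          map(urlsplit, cfg["spa_config"]["endpoints"].values())})
        directives["connect-src"] = " ".join(["'self'"] + origins)
    return "; ".join(k if v is True else f"{k} {v}" for k, v in directives.items() if v is not False)
```

Because connect-src is derived from the resolved endpoints, a runtime override of an endpoint changes the CSP as well; the example shows that a stale endpoint is not silently left whitelisted.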

Read-only Root Filesystem Support

For security, run the container with a read-only root filesystem. The following directories must remain writable:

  • /config/.out: Used for file generation.
  • /tmp: Used by Nginx for cached files and nginx.pid.

When using Kubernetes, consider mounting these directories as writable volumes with emptyDir.

Supply Chain Verification

Use cosign to verify the base image referenced in your Dockerfile when it builds on a codecentric/single-page-application-server image:

```shell
cosign dockerfile verify Dockerfile \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity-regexp '^https\:\/\/github\.com\/codecentric\/single\-page\-application\-server\/' \
  --base-image-only
```

You can try this by checking out this repository and executing this command in the examples/angular directory.

Development

License

MIT