Skip to content

Change Dockerfile to run Chproxy under non-root user #545

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dmeremyanin wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Change Dockerfile to run Chproxy under non-root user #545

dmeremyanin wants to merge 1 commit into from

Conversation

@dmeremyanin
Copy link

@dmeremyanin dmeremyanin commented Jun 6, 2025

Description

Changes:

  1. Security improvement: the application now runs as a non-root user inside the container, following best practices for containerized environments. This helps reduce the potential impact of security vulnerabilities.
  2. Image size optimization: switched the base image to debian:12-slim, reducing the overall image size from 291MB to 219MB.

For more information, refer to the following resources:

Fixes #515

Pull request type

Please check the type of change your PR introduces:

  • Bugfix
  • Feature
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • Documentation content changes
  • Other (please describe):

Checklist

  • Linter passes correctly
  • Add tests which fail without the change (if possible)
  • All tests passing
  • Extended the README / documentation, if necessary

Does this introduce a breaking change?

  • Yes
  • No

dmeremyanin
dmeremyanin commented Jun 6, 2025
View reviewed changes
Dockerfile

EXPOSE 9090

USER $USER
Copy link
Author

@dmeremyanin dmeremyanin Jun 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the following features are used:

  1. Autocert cache
  2. File-based caching

Then the corresponding directories must be writable by UID 1000. This change may be considered breaking, as it requires explicit directory permissions when these features are enabled.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Feature] Need to run image with non-root user

1 participant

@dmeremyanin