dockerfile: Add note about server_tokens

open-contracting · Aug 22, 2023 · adc867f · adc867f
1 parent 168218e
commit adc867f
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 8 deletions.
diff --git a/cookiecutter-django/{{cookiecutter.project_slug}}/Dockerfile_static b/cookiecutter-django/{{cookiecutter.project_slug}}/Dockerfile_static
@@ -13,4 +13,5 @@ RUN python manage.py collectstatic --noinput -v2
 FROM nginxinc/nginx-unprivileged:latest as production-stage
 USER root
 COPY --from=build-stage --chown=nginx:root /workdir/static /usr/share/nginx/html/static
+COPY --chown=nginx:root default.conf /etc/nginx/conf.d/default.conf
 USER nginx
diff --git a/docs/docker/dockerfile.rst b/docs/docker/dockerfile.rst
@@ -59,17 +59,21 @@ For Node, use the default image, `as recommended <https://hub.docker.com/_/node/
 
 For a web server, use the `nginxinc/nginx-unprivileged:latest <https://hub.docker.com/r/nginxinc/nginx-unprivileged>`__ image. Note that the default port is changed to 8080 (instead of 80).
 
-For reference, the default ``/etc/nginx/conf.d/default.conf`` file in the Nginx image is:
+Set ``server_tokens off;`` to prevent false positives from penetration tests (Ubuntu backports security patches, without changing version numbers).
 
-.. literalinclude:: samples/default.conf
-   :language: nginx
+.. note::
+
+   For reference, the default ``/etc/nginx/conf.d/default.conf`` file in the Nginx image is:
+
+   .. literalinclude:: samples/default.conf
+      :language: nginx
 
-..
-   To update the samples/default.conf file:
+   ..
+      To update the samples/default.conf file:
 
-   docker pull nginxinc/nginx-unprivileged
-   docker run -it --entrypoint sh nginxinc/nginx-unprivileged
-   $ cat /etc/nginx/conf.d/default.conf
+      docker pull nginxinc/nginx-unprivileged
+      docker run -it --entrypoint sh nginxinc/nginx-unprivileged
+      $ cat /etc/nginx/conf.d/default.conf
 
 .. seealso::