security: making the env.sh public available is not so great

[RobertHeim]

In the final stage of the Dockerfile it says

WORKDIR /usr/share/nginx/html
COPY ./env.sh .
COPY .env .
RUN chmod +x env.sh

and in the nginx.conf that folder is used as root:

    root   /usr/share/nginx/html;

I think the sh script should not be part of the folder that nginx serves to the world.

[kunokdev]

Do you have exact plan how to place it properly?

Please note that all those values within that file are exposed to the client anyway and you should only store public frontend values in there.

Also at the end of the blog I mentioned additional layer, to add prefixes logic for env vars that you only want to use. I am happy to accept new branch with such implementation or a PR that improves above mentioned security improvement.

[RobertHeim]

While the information of that file is not sensitive, it is still not meant to be public. It is a script and should not be available via http.

Just copy the script anywhere outside the folder used by nginx as root, e.g.

WORKDIR /env-config
COPY ./env.sh .
RUN chmod +x env.sh

Next, update the path where the script is called:

# Start Nginx server
CMD ["/bin/sh", "-c", "/env-config/env.sh && nginx -g \"daemon off;\""]

Then update the output path in the script itself:

echo "..." >> /usr/share/nginx/html/env-config.js

In the end you want env-config.js to be available via http, but not env.sh.