From 4825916825f315fc23ddeaf4849c451ff36b6ce0 Mon Sep 17 00:00:00 2001
From: Richard van der Hoff
Date: Thu, 2 Jan 2025 13:49:39 +0000
Subject: [PATCH 1/5] Docker: allow configuration of HTTP listen port via env var

---
 Dockerfile | 8 ++++++--
 .../nginx-templates/default.conf.template | 4 ++--
 docs/install.md | 10 ++++++++++
 3 files changed, 18 insertions(+), 4 deletions(-)
 rename nginx/conf.d/default.conf => docker/nginx-templates/default.conf.template (90%)

diff --git a/Dockerfile b/Dockerfile
index 908c05520cc..caa46b62acd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -24,8 +24,12 @@ FROM nginx:alpine-slim
 
 COPY --from=builder /src/webapp /app
 
-# Override default nginx config
-COPY /nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf
+# Override default nginx config. Templates in `/etc/nginx/templates` are passed
+# through `envsubst` by the nginx docker image entry point.
+COPY /docker/nginx-templates/* /etc/nginx/templates/
 
 RUN rm -rf /usr/share/nginx/html \
     && ln -s /app /usr/share/nginx/html
+
+# HTTP listen port
+ENV ELEMENT_WEB_PORT=80
diff --git a/nginx/conf.d/default.conf b/docker/nginx-templates/default.conf.template
similarity index 90%
rename from nginx/conf.d/default.conf
rename to docker/nginx-templates/default.conf.template
index 0ae57903744..06f33e08dd2 100644
--- a/nginx/conf.d/default.conf
+++ b/docker/nginx-templates/default.conf.template
@@ -1,6 +1,6 @@
 server {
-    listen 80;
-    listen [::]:80;
+    listen ${ELEMENT_WEB_PORT};
+    listen [::]:${ELEMENT_WEB_PORT};
     server_name localhost;
 
     root /usr/share/nginx/html;
diff --git a/docs/install.md b/docs/install.md
index 1c182cdd34c..d309eba300e 100644
--- a/docs/install.md
+++ b/docs/install.md
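Review bot: The nginx server-config override has moved from build time to container start: `COPY /docker/nginx-templates/* /etc/nginx/templates/` only stages the template, and the rendered `conf.d/default.conf` exists only after the base image's entrypoint has run `envsubst`. A container started with a different `--entrypoint`, or a derived image that replaces the nginx entrypoint, will therefore serve with the base image's stock `default.conf` rather than this project's config, and the comment should say so, e.g. `# NOTE: the rendered config only exists once the nginx entrypoint has run; bypassing it leaves the stock default.conf in place.` Since `ENV ELEMENT_WEB_PORT=80` is now a runtime value, any `EXPOSE` earlier in the Dockerfile or inherited from the base image (outside this hunk, so unverified here) will no longer track the actual listen port; a one-line comment next to the `ENV` noting that `EXPOSE` is documentation only would avoid confusion.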
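Review bot: `listen ${ELEMENT_WEB_PORT};` splices the environment value into the config verbatim, so a value that is more than a bare port number (extra `listen` parameters, an address prefix) is accepted by nginx as configuration syntax, and an empty or malformed value makes nginx refuse to start. That is fail-closed and the variable is operator-controlled rather than attacker-controlled, but the contract belongs in the template itself: `# ${ELEMENT_WEB_PORT} is substituted verbatim by envsubst at container start; keep it a bare port number.` A `#` comment without `$` passes through `envsubst` unchanged, so it can sit directly above the two `listen` lines.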
@@ -60,6 +60,16 @@ would be:
 docker run --rm -p 127.0.0.1:80:80 -v /etc/element-web/config.json:/app/config.json vectorim/element-web
 ```
 
+The behaviour of the dockker image can be customised via the following
+environment variables:
+
+ * `ELEMENT_WEB_PORT`
+
+   The port to listen on (within the docker container) for HTTP
+   traffic. Defaults to `80`.
+
+### Building the docker image
+
 To build the image yourself:
 
 ```bash
From 098477efd25cfc3fe6f2844131583a5c44b0eac6 Mon Sep 17 00:00:00 2001
From: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
Date: Thu, 2 Jan 2025 14:48:44 +0000
Subject: [PATCH 2/5] Update docs/install.md

Co-authored-by: Michael Telatynski <7t3chguy@gmail.com>
---
 docs/install.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/install.md b/docs/install.md
index d309eba300e..2ee6dc07875 100644
--- a/docs/install.md
+++ b/docs/install.md
@@ -60,7 +60,7 @@ would be:
 docker run --rm -p 127.0.0.1:80:80 -v /etc/element-web/config.json:/app/config.json vectorim/element-web
 ```
 
-The behaviour of the dockker image can be customised via the following
+The behaviour of the docker image can be customised via the following
 environment variables:
 
  * `ELEMENT_WEB_PORT`
From 75a9fe213b7660ef94895c80ff621ba59ad7f85f Mon Sep 17 00:00:00 2001
From: Richard van der Hoff
Date: Thu, 2 Jan 2025 14:58:21 +0000
Subject: [PATCH 3/5] prettier

---
 docs/install.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/install.md b/docs/install.md
index 2ee6dc07875..7830324ffc5 100644
--- a/docs/install.md
+++ b/docs/install.md
@@ -63,10 +63,10 @@ docker run --rm -p 127.0.0.1:80:80 -v /etc/element-web/config.json:/app/config.j
 The behaviour of the docker image can be customised via the following
 environment variables:
 
- * `ELEMENT_WEB_PORT`
+- `ELEMENT_WEB_PORT`
 
-   The port to listen on (within the docker container) for HTTP
-   traffic. Defaults to `80`.
+  The port to listen on (within the docker container) for HTTP
+  traffic. Defaults to `80`.
 
 ### Building the docker image
 
From 076f93db6b961871dc23ba91236591f1166e5c5b Mon Sep 17 00:00:00 2001
From: Richard van der Hoff
Date: Thu, 2 Jan 2025 16:58:05 +0000
Subject: [PATCH 4/5] Docker: run as non-root

---
 Dockerfile | 16 +++++++++++++++-
 docs/install.md | 6 ++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index caa46b62acd..80316390c37 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # Builder
-FROM --platform=$BUILDPLATFORM node:22-bullseye as builder
+FROM --platform=$BUILDPLATFORM node:22-bullseye AS builder
 
 # Support custom branch of the js-sdk. This also helps us build images of element-web develop.
 ARG USE_CUSTOM_SDKS=false
@@ -28,8 +28,22 @@ COPY --from=builder /src/webapp /app
 # through `envsubst` by the nginx docker image entry point.
 COPY /docker/nginx-templates/* /etc/nginx/templates/
 
+# Override main nginx config, to make it suitable for use with non-root user
+RUN sed -i \
+    -e '/user *nginx;/d' \
+    -e 's,/var/run/nginx.pid,/tmp/nginx.pid,' \
+    -e "/^http {/a \ proxy_temp_path /tmp/proxy_temp;\n client_body_temp_path /tmp/client_temp;\n fastcgi_temp_path /tmp/fastcgi_temp;\n uwsgi_temp_path /tmp/uwsgi_temp;\n scgi_temp_path /tmp/scgi_temp;\n" \
+    /etc/nginx/nginx.conf
+
+# nginx user must own the cache and etc directory to write cache and tweak the nginx config
+RUN chown -R nginx:0 /var/cache/nginx /etc/nginx
+RUN chmod -R g+w /var/cache/nginx /etc/nginx
+
 RUN rm -rf /usr/share/nginx/html \
     && ln -s /app /usr/share/nginx/html
 
+# Run as nginx user by default
+USER nginx
+
 # HTTP listen port
 ENV ELEMENT_WEB_PORT=80
diff --git a/docs/install.md b/docs/install.md
index 7830324ffc5..f6bd98611cb 100644
--- a/docs/install.md
+++ b/docs/install.md
@@ -60,6 +60,12 @@ would be:
 docker run --rm -p 127.0.0.1:80:80 -v /etc/element-web/config.json:/app/config.json vectorim/element-web
 ```
 
+The Docker image is configured to run as an unprivileged (non-root) user by
+default. This should be fine on modern Docker runtimes, but binding to port 80
+on other runtimes may require root privileges. To resolve this, either run the
+image as root (`docker run --user 0`) or, better, change the port that nginx
+listens on via the `ELEMENT_WEB_PORT` environment variable.
+
 The behaviour of the docker image can be customised via the following
 environment variables:
 
From a56aea60b7bdb2959d46e1208d0a49b7345c3b21 Mon Sep 17 00:00:00 2001
From: Richard van der Hoff
Date: Fri, 3 Jan 2025 10:51:37 +0000
Subject: [PATCH 5/5] Simplify sed incantation

---
 Dockerfile | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 80316390c37..c50ffd48cff 100644
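Review bot: `RUN chown -R nginx:0 /var/cache/nginx /etc/nginx` followed by `RUN chmod -R g+w /var/cache/nginx /etc/nginx` makes the whole configuration tree, including `nginx.conf` and `mime.types`, writable by the very account nginx now runs as under `USER nginx`, so any code execution in an nginx process can persistently rewrite the server configuration inside the container. As far as I can tell only `/etc/nginx/conf.d` needs to be writable here, because that is where the base image's entrypoint writes the rendered template; I would narrow both commands to `/var/cache/nginx /etc/nginx/conf.d` unless some other entrypoint step that edits `nginx.conf` (the optional worker-process autotune, if it is used) is relied on. The two separate `RUN`s also copy every chown'd and chmod'd file into two new layers; `RUN chown -R nginx:0 /var/cache/nginx /etc/nginx/conf.d \` / `    && chmod -R g+w /var/cache/nginx /etc/nginx/conf.d` keeps one copy. The `:0` group and `g+w` look intended for runtimes that start the container with an arbitrary UID in GID 0; a comment saying so would spare the next reader from guessing.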
--- a/Dockerfile
+++ b/Dockerfile
@@ -28,12 +28,8 @@ COPY --from=builder /src/webapp /app
 # through `envsubst` by the nginx docker image entry point.
 COPY /docker/nginx-templates/* /etc/nginx/templates/
 
-# Override main nginx config, to make it suitable for use with non-root user
-RUN sed -i \
-    -e '/user *nginx;/d' \
-    -e 's,/var/run/nginx.pid,/tmp/nginx.pid,' \
-    -e "/^http {/a \ proxy_temp_path /tmp/proxy_temp;\n client_body_temp_path /tmp/client_temp;\n fastcgi_temp_path /tmp/fastcgi_temp;\n uwsgi_temp_path /tmp/uwsgi_temp;\n scgi_temp_path /tmp/scgi_temp;\n" \
-    /etc/nginx/nginx.conf
+# Tell nginx to put its pidfile elsewhere, so it can run as non-root
+RUN sed -i -e 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf
 
 # nginx user must own the cache and etc directory to write cache and tweak the nginx config
 RUN chown -R nginx:0 /var/cache/nginx /etc/nginx
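Review bot: Dropping the `-e '/user *nginx;/d'` expression leaves the base image's `user nginx;` directive in `nginx.conf`, and with `USER nginx` in effect nginx, as far as I recall, logs a startup warning that the directive only makes sense when the master process runs with super-user privileges and then ignores it. That is harmless but looks like a misconfiguration in the logs, so either keep the deletion, `RUN sed -i -e '/user *nginx;/d' -e 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf`, or extend the new comment to say the warning is expected. The temp-path overrides can presumably go because the base image's default temp directories live under `/var/cache/nginx`, which the following `chown` makes writable; that reasoning belongs in the comment, since the hunk otherwise reads as if those settings were never needed.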