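# syntax=docker/dockerfile:1
# DAARION Web Frontend - SECURE Dockerfile
# Multi-stage build with security hardening
# Version: 2.0.0 (Post-Incident Hardening)
# Created: 2026-01-09
#
# Layout: deps (install) -> builder (next build) -> runner (standalone output only).
# Only the self-contained `.next/standalone` output reaches the final image, so
# build tooling and devDependencies never ship in the runtime layer.

# Single source of truth for the base image used by every stage.
# For reproducible builds pin by digest, e.g. node:20-alpine@sha256:<digest-placeholder>
# (resolve it with `docker buildx imagetools inspect node:20-alpine`).
ARG NODE_IMAGE=node:20-alpine

# ============================================
# Stage 1: Dependencies (isolated install)
# ============================================
FROM ${NODE_IMAGE} AS deps

# libc6-compat: glibc shim that some prebuilt Node addons expect on Alpine/musl.
# --no-cache already skips /var/cache/apk, so no separate cleanup step is needed.
RUN apk add --no-cache libc6-compat

WORKDIR /app

# Copy only the manifests so this layer is reused until they change.
# A lockfile is required: `npm ci` refuses to run without one.
COPY package.json package-lock.json* ./

# Install the full lockfile (devDependencies included): `next build` needs the
# build-time toolchain, and none of this stage's node_modules is copied into the
# runner stage. Installing production-only here is why a build can fail on
# missing typescript/postcss-style tooling.
# --ignore-scripts blocks install-time scripts from dependencies (supply-chain
# hardening). If a dependency genuinely needs a postinstall step, run that one
# step explicitly here rather than re-enabling scripts globally.
RUN npm ci --ignore-scripts \
 && npm cache clean --force

# ============================================
# Stage 2: Builder (compile application)
# ============================================
FROM ${NODE_IMAGE} AS builder

WORKDIR /app

# Reuse the installed dependencies from the deps stage.
COPY --from=deps /app/node_modules ./node_modules

# Copy the source tree. A .dockerignore excluding .git, .env*, node_modules and
# build output keeps secrets and stale artifacts out of the build context —
# this Dockerfile assumes one exists (TODO: confirm in the repository).
COPY . .

# Build-time environment only; the runner stage declares its own ENV.
ENV NEXT_TELEMETRY_DISABLED=1 \
    NODE_ENV=production

# Produce the standalone output consumed by the runner stage
# (presumes `output: "standalone"` in next.config — verify).
# No pruning afterwards: nothing from this stage's node_modules is copied to
# the runner; the standalone output carries its own traced dependencies.
RUN npm run build

# ============================================
# Stage 3: Runner (minimal production image)
# ============================================
FROM ${NODE_IMAGE} AS runner

LABEL maintainer="DAARION Security Team" \
      version="2.0.0-secure" \
      description="Hardened DAARION Web Frontend"

WORKDIR /app

# Runtime environment. HOSTNAME=0.0.0.0 makes the standalone server listen on
# all container interfaces; PORT is read by both server.js and the healthcheck.
ENV NODE_ENV=production \
    NEXT_TELEMETRY_DISABLED=1 \
    PORT=3000 \
    HOSTNAME="0.0.0.0"

# Dedicated non-root runtime identity with fixed numeric ids so orchestrators
# (e.g. runAsNonRoot checks) can verify them.
RUN addgroup --system --gid 1001 nodejs \
 && adduser --system --uid 1001 --ingroup nodejs nextjs

# Best-effort removal of network fetch tools. On node:alpine neither is a
# standalone package (wget is a busybox applet, curl is not installed), so
# `apk del` may have nothing to do; the `|| true` keeps that from failing the
# build without masking the cleanup that follows.
# NOTE: /bin/sh is deliberately NOT deleted. Shell-form RUN steps and any
# shell-form HEALTHCHECK exec through /bin/sh, so removing it makes the next
# RUN fail with "no such file"; busybox would remain at /bin/busybox anyway.
# A genuinely shell-less runtime needs a distroless-style base, not `rm -f`.
RUN (apk del --purge curl wget || true) \
 && rm -rf /var/cache/apk/* /tmp/* /var/tmp/*

# Copy only the runtime artifacts. Ownership is root:nodejs rather than the
# app user: the process reads them through its group but cannot chmod or
# modify them, which is stronger than owner-only bits the app user could flip.
# `public` was previously copied without --chown and ended up root:root 400 —
# unreadable for the nextjs user.
COPY --from=builder --chown=root:nodejs /app/public ./public
COPY --from=builder --chown=root:nodejs /app/.next/standalone ./
COPY --from=builder --chown=root:nodejs /app/.next/static ./.next/static

# Read-only, group-accessible tree. Directories need the execute bit to be
# traversed (a 400 directory cannot be listed or entered), files need only read.
# /app itself was created root-owned by WORKDIR and is not touched by
# COPY --chown, so its group is fixed explicitly; a 500 /app owned by root
# locks the nextjs user out of everything underneath it.
# NOTE(review): the tree is read-only, so Next.js features that write under
# .next (e.g. the image optimisation cache) will log errors — unchanged from
# the previous revision; mount a writable volume there if they are required.
RUN chown root:nodejs /app \
 && find /app -type d -exec chmod 550 {} + \
 && find /app -type f -exec chmod 440 {} +

# Switch to the non-root user after all root-only setup is complete.
USER nextjs

# Documents the service port. EXPOSE neither publishes nor restricts anything;
# reachability is decided by the runtime/network configuration.
EXPOSE 3000

# Exec-form healthcheck: no /bin/sh involved. Probes IPv4 loopback explicitly
# (avoids `localhost` resolving to ::1 against an IPv4 listener), honours PORT,
# and exits 1 on connection errors instead of dying on an unhandled 'error'.
HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
  CMD ["node", "-e", "require('http').get({host:'127.0.0.1',port:process.env.PORT||3000,path:'/api/health'},(r)=>process.exit(r.statusCode===200?0:1)).on('error',()=>process.exit(1))"]

# Run the standalone server directly as PID 1 (exec form, receives SIGTERM).
CMD ["node", "server.js"]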