Adding caddy

backend/Dockerfile

@@ -1,18 +1,18 @@
-# RedHat UBI 8 with an updated version of Node.js
-FROM registry.access.redhat.com/ubi8/ubi as builder
-
-RUN dnf module enable -y nodejs:16 && dnf install -y nodejs
+# https://catalog.redhat.com/software/containers/ubi8/nodejs-18-minimal/627d1c38e35da88581633bf1
+FROM registry.access.redhat.com/ubi8/nodejs-18-minimal:1-33.1679485315@sha256:74af9dc2b620022c77fcd712b811f64a03c1444ff1e9b9596a242b2edf3cf96f AS builder
 
 # Install packages, build and keep only prod packages
+USER root
 WORKDIR /app
-COPY . ./
-RUN npm ci --only=prod && \
+COPY *.json ./
+COPY ./src /app/src
+RUN npm ci --omit=dev && \
     npm run build
 
 # Deployment container
-FROM registry.access.redhat.com/ubi8/ubi-micro
+FROM registry.access.redhat.com/ubi8/ubi-micro:8.7-6@sha256:af0a83c2fb7db1b63a5655c85f3f37d32b114443b8969fd8a40d47429cd87016
 
-# Set node to production
+# Set node to production 
 ENV NODE_ENV production
 
 # Node packages and dependencies
@@ -31,8 +31,12 @@ WORKDIR /app
 COPY --from=builder /app/node_modules ./node_modules
 COPY --from=builder /app/dist ./dist
 
-# Expose port - mostly a convention, for readability
+# Port and health check
 EXPOSE 3000
+HEALTHCHECK --interval=30s --timeout=3s CMD curl -f http://localhost/:3000
+
+# Non-privileged user
+USER app
 
 # Start up command
-ENTRYPOINT ["node", "dist/src/main"]
+ENTRYPOINT ["node", "dist/main"]

frontend/Caddyfile

@@ -0,0 +1,55 @@
+{
+  auto_https off
+  admin off
+}
+:3000 {
+  log {
+    output stdout
+    format console {
+      time_format iso8601
+      level_format color
+    }
+    level {$LOG_LEVEL}
+  }
+  handle /static/js/config.js {
+          header {
+            Content-Type text/javascript
+          }
+          respond `window.REACT_APP_KEYCLOAK_URL="{$KEYCLOAK_URL}";
+                   window.REACT_APP_KEYCLOAK_REALM="standard";
+                   window.REACT_APP_KEYCLOAK_CLIENT_ID="ticdi-4133";
+                   window.REACT_APP_API_URL="{$BACKEND_URL}";`
+  }
+
+  root * /app/dist
+  encode zstd gzip
+  file_server
+  @spa_router {
+    not path /api/* /static/js/config.js
+    file {
+        try_files {path} /index.html
+    }
+  }
+  rewrite @spa_router {http.matchers.file.relative}
+  # Proxy requests to API service
+  reverse_proxy /api/* {$BACKEND_URL} {
+    header_up Host {http.reverse_proxy.upstream.hostport}
+    header_up X-Real-IP {remote_host}
+    header_up X-Forwarded-For {remote_host}
+  }
+  header {
+    X-Frame-Options "SAMEORIGIN"
+    X-XSS-Protection "1;mode=block"
+    Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate"
+    X-Content-Type-Options "nosniff"
+    Strict-Transport-Security "max-age=31536000"
+    Content-Security-Policy "default-src 'self' https://*.gov.bc.ca data:; script-src https://*.gov.bc.ca 'self' 'unsafe-eval' https://www2.gov.bc.ca ;style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://use.fontawesome.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://fonts.googleapis.com http://www.w3.org https://*.gov.bc.ca https://*.tile.openstreetmap.org"
+    Referrer-Policy "same-origin"
+    Feature-Policy "fullscreen 'self'; camera 'none'; microphone 'none'"
+  }
+}
+:3001 {
+  handle /health {
+    respond "OK"
+  }
+}

frontend/Dockerfile

@@ -1,38 +1,14 @@
-# RedHat UBI 8 with nodejs 16
-FROM registry.access.redhat.com/ubi8/ubi as builder
+FROM node:19-bullseye AS build
 
-RUN dnf module enable -y nodejs:16 && dnf install -y nodejs
-
-# Install packages, build and keep only prod packages
 WORKDIR /app
-COPY . ./
-RUN npm ci --only=prod && \
+COPY . .
+RUN npm ci --omit=dev && \
     npm run build
 
-# Deployment container
-FROM registry.access.redhat.com/ubi8/ubi-micro
-
-# Set node to production 
-ENV NODE_ENV production
-
-# Node packages and dependencies
-COPY --from=builder /usr/bin/node /usr/bin/
-COPY --from=builder /usr/lib64/libz.so.1 /usr/lib64/
-COPY --from=builder /usr/lib64/libbrotlidec.so.1 /usr/lib64/
-COPY --from=builder /usr/lib64/libbrotlienc.so.1 /usr/lib64/
-COPY --from=builder /usr/lib64/libcrypto.so.1.1 /usr/lib64/
-COPY --from=builder /usr/lib64/libssl.so.1.1 /usr/lib64/
-COPY --from=builder /usr/lib64/libstdc++.so.6 /usr/lib64/
-COPY --from=builder /usr/lib64/libgcc_s.so.1 /usr/lib64/
-COPY --from=builder /usr/lib64/libbrotlicommon.so.1 /usr/lib64/
-
-# Copy over app
-WORKDIR /app
-COPY --from=builder /app/node_modules ./node_modules
-COPY --from=builder /app/build ./dist
-
-# Expose port - mostly a convention, for readability
-EXPOSE 3000
+FROM caddy:2.6.4-alpine AS deploy
+COPY --from=build /app/Caddyfile /etc/caddy/Caddyfile
+COPY --from=build /app/build /app/dist
 
-# Start up command
-ENTRYPOINT ["node", "dist/src/main"]
+EXPOSE 3000 3001
+USER 1001
+HEALTHCHECK --interval=30s --timeout=3s CMD curl -f http://localhost/:3001/health || exit 1

frontend/package.json

@@ -35,13 +35,10 @@
     "sass": "^1.71.1"
   },
   "scripts": {
-    "prebuild": "rimraf dist",
     "start": "react-scripts start",
     "build": "react-scripts build",
     "test": "react-scripts test",
-    "eject": "react-scripts eject",
-    "start:prod": "node dist/main"
-  },
+    "eject": "react-scripts eject" },
   "eslintConfig": {
     "extends": [
       "react-app",

frontend/public/index.html

@@ -16,6 +16,7 @@
 
     <meta name="theme-color" content="#036" />
     <title>TICDI</title>
+    <script src="%PUBLIC_URL%/static/js/config.js"></script>
   </head>
   <body>
     <noscript>You need to enable JavaScript to run this app.</noscript>