# Production-hardened Dockerfile for auth-proxy # # We use a multi-stage build to keep the final image small. # The build stage compiles the binary, and the runtime stage copies # only the binary and the required configuration. FROM docker.iranserver.com/golang:1.26-alpine AS builder WORKDIR /app RUN /usr/local/go/bin/go env -w GOPROXY=https://go.iranserver.com/repository/go/ \ && /usr/local/go/bin/go env -w GOSUMDB=off COPY go.mod go.sum ./ RUN go mod download COPY . . RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o auth-proxy . # Runtime stage FROM docker.iranserver.com/alpine:3.23 WORKDIR /app # Create a non-root user (security best practice). RUN addgroup -S auth-proxy && adduser -S auth-proxy -G auth-proxy # Copy the binary from the builder stage. COPY --from=builder /app/auth-proxy . # Create directories for config and data. RUN mkdir -p /config /data # Set ownership so the non-root user can write to /data but not /config. RUN chown -R auth-proxy:auth-proxy /data && chown auth-proxy:auth-proxy /config # Switch to the non-root user. USER auth-proxy # Expose the HTTP port. EXPOSE 8080 # Start the service. ENTRYPOINT ["/app/auth-proxy"] CMD []