I wrote about this exact topic earlier:
Dockerfile, in this post I'm going to cover secure general Dockerization for Nestjs. Let's create a Dockerfile
# Stage 1: Build the app FROM node:22-alpine AS builder WORKDIR /usr/src/app COPY package*.json ./ COPY entrypoint.sh ./ COPY .env ./ RUN yarn install --omit=dev COPY . . RUN yarn build # Stage 2: Setup prod FROM node:22-alpine WORKDIR /usr/src/app COPY --from=builder /usr/src/app/dist ./dist COPY --from=builder /usr/src/app/entrypoint.sh ./ COPY --from=builder /usr/src/app/package*.json ./ COPY --from=builder /usr/src/app/.env ./ ENV NODE_ENV production RUN chmod +x ./entrypoint.sh USER node ENTRYPOINT ["./entrypoint.sh"] CMD ["node", "dist/main.js"] As you can see, Dockerfile consists of two stages: Build & Prod. We need this to minimize build size by only copying essential files or directories (dist) to the final stage. I'm not going deep into Dockerfile in this post, but I'll explain some of the lines:
RUN yarn install --omit=dev: Install only production dependencies possible. Read hereentrypoint.shit's abashfile containing commands run before our Nestjs application. For example, you may have to run db migrations before Nestjs starts check my previous post.
⚠️ REMEMBER: If you use dev commands in
entrypoint.shfile, make sure to install dev dependencies by removing--omit=devflag fromyarn install. Also you need to copynode_modulesto final stage.
ENV NODE_ENV production: Always run your Nestjs app onproductionenvironment. When you build your Node.js Docker image for production, you want to ensure that all frameworks and libraries are using the optimal settings for performance and security. Read hereUSER node: Usenodeusernode:22-alpineimage provides. Because you really don't want to run your app asrootuser. Read hereCMD ["node", "dist/main.js"]: It's good way to run your node/nestjs application with directlynodecommand instead ofnpm run start:prod(don't do that like I did in my prev post :D). Read here
Bonus
Docker services (Postgres & Redis) setup
Create docker-compose.yaml file:
services: app: container_name: 'nestjs-app' restart: always build: context: . dockerfile: Dockerfile environment: REDIS_HOST: redis DB_HOST: postgres PORT: ${PORT} ports: - ${PORT}:${PORT} networks: - nestjs-net depends_on: redis: condition: service_healthy restart: true postgres: condition: service_healthy restart: true redis: container_name: 'nestjs-redis' image: bitnami/redis:7.4 restart: always ports: - ${REDIS_PORT}:${REDIS_PORT} environment: REDIS_PASSWORD: ${REDIS_PASSWORD} REDIS_PORT_NUMBER: ${REDIS_PORT} REDIS_DB: ${REDIS_DB} REDIS_IO_THREADS: 4 REDIS_IO_THREADS_DO_READS: yes REDIS_DISABLE_COMMANDS: FLUSHDB,FLUSHALL healthcheck: test: ['CMD', 'redis-cli', '--raw', 'incr', 'ping'] interval: 5s timeout: 5s retries: 5 volumes: - nestjs-redis-data:/bitnami/redis/data networks: - nestjs-net postgres: container_name: 'nestjs-postgres' image: bitnami/postgresql:17 restart: always environment: POSTGRESQL_PORT_NUMBER: ${DB_PORT} POSTGRESQL_USERNAME: ${DB_USER} POSTGRESQL_PASSWORD: ${DB_PASSWORD} POSTGRESQL_DATABASE: ${DB_NAME} POSTGRESQL_TIMEZONE: 'Asia/Tashkent' // Set your timezone healthcheck: test: ['CMD-SHELL', 'pg_isready -U postgres'] interval: 5s timeout: 5s retries: 5 ports: - ${DB_PORT}:${DB_PORT} volumes: - nestjs-postgres-data:/bitnami/postgresql networks: - nestjs-net volumes: nestjs-redis-data: driver: local nestjs-postgres-data: driver: local networks: nestjs-net: driver: bridge Example .env file:
PORT=9000 # Redis REDIS_PASSWORD= REDIS_HOST=localhost REDIS_PORT=6379 REDIS_DB=0 # Postgres DB_USER= DB_PASSWORD= DB_NAME= DB_PORT=5432 DB_HOST=localhost That's it! Thanks for reading. I don't say it's 100% secure Docker image because you can always implement something better. If you find any mistake please leave a comment. For more visit: OWASP Node.js Docker Cheat Sheet
Top comments (0)