This repository was archived by the owner on Apr 10, 2026. It is now read-only.

Docker & CSP Fixes for nginx-unprivileged #27

Open
benrhughes wants to merge 9 commits into dynamicskillset:main from benrhughes:feature/nginxfix

Conversation

@benrhughes
Contributor

Further testing of changes made as a result of PR feedback has found some issues.

This PR addresses nginx-unprivileged compatibility issues and updates the Content Security Policy to support self-hosted RSS services.

Changes

1. nginx PID File Fix

  • Added: pid /tmp/nginx.pid; to nginx.conf
  • Reason: nginxinc/nginx-unprivileged runs as non-root user and can't write to /run/nginx.pid

2. Health Check IPv6 Fix

  • Changed: Health check URL from http://localhost:8080/ to http://127.0.0.1:8080/
  • Reason: localhost resolves to IPv6 ::1 inside container, but nginx listens only on IPv4

3. Removed Redundant Server-Level Headers

  • Removed: Server-level add_header block in nginx.conf
  • Reason: nginx inheritance rules suppress server-level headers when location blocks define their own. All headers are now properly applied at location level.

4. Allow HTTP Connections (connect-src)

  • Before: connect-src 'self' https:
  • After: connect-src 'self' https: http:
  • Reason: Many users run FreshRSS and other RSS services on local networks without HTTPS

5. Allow HTTP Images (img-src)

  • Before: img-src 'self' data: https:
  • After: img-src 'self' data: https: http:
  • Reason: RSS feeds often include images from HTTP sources

6. Re-enable Inline Styles (style-src)

  • Before: style-src 'self'
  • After: style-src 'self' 'unsafe-inline'
  • Reason: RSS article content frequently includes inline <style> tags and style="" attributes for formatting

7. Re-enable Inline Scripts (script-src)

  • Before: script-src 'self'
  • After: script-src 'self' 'unsafe-inline'
  • Reason: Some RSS feeds may include inline scripts (though rare); maintains consistency with styles

Technical Details

The app renders RSS article content using dangerouslySetInnerHTML in ReadingView.tsx. Real-world RSS feeds contain inline styles that are essential for proper article formatting. Without 'unsafe-inline', articles appear unstyled and difficult to read.

Security Consideration

Content undergoes HTML sanitization before rendering, but inline styles can still be abused. This is a necessary trade-off for RSS reader functionality with diverse feed sources.

Validation

  • ✅ Container starts and passes health checks
  • ✅ nginx runs as non-root user with proper PID handling
  • ✅ Security headers properly inherited by all location blocks
  • ✅ Local FreshRSS instances (HTTP) work
  • ✅ Article images load from HTTP sources
  • ✅ Article content renders with proper styling
  • ✅ Security headers remain intact for all other resources

This enables the Docker deployment to work with nginxinc/nginx-unprivileged while supporting self-hosted RSS services.
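
An added nginx configuration, not the project's nginx.conf, that puts the four nginx-side points from the PR description (PID file, IPv4-only listener, location-level headers, the relaxed CSP) into one self-contained file for the nginxinc/nginx-unprivileged image. Port 8080, the document root, the `default-src` and `frame-ancestors` directives, the `$csp` variable and the extra hardening headers are assumptions for illustration; the individual CSP values are the ones listed above.

```nginx
# Added example (not the project's nginx.conf): a minimal configuration for
# nginxinc/nginx-unprivileged applying the PR's four nginx-side changes.
# Port 8080, root path, default-src/frame-ancestors, the $csp variable and the
# extra hardening headers are assumptions.

# 1. The unprivileged image runs the master process as a non-root user that
#    cannot write /run/nginx.pid, so the PID file goes somewhere writable.
pid /tmp/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include      /etc/nginx/mime.types;
    default_type application/octet-stream;
    server_tokens off;

    # The image's stock nginx.conf also relocates the temp paths to /tmp; keep
    # them when replacing the whole file so nginx still starts as non-root.
    client_body_temp_path /tmp/client_temp;
    proxy_temp_path       /tmp/proxy_temp;
    fastcgi_temp_path     /tmp/fastcgi_temp;
    uwsgi_temp_path       /tmp/uwsgi_temp;
    scgi_temp_path        /tmp/scgi_temp;

    server {
        # 2. IPv4 only. A health check against http://localhost:8080/ may
        #    resolve localhost to ::1 and be refused; probe
        #    http://127.0.0.1:8080/ instead, or add "listen [::]:8080;" too.
        listen 8080;
        server_name _;
        root  /usr/share/nginx/html;
        index index.html;

        # 3. add_header is inherited from the enclosing level only when the
        #    current level defines no add_header of its own, so a server-level
        #    header block is silently dropped by any location that adds even
        #    one header (e.g. Cache-Control). Keep the policy in a variable
        #    and emit the full header set in every location instead.
        set $csp "default-src 'self'; connect-src 'self' https: http:; img-src 'self' data: https: http:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'";

        location / {
            try_files $uri $uri/ /index.html;

            # 4. CSP as described above: http: allowed for connect-src and
            #    img-src so self-hosted feeds without TLS work, and
            #    'unsafe-inline' re-enabled for style-src and script-src
            #    (the trade-off the Security Consideration section covers).
            #    "always" attaches the headers to error responses as well.
            add_header Content-Security-Policy $csp always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-Frame-Options "DENY" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        }

        location /assets/ {
            # This location has its own add_header, so server-level headers
            # would never reach it; the security set is repeated on purpose.
            expires 1y;
            add_header Cache-Control "public, immutable" always;
            add_header Content-Security-Policy $csp always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-Frame-Options "DENY" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        }
    }
}
```

To confirm the inheritance point in a running container, request a path served by a location that sets its own headers, e.g. `curl -sI http://127.0.0.1:8080/assets/` (path assumed), and check that Content-Security-Policy is present alongside Cache-Control; if only Cache-Control comes back, a location-level add_header is shadowing the server-level set.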

@netlify

netlify Bot commented Apr 7, 2026

Deploy Preview for stream-rss ready!

Latest commit: 29cf9c0
Latest deploy log: https://app.netlify.com/projects/stream-rss/deploys/69d50ab1ca884200089b8d90
Deploy Preview: https://deploy-preview-27--stream-rss.netlify.app
