Merge pull request #314 from theseion/improve-rule-configuration
feat: improve rule configuration
theseion authored Dec 25, 2024
2 parents fab451b + 9f08de4 commit 1c688ca
Showing 13 changed files with 252 additions and 176 deletions.
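--- a/.github/workflows/configure-rules-for-test.sh
+++ b/.github/workflows/configure-rules-for-test.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+# The purpose of this script is to test that `configure-rules.sh` will run
+# successfully for all variables that we configure.
+
+set -e
+
+conf_file="${1}"
+env_file="${2}"
+
+if [ -f "${env_file}" ]; then
+rm "${env_file}"
+fi
+
+while read -r line; do
+if [ -z "${line}" ] || echo "${line}" | grep -Eq "^#"; then
+continue
+fi
+
+var_name="$(cut -d'|' -f2 <<< "${line}")"
+test_value="$(cut -d'|' -f5 <<< "${line}")"
+echo "Setting ${var_name}=${test_value}"
+echo "${var_name}=${test_value}" >> "${env_file}"
+done < "${conf_file}"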
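Review bot: The read loop at `while read -r line; do` silently drops the last row of the conf file if the file has no trailing newline, and the two positional parameters are taken unchecked, so a missing argument surfaces only as a confusing redirection error at the end of the loop; use `while IFS= read -r line || [ -n "${line}" ]; do` together with `conf_file="${1:?usage: $0 <conf_file> <env_file>}"` and `env_file="${2:?usage: $0 <conf_file> <env_file>}"`. The comment check `echo "${line}" | grep -Eq "^#"` spawns two processes per row for a fixed-prefix test that `case "${line}" in '#'*) continue ;; esac` does in the shell without forking. Because every variable, legacy and current, is written into the single env file at once, a run only shows that configure-rules.sh tolerates the combined set; the precedence between a legacy variable and its successor is never exercised, which is worth stating in the header comment so nobody reads this as a functional test.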
10 changes: 9 additions & 1 deletion .github/workflows/verifyimage.yml
Expand Up @@ -62,8 +62,16 @@ jobs:

- name: Run ${{ matrix.target }}
run: |
. .github/workflows/configure-rules-for-test.sh \
src/opt/modsecurity/configure-rules.conf \
"$(pwd)/${{ matrix.target }}.env"
echo "Starting container ${{ matrix.target }}"
docker run --pull "never" -d --name ${{ matrix.target }}-test "${REPO}:${{ matrix.target }}"
docker run \
--pull "never" \
-d \
--name ${{ matrix.target }}-test \
--env-file "${{ matrix.target }}.env" \
"${REPO}:${{ matrix.target }}"
sleep 30
docker logs ${{ matrix.target }}-test
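Review bot: The new step sources the helper with `. .github/workflows/configure-rules-for-test.sh \` instead of executing it, so the script's `set -e`, its positional parameters and its variables (`conf_file`, `env_file`, `line`, `var_name`, `test_value`) all land in the step shell, and any `exit` inside it would end the step rather than the script; `bash .github/workflows/configure-rules-for-test.sh \` keeps it self-contained. Passing arguments through `.` is also bash-specific behaviour, which holds for the default Linux runner shell but deserves a comment if sourcing is intentional. The env file is written as `"$(pwd)/${{ matrix.target }}.env"` and read back as the relative `"${{ matrix.target }}.env"`; using the same form in both places removes the dependency on the working directory not changing in between. The step's remaining lines continue outside the hunk.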
3 changes: 2 additions & 1 deletion apache/Dockerfile
Expand Up @@ -158,7 +158,7 @@ COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/
COPY src/bin/* /usr/local/bin/
COPY apache/conf/extra/*.conf /usr/local/apache2/conf/extra/
COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/
COPY src/opt/modsecurity/activate-*.sh /opt/modsecurity/
COPY src/opt/modsecurity/* /opt/modsecurity/
COPY apache/docker-entrypoint.sh /

RUN set -eux; \
Expand All @@ -167,6 +167,7 @@ RUN set -eux; \
apt-get install -qq -y --no-install-recommends --no-install-suggests \
ca-certificates \
curl \
ed \
gnupg \
iproute2 \
libcurl3-gnutls \
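Review bot: The `ed \` entry added to the apt list carries no comment explaining why the image now needs it, and the same bare addition appears in apache/Dockerfile-alpine, nginx/Dockerfile and nginx/Dockerfile-alpine; presumably it is used by the new configure-rules.sh, which is not visible on this page, so a maintainer pruning the package list has no way to tell. A comment line on its own line inside the continued RUN, `# ed is required by the configure-rules.sh entrypoint script`, documents the dependency in all four files. The first hunk widens `COPY src/opt/modsecurity/activate-*.sh` to `COPY src/opt/modsecurity/*`, which now also ships configure-rules.conf, whereas the nginx Dockerfiles list each file explicitly; the explicit form avoids shipping whatever else lands in that directory later. The RUN instruction begins and ends outside the hunk.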
3 changes: 2 additions & 1 deletion apache/Dockerfile-alpine
Expand Up @@ -166,7 +166,7 @@ COPY --from=build /usr/local/apache2/ModSecurity-${MODSEC2_VERSION}/unicode.mapp
COPY --from=crs_release /opt/owasp-crs /opt/owasp-crs
COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/
COPY src/bin/* /usr/local/bin/
COPY src/opt/modsecurity/activate-*.sh /opt/modsecurity/
COPY src/opt/modsecurity/* /opt/modsecurity/
COPY apache/conf/extra/*.conf /usr/local/apache2/conf/extra/
COPY apache/docker-entrypoint.sh /

Expand All @@ -176,6 +176,7 @@ RUN set -eux; \
apk add --no-cache \
ca-certificates \
curl \
ed \
gnupg \
iproute2 \
libfuzzy2 \
4 changes: 2 additions & 2 deletions apache/docker-entrypoint.sh
Expand Up @@ -3,7 +3,7 @@
/usr/local/bin/generate-certificate /usr/local/apache2
/usr/local/bin/check-low-port

. /opt/modsecurity/activate-plugins.sh
. /opt/modsecurity/activate-rules.sh
/opt/modsecurity/activate-plugins.sh
/opt/modsecurity/configure-rules.sh

exec "$@"
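Review bot: The entrypoint now executes `/opt/modsecurity/activate-plugins.sh` and `/opt/modsecurity/configure-rules.sh` as child processes instead of sourcing them with `.`, so both files must carry the executable bit in the repository, which `COPY` preserves; if activate-plugins.sh was only ever sourced before, its mode may never have been set and the container would then fail at start with a permission error, which is worth checking since file modes are not visible here. Running them separately also means the `-e` in activate-plugins.sh's `#!/bin/sh -e` shebang now applies to that script alone, and anything the scripts exported while sourced no longer reaches `exec "$@"`; whether configure-rules.sh relied on that cannot be judged from this page. A short comment above the two calls noting that they run in their own shells and must not be relied on to export variables would make the change deliberate. The first lines of the entrypoint are outside the hunk.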
8 changes: 0 additions & 8 deletions docker-bake.hcl
Expand Up @@ -47,14 +47,6 @@ variable "lua-modules-debian" {
]
}

variable "lua-modules-luarocks" {
default = [
"lua-resty-openidc",
"lua-zlib",
"luasocket"
]
}

variable "REPOS" {
# List of repositories to tag
default = [
5 changes: 3 additions & 2 deletions nginx/Dockerfile
Expand Up @@ -192,7 +192,6 @@ ENV \
SSL_VERIFY=off \
WORKER_CONNECTIONS=1024 \
# CRS specific variables
PARANOIA=1 \
ANOMALY_INBOUND=5 \
ANOMALY_OUTBOUND=4 \
BLOCKING_PARANOIA=1
Expand All @@ -208,7 +207,8 @@ COPY src/etc/modsecurity.d/modsecurity-override.conf /etc/nginx/templates/modsec
COPY src/etc/modsecurity.d/setup.conf /etc/nginx/templates/modsecurity.d/setup.conf.template
COPY nginx/docker-entrypoint.d/*.sh /docker-entrypoint.d/
COPY src/opt/modsecurity/activate-plugins.sh /docker-entrypoint.d/94-activate-plugins.sh
COPY src/opt/modsecurity/activate-rules.sh /docker-entrypoint.d/95-activate-rules.sh
COPY src/opt/modsecurity/configure-rules.sh /docker-entrypoint.d/95-configure-rules.sh
COPY src/opt/modsecurity/configure-rules.conf /docker-entrypoint.d/
# We use the templating mechanism from the nginx image here.
COPY nginx/templates /etc/nginx/templates/
COPY src/bin/* /usr/local/bin/
Expand All @@ -221,6 +221,7 @@ RUN set -eux; \
LD_LIBRARY_PATH="" apt-get install -y -qq --no-install-recommends --no-install-suggests \
ca-certificates \
curl \
ed \
libcurl4-gnutls-dev \
libfuzzy2 \
liblua${LUA_VERSION} \
4 changes: 3 additions & 1 deletion nginx/Dockerfile-alpine
Expand Up @@ -200,7 +200,8 @@ COPY src/etc/modsecurity.d/modsecurity-override.conf /etc/nginx/templates/modsec
COPY src/etc/modsecurity.d/setup.conf /etc/nginx/templates/modsecurity.d/setup.conf.template
COPY nginx/docker-entrypoint.d/*.sh /docker-entrypoint.d/
COPY src/opt/modsecurity/activate-plugins.sh /docker-entrypoint.d/94-activate-plugins.sh
COPY src/opt/modsecurity/activate-rules.sh /docker-entrypoint.d/95-activate-rules.sh
COPY src/opt/modsecurity/configure-rules.sh /docker-entrypoint.d/95-configure-rules.sh
COPY src/opt/modsecurity/configure-rules.conf /docker-entrypoint.d/
# We use the templating mechanism from the nginx image here.
COPY nginx/templates /etc/nginx/templates/
COPY src/bin/* /usr/local/bin/
Expand All @@ -211,6 +212,7 @@ RUN set -eux; \
apk add --no-cache \
curl \
curl-dev \
ed \
libfuzzy2 \
libmaxminddb-dev \
libstdc++ \
12 changes: 0 additions & 12 deletions renovate.json
Expand Up @@ -96,18 +96,6 @@
],
"depNameTemplate": "coreruleset/coreruleset",
"datasourceTemplate": "github-releases"
},
{
"description": "Docs: OpenResty",
"customType": "regex",
"fileMatch": [
"^README\\.md$"
],
"matchStrings": [
"OpenResty (?<currentValue>\\d+\\.\\d+\\.\\d+(\\.\\d+)?)"
],
"depNameTemplate": "openresty/openresty",
"datasourceTemplate": "docker"
}
]
}
3 changes: 3 additions & 0 deletions src/opt/modsecurity/activate-plugins.sh
@@ -1,5 +1,7 @@
#!/bin/sh -e

printf "# # #\nRunning CRS plugin activation\n- - -\n\n"

# Check if crs-setup.conf is overriden
if [ -n "${MANUAL_MODE}" ]; then
echo "Using manual config mode"
Expand All @@ -25,3 +27,4 @@ for suffix in "config" "before" "after"; do
fi
done

printf -- "- - -\nFinished CRS plugin activation\n# # #\n\n"
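Review bot: The opening banner `printf "# # #\nRunning CRS plugin activation\n- - -\n\n"` passes its format directly while the closing one correctly uses `printf -- "- - -\nFinished CRS plugin activation\n# # #\n\n"` because its format starts with a dash; the leading `#` is not an option so the first call works, but writing both as `printf -- ...` keeps the pair consistent and makes the guard obvious. The plugin loop between the two hunks is outside the view.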
148 changes: 0 additions & 148 deletions src/opt/modsecurity/activate-rules.sh

This file was deleted.

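--- a/src/opt/modsecurity/configure-rules.conf
+++ b/src/opt/modsecurity/configure-rules.conf
@@ -0,0 +1,29 @@
+# Format: <legacy (0|1)>|<env var>|<rule ID>|<tx var name>|<test value>
+# The octothorpe (#) designates a comment, comments are ignored
+# See `.github/workflows/configure-rules-for-test.sh` for how the test value is used.
+
+# Superceded by BLOCKING_PARANOIA
+true|PARANOIA|900000|blocking_paranoia_level|4
+true|PARANOIA|900001|detection_paranoia_level|4
+false|BLOCKING_PARANOIA|900000|blocking_paranoia_level|4
+# Superceded by DETECTION_PARANOIA
+true|EXECUTING_PARANOIA|900001|executing_paranoia_level|4
+false|DETECTION_PARANOIA|900001|detection_paranoia_level|4
+false|ENFORCE_BODYPROC_URLENCODED|900010|enforce_bodyproc_urlencoded|0
+false|INBOUND_ANOMALY|900110|inbound_anomaly_score_threshold|6
+false|OUTBOUND_ANOMALY|900110|outbound_anomaly_score_threshold|6
+false|ALLOWED_METHODS|900200|allowed_methods|GET OPTIONS
+false|ALLOWED_REQUEST_CONTENT_TYPE|900220|allowed_request_content_type|application/json
+false|ALLOWED_REQUEST_CONTENT_TYPE_CHARSET|900280|allowed_request_content_type_charset|utf-8
+false|ALLOWED_HTTP_VERSIONS|900230|allowed_http_versions|1.1
+false|RESTRICTED_EXTENSIONS|900240|restricted_extensions|.exe/
+false|RESTRICTED_HEADERS_BASIC|900250|restricted_headers_basic|/if/
+false|RESTRICTED_HEADERS_EXTENDED|900255|restricted_headers_extended|/x-some-header/
+false|MAX_NUM_ARGS|900300|max_num_args|100
+false|ARG_NAME_LENGTH|900310|arg_name_length|200
+false|ARG_LENGTH|900230|arg_length|300
+false|TOTAL_ARG_LENGTH|900330|total_arg_length|400
+false|MAX_FILE_SIZE|900340|max_file_size|500
+false|COMBINED_FILE_SIZES|900350|combined_file_sizes|600
+false|VALIDATE_UTF8_ENCODING|900950|crs_validate_utf8_encoding|0
+false|REPORTING_LEVEL|900115|reporting_level|5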
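Review bot: The row `false|ARG_LENGTH|900230|arg_length|300` reuses rule ID 900230, which the `ALLOWED_HTTP_VERSIONS` row above already maps to `allowed_http_versions`, and it breaks the otherwise contiguous 900300–900350 run of the surrounding argument-limit rows; the neighbouring IDs point to 900320, the rule that sets tx.arg_length in crs-setup.conf, to be confirmed against the CRS version shipped in the image. If configure-rules.sh locates the SecAction by rule ID, the ARG_LENGTH value would presumably be applied to the wrong rule or not at all, leaving the per-argument length limit at its default without any error, and the CI script only checks that the run succeeds, so it would not notice. The header `# Format: <legacy (0|1)>|<env var>|<rule ID>|<tx var name>|<test value>` disagrees with the data, whose first column is `true`/`false`; `# Format: <legacy (true|false)>|<env var>|<rule ID>|<tx var name>|<test value>` matches the rows. The two section comments spell it "Superceded" rather than "Superseded", and the two `PARANOIA` rows cause the CI script to write the same `PARANOIA=4` line into the env file twice.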
