From 1f307abb700da3ca7ccdeab039eff3cab1383a51 Mon Sep 17 00:00:00 2001
From: Felipe Zipitria
Date: Sun, 29 Dec 2024 16:46:05 -0300
Subject: [PATCH] feat: add nginx modules as parameter

Signed-off-by: Felipe Zipitria
---
 docker-bake.hcl | 8 ++++++++
 nginx/Dockerfile | 18 +++++++++++-------
 nginx/Dockerfile-alpine | 17 ++++++++++-------
 3 files changed, 29 insertions(+), 14 deletions(-)

diff --git a/docker-bake.hcl b/docker-bake.hcl
index 9553a67..a5d636e 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -55,6 +55,14 @@ variable "REPOS" {
 ]
 }
 
+variable "nginx-dynamic-modules" {
+ # List of dynamic modules to include in the nginx build
+ default = [
+ "owasp-modsecurity/ModSecurity-nginx",
+ "openresty/headers-more-nginx-module"
+ ]
+}
+
 function "major" {
 params = [version]
 result = split(".", version)[0]
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index bed950a..ced432a 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -5,6 +5,7 @@ FROM nginxinc/nginx-unprivileged:${NGINX_VERSION} AS build
 ARG MODSEC3_VERSION="n/a"
 ARG LMDB_VERSION="n/a"
 ARG LUA_VERSION="n/a"
+ARG NGINX_DYNAMIC_MODULES="n/a"
 
 USER root
 
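Review bot: `nginx-dynamic-modules` is declared here but nothing in this patch hands it to a target, so nginx/Dockerfile keeps its `ARG NGINX_DYNAMIC_MODULES="n/a"` default and the new loop would try to clone `https://github.com/n/a.git`. The list also has to become the space-separated string the `for` loop iterates over, for example `NGINX_DYNAMIC_MODULES = join(" ", nginx-dynamic-modules)` in the relevant target `args` (the target blocks are outside this hunk). The comment on the variable could also state that every entry is cloned from GitHub and compiled into the image, so that changing the list is read as a trust decision rather than a feature toggle.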
@@ -56,15 +57,19 @@ RUN set -eux; \
 
 # Build modules
 RUN set -eux; \
- git clone -b master --depth 1 https://github.com/owasp-modsecurity/ModSecurity-nginx.git; \
- git clone -b master --depth 1 https://github.com/openresty/headers-more-nginx-module.git; \
+ for module in ${NGINX_DYNAMIC_MODULES}; \
+ do; \
+ repo=$(awk -F'/' '{print $2}' <<< $module); \
+ git clone -b master --depth 1 https://github.com/${module}.git; \
+ modules=+("--add-dynamic-module=../${repo}"); \
+ done; \
 curl -sSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx-${NGINX_VERSION}.tar.gz; \
 tar -xzf nginx-${NGINX_VERSION}.tar.gz; \
 cd ./nginx-${NGINX_VERSION}; \
- ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx --add-dynamic-module=../headers-more-nginx-module; \
+ ./configure --with-compat ${modules[@]} ;\
 make modules; \
- strip objs/ngx_http_modsecurity_module.so objs/ngx_http_headers_more_filter_module.so; \
- cp objs/ngx_http_modsecurity_module.so objs/ngx_http_headers_more_filter_module.so /etc/nginx/modules/; \
+ strip objs/*.so; \
+ cp objs/*.so /etc/nginx/modules/; \
 mkdir /etc/modsecurity.d; \
 curl -sSL https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/unicode.mapping \
 -o /etc/modsecurity.d/unicode.mapping
@@ -198,8 +203,7 @@ ENV \
 BLOCKING_PARANOIA=1
 
 COPY --from=build /usr/local/modsecurity/lib/libmodsecurity.so.${MODSEC3_VERSION} /usr/local/modsecurity/lib/
-COPY --from=build /etc/nginx/modules/ngx_http_modsecurity_module.so /etc/nginx/modules/ngx_http_modsecurity_module.so
-COPY --from=build /etc/nginx/modules/ngx_http_headers_more_filter_module.so /etc/nginx/modules/ngx_http_headers_more_filter_module.so
+COPY --from=build /etc/nginx/modules/*.so /etc/nginx/modules/
 COPY --from=build /usr/local/lib/liblmdb.so /usr/local/lib/
 COPY --from=build /usr/share/TLS/dhparam-* /etc/ssl/certs/
 COPY --from=build /etc/modsecurity.d/unicode.mapping /etc/modsecurity.d/unicode.mapping
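Review bot: The loop in the `# Build modules` step will not run as written: `do;` is a shell syntax error, `modules=+(...)` is not an append, and the here-string and array are bash features while `RUN` uses `/bin/sh` unless a `SHELL` instruction outside this hunk says otherwise. The same lines appear in the nginx/Dockerfile-alpine hunk. Because `NGINX_DYNAMIC_MODULES` is now a build argument that ends up in a clone URL, a path and the `./configure` command line of a build step running as root, each entry should be checked against an `owner/repo` shape and quoted. A POSIX sh version is below; `-b master` still follows a moving branch, so pinning each module to a tag or commit would be a worthwhile follow-up.

```dockerfile
# … unchanged: RUN set -eux; \ …
    modules=""; \
    for module in ${NGINX_DYNAMIC_MODULES}; do \
        case "${module}" in \
            */*/*|*..*|*[!A-Za-z0-9._/-]*) echo "invalid module name: ${module}" >&2; exit 1 ;; \
            ?*/?*) ;; \
            *) echo "module must be owner/repo: ${module}" >&2; exit 1 ;; \
        esac; \
        repo="${module##*/}"; \
        git clone -b master --depth 1 "https://github.com/${module}.git"; \
        modules="${modules} --add-dynamic-module=../${repo}"; \
    done; \
# … unchanged: download and unpack nginx, cd into the source tree …
    ./configure --with-compat ${modules}; \
# … unchanged: make modules, strip, cp …
```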
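Review bot: The wildcard `COPY --from=build /etc/nginx/modules/*.so /etc/nginx/modules/` drops a build-time guarantee: the two explicit COPY lines it replaces failed the build if `ngx_http_modsecurity_module.so` was missing, whereas the glob succeeds as long as any `.so` matches. If the module list is changed or a module fails to produce an object, the final image can come out without the WAF module and the problem only shows at runtime, if at all; any other `.so` present in that directory of the build stage is copied as well. An explicit check at the end of the build step, such as `test -f /etc/nginx/modules/ngx_http_modsecurity_module.so`, keeps the guarantee. The same applies to the matching COPY hunk in nginx/Dockerfile-alpine.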
diff --git a/nginx/Dockerfile-alpine b/nginx/Dockerfile-alpine
index 08a82af..2a2fc34 100644
--- a/nginx/Dockerfile-alpine
+++ b/nginx/Dockerfile-alpine
@@ -53,15 +53,19 @@ RUN set -eux; \
 
 # Build modules
 RUN set -eux; \
- git clone -b master --depth 1 https://github.com/owasp-modsecurity/ModSecurity-nginx.git; \
- git clone -b master --depth 1 https://github.com/openresty/headers-more-nginx-module.git; \
+ for module in ${NGINX_DYNAMIC_MODULES}; \
+ do; \
+ repo=$(awk -F'/' '{print $2}' <<< $module); \
+ git clone -b master --depth 1 https://github.com/${module}.git; \
+ modules=+("--add-dynamic-module=../${repo}"); \
+ done; \
 curl -sSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx-${NGINX_VERSION}.tar.gz; \
 tar -xzf nginx-${NGINX_VERSION}.tar.gz; \
 cd ./nginx-${NGINX_VERSION}; \
- ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx --add-dynamic-module=../headers-more-nginx-module; \
+ ./configure --with-compat ${modules[@]} ;\
 make modules; \
- strip objs/ngx_http_modsecurity_module.so objs/ngx_http_headers_more_filter_module.so; \
- cp objs/ngx_http_modsecurity_module.so objs/ngx_http_headers_more_filter_module.so /etc/nginx/modules/; \
+ strip objs/*.so; \
+ cp objs/*.so /etc/nginx/modules/; \
 mkdir /etc/modsecurity.d; \
 curl -sSL https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/unicode.mapping \
 -o /etc/modsecurity.d/unicode.mapping
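Review bot: nginx/Dockerfile-alpine receives the loop but, unlike nginx/Dockerfile, no `ARG NGINX_DYNAMIC_MODULES` is added for it in this patch, so the variable is unset in the build stage unless it is declared outside the visible hunks. Under `set -eux` the `for module in ${NGINX_DYNAMIC_MODULES}` line then aborts on the unset variable, and without `-u` the loop would run zero times and no module would be built. Declaring `ARG NGINX_DYNAMIC_MODULES` next to the other build-stage ARGs of this file closes the gap.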
@@ -194,8 +198,7 @@ ENV \
 BLOCKING_PARANOIA=1
 
 COPY --from=build /usr/local/modsecurity/lib/libmodsecurity.so.${MODSEC3_VERSION} /usr/local/modsecurity/lib/
-COPY --from=build /etc/nginx/modules/ngx_http_modsecurity_module.so /etc/nginx/modules/ngx_http_modsecurity_module.so
-COPY --from=build /etc/nginx/modules/ngx_http_headers_more_filter_module.so /etc/nginx/modules/ngx_http_headers_more_filter_module.so
+COPY --from=build /etc/nginx/modules/*.so /etc/nginx/modules/
 COPY --from=build /usr/share/TLS/dhparam-* /etc/ssl/certs/
 COPY --from=build /etc/modsecurity.d/unicode.mapping /etc/modsecurity.d/unicode.mapping
 COPY --from=crs_release /opt/owasp-crs /opt/owasp-crs