chore: update dependencies

- make Lua version an ARG
- update httpd to 2.4.58
- update nginx to 1.25.3

README-containers.md

@@ -17,17 +17,17 @@ The Core Rule Set (CRS) is a set of generic attack detection rules for use with
 
 ## Supported tags and respective `Dockerfile` links
 
-* `3-nginx-YYYYMMDDHHMM`, `3.3-nginx-YYYYMMDDHHMM`, `3.3.5-nginx-YYYYMMDDHHMM`, `nginx` ([master/nginx/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)) – *last stable ModSecurity v3 on Nginx 1.24 official stable base image, and latest stable Core Rule Set 3.3.5*
-* `3-apache-YYYYMMDDHHMM`, `3.3-apache-YYYYMMDDHHMM`, `3.3.5-apache-YYYYMMDDHHMM`, `apache` ([master/apache/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)) –*last stable ModSecurity v2 on Apache 2.4.56 official stable base image, and latest stable Core Rule Set 3.3.5*
+* `3-nginx-YYYYMMDDHHMM`, `3.3-nginx-YYYYMMDDHHMM`, `3.3.5-nginx-YYYYMMDDHHMM`, `nginx` ([master/nginx/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)) – *last stable ModSecurity v3 on Nginx 1.25.3 official stable base image, and latest stable Core Rule Set 3.3.5*
+* `3-apache-YYYYMMDDHHMM`, `3.3-apache-YYYYMMDDHHMM`, `3.3.5-apache-YYYYMMDDHHMM`, `apache` ([master/apache/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)) –*last stable ModSecurity v2 on Apache 2.4.58 official stable base image, and latest stable Core Rule Set 3.3.5*
 
 🆕 We added healthchecks to the images. Containers already return HTTP status code 200 when accessing the `/healthz` URI. When a container has a healthcheck specified, it has a _health status_ in addition to its normal status. This status is initially `starting`. Whenever a health check passes, it becomes `healthy` (whatever state it was previously in). After a certain number of consecutive failures, it becomes `unhealthy`. See <https://docs.docker.com/engine/reference/builder/#healthcheck> for more information.
 
 ## Supported variants
 
 We also build [alpine linux](https://www.alpinelinux.org/) variants of the base images, using the `-alpine` suffix. Examples:
 
-* `3-nginx-alpine-YYYYMMDDHHMM`, `3.3-nginx-alpine-YYYYMMDDHHMM`, `3.3.5-nginx-alpine-YYYYMMDDHHMM`, `nginx-alpine` ([master/nginx/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine) – *last stable ModSecurity v3 on Nginx 1.24 official alpine stable base image, and latest stable Core Rule Set 3.3.5*
-* `3-apache-alpine-YYYYMMDDHHMM`, `3.3-apache-alpine-YYYYMMDDHHMM`, `3.3.5-apache-alpine-YYYYMMDDHHMM`, `apache-alpine` ([master/apache/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine)) – *last stable ModSecurity v2 on Apache 2.4.56 official alpine stable base image, and latest stable Core Rule Set 3.3.5*
+* `3-nginx-alpine-YYYYMMDDHHMM`, `3.3-nginx-alpine-YYYYMMDDHHMM`, `3.3.5-nginx-alpine-YYYYMMDDHHMM`, `nginx-alpine` ([master/nginx/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine) – *last stable ModSecurity v3 on Nginx 1.25.3 official alpine stable base image, and latest stable Core Rule Set 3.3.5*
+* `3-apache-alpine-YYYYMMDDHHMM`, `3.3-apache-alpine-YYYYMMDDHHMM`, `3.3.5-apache-alpine-YYYYMMDDHHMM`, `apache-alpine` ([master/apache/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine)) – *last stable ModSecurity v2 on Apache 2.4.58 official alpine stable base image, and latest stable Core Rule Set 3.3.5*
 
 ## Production usage
 

README.md

@@ -14,8 +14,8 @@ ModSecurity is an open source, cross platform web application firewall (WAF) eng
 
 ## Supported tags and respective `Dockerfile` links
 
-* `3-nginx-YYYYMMDDHHMM`, `3.3-nginx-YYYYMMDDHHMM`, `3.3.5-nginx-YYYYMMDDHHMM`, `nginx` ([master/nginx/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)) – *last stable ModSecurity v3 on Nginx 1.24 official stable base image, and latest stable Core Rule Set 3.3.5*
-* `3-apache-YYYYMMDDHHMM`, `3.3-apache-YYYYMMDDHHMM`, `3.3.5-apache-YYYYMMDDHHMM`, `apache` ([master/apache/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)) –*last stable ModSecurity v2 on Apache 2.4.56 official stable base image, and latest stable Core Rule Set 3.3.5*
+* `3-nginx-YYYYMMDDHHMM`, `3.3-nginx-YYYYMMDDHHMM`, `3.3.5-nginx-YYYYMMDDHHMM`, `nginx` ([master/nginx/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)) – *last stable ModSecurity v3 on Nginx 1.25.3 official stable base image, and latest stable Core Rule Set 3.3.5*
+* `3-apache-YYYYMMDDHHMM`, `3.3-apache-YYYYMMDDHHMM`, `3.3.5-apache-YYYYMMDDHHMM`, `apache` ([master/apache/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)) –*last stable ModSecurity v2 on Apache 2.4.58 official stable base image, and latest stable Core Rule Set 3.3.5*
 
 ⚠️ We changed tags to [support production usage](https://github.com/coreruleset/modsecurity-crs-docker/issues/67). Now, if you want to use the "rolling version", use the tag `owasp/modsecurity-crs:nginx` or `owasp/modsecurity-crs:apache`. If you need a stable long term image, use the one with the full CRS version, in addition to the build date in `YYYYMMDDHHMM` format, example `owasp/modsecurity-crs:3.3.5-nginx-202209141209` or `owasp/modsecurity-crs:3.3.5-apache-202209141209` for example. You have been warned.
 
@@ -25,8 +25,8 @@ ModSecurity is an open source, cross platform web application firewall (WAF) eng
 
 We also build [alpine linux](https://www.alpinelinux.org/) variants of the base images, using the `-alpine` suffix. Examples:
 
-* `3-nginx-alpine-YYYYMMDDHHMM`, `3.3-nginx-alpine-YYYYMMDDHHMM`, `3.3.5-nginx-alpine-YYYYMMDDHHMM`, `nginx-alpine` ([master/nginx/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine) – *last stable ModSecurity v3 on Nginx 1.24 official alpine stable base image, and latest stable Core Rule Set 3.3.5*
-* `3-apache-alpine-YYYYMMDDHHMM`, `3.3-apache-alpine-YYYYMMDDHHMM`, `3.3.5-apache-alpine-YYYYMMDDHHMM`, `apache-alpine` ([master/apache/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine)) – *last stable ModSecurity v2 on Apache 2.4.56 official alpine stable base image, and latest stable Core Rule Set 3.3.5*
+* `3-nginx-alpine-YYYYMMDDHHMM`, `3.3-nginx-alpine-YYYYMMDDHHMM`, `3.3.5-nginx-alpine-YYYYMMDDHHMM`, `nginx-alpine` ([master/nginx/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine) – *last stable ModSecurity v3 on Nginx 1.25.3 official alpine stable base image, and latest stable Core Rule Set 3.3.5*
+* `3-apache-alpine-YYYYMMDDHHMM`, `3.3-apache-alpine-YYYYMMDDHHMM`, `3.3.5-apache-alpine-YYYYMMDDHHMM`, `apache-alpine` ([master/apache/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine)) – *last stable ModSecurity v2 on Apache 2.4.58 official alpine stable base image, and latest stable Core Rule Set 3.3.5*
 
 ⚠️ We changed tags to [support production usage](https://github.com/coreruleset/modsecurity-crs-docker/issues/67). Now, if you want to use the "rolling version", use the tag `owasp/modsecurity-crs:nginx-alpine` or `owasp/modsecurity-crs:apache-alpine`. If you need a stable long term image, use the one with the full CRS version, in addition to the build date in `YYYYMMDDHHMM` format, example `owasp/modsecurity-crs:3.3.5-nginx-alpine-202209141209` or `owasp/modsecurity-crs:3.3.5-apache-alpine-202209141209` for example. You have been warned.
 

apache/Dockerfile

@@ -1,8 +1,9 @@
-ARG APACHE_VERSION=2.4.57
+ARG APACHE_VERSION=2.4.58
 
 FROM httpd:${APACHE_VERSION} as build
 
-ARG MODSEC_VERSION=2.9.7
+ARG MODSEC_VERSION=2.9.7 \
+    LUA_VERSION=5.3
 
 RUN set -eux; \
     echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections; \
@@ -20,7 +21,7 @@ RUN set -eux; \
         libtool \
         libxml2-dev \
         libyajl-dev \
-        lua5.3-dev \
+        lua${LUA_VERSION}-dev \
         make \
         pkgconf \
         wget
@@ -57,7 +58,8 @@ RUN set -eux; \
 
 FROM httpd:${APACHE_VERSION}
 
-ARG MODSEC_VERSION=2.9.7
+ARG MODSEC_VERSION=2.9.7 \
+    LUA_VERSION=5.3
 
 LABEL maintainer="Felipe Zipitria <[email protected]>"
 
@@ -161,7 +163,7 @@ RUN set -eux; \
         iproute2 \
         libcurl3-gnutls \
         libfuzzy2 \
-        liblua5.3 \
+        liblua${LUA_VERSION} \
         libxml2 \
         libyajl2; \
     update-ca-certificates -f; \

apache/Dockerfile-alpine

@@ -1,8 +1,9 @@
-ARG APACHE_VERSION=2.4.57
+ARG APACHE_VERSION=2.4.58
 
 FROM httpd:${APACHE_VERSION}-alpine as build
 
-ARG MODSEC_VERSION=2.9.7
+ARG MODSEC_VERSION=2.9.7 \
+    LUA_VERSION=5.3
 
 # see https://httpd.apache.org/docs/2.4/install.html#requirements
 RUN set -eux; \
@@ -27,7 +28,7 @@ RUN set -eux; \
     libtool \
     lmdb-dev \
     libxml2-dev \
-    lua5.3-dev \
+    lua${LUA_VERSION}-dev \
     yajl-dev \
     make \
     openssl \
@@ -67,7 +68,8 @@ RUN set -eux; \
 
 FROM httpd:${APACHE_VERSION}-alpine
 
-ARG MODSEC_VERSION=2.9.7
+ARG MODSEC_VERSION=2.9.7 \
+    LUA_VERSION=5.3
 
 LABEL maintainer="Felipe Zipitria <[email protected]>"
 
@@ -169,7 +171,7 @@ RUN set -eux; \
         iproute2 \
         libfuzzy2 \
         libxml2 \
-        lua5.3 \
+        lua${LUA_VERSION} \
         moreutils \
         openssl \
         sed \

nginx/Dockerfile

@@ -1,9 +1,10 @@
-ARG NGINX_VERSION="1.24.0"
+ARG NGINX_VERSION="1.25.3"
 
 FROM nginx:${NGINX_VERSION} as build
 
 ARG MODSEC_VERSION=3.0.11 \
-    LMDB_VERSION=0.9.29
+    LMDB_VERSION=0.9.29 \
+    LUA_VERSION=5.3
 
 # Note: libpcre3-dev (PCRE 1) is required by the build description,
 # even though the build will use PCRE2.
@@ -19,7 +20,7 @@ RUN set -eux; \
         libcurl4-gnutls-dev \
         libfuzzy-dev \
         libgeoip-dev \
-        liblua5.3-dev \
+        liblua${LUA_VERSION}-dev \
         libpcre3-dev \
         libpcre2-dev \
         libtool \
@@ -96,7 +97,8 @@ RUN set -eux; \
 FROM nginx:${NGINX_VERSION}
 
 ARG MODSEC_VERSION=3.0.11 \
-    LMDB_VERSION=0.9.29
+    LMDB_VERSION=0.9.29 \
+    LUA_VERSION=5.3
 
 LABEL maintainer="Felipe Zipitria <[email protected]>"
 
@@ -190,7 +192,7 @@ RUN set -eux; \
         curl \
         libcurl4-gnutls-dev \
         libfuzzy2 \
-        liblua5.3 \
+        liblua${LUA_VERSION} \
         libxml2 \
         libyajl2 \
         moreutils; \

nginx/Dockerfile-alpine

@@ -1,8 +1,9 @@
-ARG NGINX_VERSION="1.24.0"
+ARG NGINX_VERSION="1.25.3"
 
 FROM nginx:${NGINX_VERSION}-alpine as build
 
-ARG MODSEC_VERSION=3.0.11
+ARG MODSEC_VERSION=3.0.11 \
+    LUA_VERSION=5.3
 
 # Note: pcre-dev (PCRE 1) is required by the build description,
 # even though the build will use PCRE2.
@@ -25,7 +26,7 @@ RUN set -eux; \
         libxml2-dev \
         linux-headers \
         lmdb-dev \
-        lua5.3-dev \
+        lua${LUA_VERSION}-dev \
         make \
         openssl \
         openssl-dev \
@@ -91,7 +92,8 @@ RUN set -eux; \
 
 FROM nginx:${NGINX_VERSION}-alpine
 
-ARG MODSEC_VERSION=3.0.11
+ARG MODSEC_VERSION=3.0.11 \
+    LUA_VERSION=5.3
 
 LABEL maintainer="Felipe Zipitria <[email protected]>"
 
@@ -186,7 +188,7 @@ RUN set -eux; \
         libstdc++ \
         libxml2-dev \
         lmdb-dev \
-        lua5.3 \
+        lua${LUA_VERSION} \
         moreutils \
         openssl \
         tzdata \