Merge pull request #247 from coreruleset/develop

release: fix broken variables in nginx

README.md

@@ -44,12 +44,12 @@ Examples:
 
 ## OS Variants
 
-* nginx – *latest stable ModSecurity v3 on Nginx 1.25.3 official stable base image, and latest stable OWASP CRS 4.1.0*
+* nginx – *latest stable ModSecurity v3 on Nginx 1.26.0 official stable base image, and latest stable OWASP CRS 4.2.0*
    * [nginx](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)
    * [nginx-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine)
-* Openresty - *last stable ModSecurity v3 on Nginx 1.25.3 official stable base image, and latest stable OWASP CRS 4.1.0*
+* Openresty - *last stable ModSecurity v3 on OpenResty 1.25.3.1 official stable base image, and latest stable OWASP CRS 4.2.0*
    * [openresty-alpine-fat](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/openresty/Dockerfile-alpine)
-* Apache httpd – *last stable ModSecurity v2 on Apache 2.4.59 official stable base image, and latest stable OWASP CRS 4.1.0*
+* Apache httpd – *last stable ModSecurity v2 on Apache 2.4.59 official stable base image, and latest stable OWASP CRS 4.2.0*
    * [apache](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)
    * [apache-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine)
 
@@ -244,7 +244,7 @@ All these variables impact in configuration directives in the modsecurity engine
 | MODSEC_AUDIT_LOG_RELEVANT_STATUS | A regular expression string that defines the http error codes that are relevant for audit logging (Default: `"^(?:5|4(?!04))"`). See [SecAuditLogRelevantStatus](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secauditlogrelevantstatus) |
 | MODSEC_AUDIT_LOG_TYPE  | A string indicating the type of audit logging mechanism to be used (Default: `Serial`). Accepted values: `Serial`, `Concurrent` (`HTTPS` works only on Nginx - v3). See [SecAuditLogType](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secauditlogtype) for additional information. |
 | MODSEC_COOKIE_FORMAT | The cookie format used (Default: `0` use Netscape cookies) :warning: Do not touch unless you really know what you are doing. See [SecCookieFormat](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#seccookieformat). |
-| MODSEC_AUDIT_STORAGE  | A string indicating the directory where concurrent audit log entries are to be stored (Default: `/var/log/modsecurity/audit/`) |
+| MODSEC_AUDIT_STORAGE_DIR  | A string indicating the directory where concurrent audit log entries are to be stored (Default: `/var/log/modsecurity/audit/`) |
 | MODSEC_DATA_DIR  | A string indicating the path where persistent data (e.g., IP address data, session data, and so on) is to be stored (Default: `/tmp/modsecurity/data`) |
 | MODSEC_DEBUG_LOG  | A string indicating the path to the ModSecurity debug log file (Default: `/dev/null`) |
 | MODSEC_DEBUG_LOGLEVEL  | An integer indicating the verboseness of the debug log data (Default: `0`). Accepted values: `0` - `9`. See [SecDebugLogLevel](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secdebugloglevel). |
@@ -271,7 +271,7 @@ All these variables impact in configuration directives in the modsecurity engine
 | MODSEC_UNICODE_MAPPING | The unicode Code Point to use form the default file(Default: `20127`). See [SecUnicodeMapFile](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secunicodemapfile) |
 | MODSEC_UPLOAD_DIR  | A string indicating the path where intercepted files will be stored (Default: `/tmp/modsecurity/upload`) |
 | MODSEC_UPLOAD_FILE_MODE | (Default: `0600`) |
-| MODSEC_UPLOAD_KEEP_FILES | Configures whether or not the intercepted files will be kept after transaction is processed.  (Default: `RelevantOnly`) Accepted values: `On`, `Off`, `RelevantOnly`. See [SecUploadKeepFiles](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secuploadkeepfiles)
+| MODSEC_UPLOAD_KEEP_FILES | Configures whether or not the intercepted files will be kept after transaction is processed.  (Default: `RelevantOnly` on Apache, `Off` on nginx) Accepted values: `On`, `Off`, `RelevantOnly` (only modsec2). See [SecUploadKeepFiles](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secuploadkeepfiles) and [libmodsecurity3](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v3.x%29#secuploadkeepfiles)
 
 ### CRS specific
 

apache/Dockerfile

@@ -87,7 +87,7 @@ ENV \
     MODSEC_AUDIT_LOG_RELEVANT_STATUS="^(?:5|4(?!04))" \
     MODSEC_AUDIT_LOG_TYPE=Serial \
     MODSEC_COOKIE_FORMAT=0 \
-    MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \
+    MODSEC_AUDIT_STORAGE_DIR=/var/log/modsecurity/audit/ \
     MODSEC_DATA_DIR=/tmp/modsecurity/data \
     MODSEC_DEBUG_LOG=/dev/null \
     MODSEC_DEBUG_LOGLEVEL=0 \

apache/Dockerfile-alpine

@@ -97,7 +97,7 @@ ENV \
     MODSEC_AUDIT_LOG_RELEVANT_STATUS="^(?:5|4(?!04))" \
     MODSEC_AUDIT_LOG_TYPE=Serial \
     MODSEC_COOKIE_FORMAT=0 \
-    MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \
+    MODSEC_AUDIT_STORAGE_DIR=/var/log/modsecurity/audit/ \
     MODSEC_DATA_DIR=/tmp/modsecurity/data \
     MODSEC_DEBUG_LOG=/dev/null \
     MODSEC_DEBUG_LOGLEVEL=0 \

docker-bake.hcl

@@ -11,12 +11,12 @@ variable "modsec2-version" {
 
 variable "crs-version" {
     # renovate: depName=coreruleset/coreruleset datasource=github-releases
-    default = "4.1.0"
+    default = "4.2.0"
 }
 
 variable "nginx-version" {
     # renovate: depName=nginxinc/nginx-unprivileged datasource=docker
-    default = "1.25.3"
+    default = "1.26.0"
 }
 
 variable "httpd-version" {
@@ -179,7 +179,7 @@ target "openresty-alpine-fat" {
     dockerfile="openresty/Dockerfile-alpine"
     args = {
         OPENRESTY_VERSION = "${openresty-version}"
-        NGINX_VERSION = "${nginx-version}"
+        NGINX_VERSION = patch(openresty-version)
         LUA_MODULES = join(" ", lua-modules-luarocks)
     }
     tags = concat(tag("openresty-alpine-fat"),

nginx/Dockerfile

@@ -131,12 +131,13 @@ ENV \
     MODSEC_AUDIT_LOG_RELEVANT_STATUS="^(?:5|4(?!04))" \
     MODSEC_AUDIT_LOG_TYPE=Serial \
     MODSEC_COOKIE_FORMAT=0 \
-    MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \
+    MODSEC_AUDIT_STORAGE_DIR=/var/log/modsecurity/audit/ \
     MODSEC_DATA_DIR=/tmp/modsecurity/data \
     MODSEC_DEBUG_LOG=/dev/null \
     MODSEC_DEBUG_LOGLEVEL=0 \
     MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \
     MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \
+    MODSEC_DISABLE_BACKEND_COMPRESSION="Off" \
     MODSEC_PCRE_MATCH_LIMIT=100000 \
     MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 \
     MODSEC_REQ_BODY_ACCESS=on \
@@ -156,7 +157,7 @@ ENV \
     MODSEC_UNICODE_MAPPING=20127 \
     MODSEC_UPLOAD_DIR=/tmp/modsecurity/upload \
     MODSEC_UPLOAD_FILE_MODE=0600 \
-    MODSEC_UPLOAD_KEEP_FILES=RelevantOnly \
+    MODSEC_UPLOAD_KEEP_FILES=Off \
     NGINX_ALWAYS_TLS_REDIRECT=off \
     NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx \
     PORT=8080 \

nginx/Dockerfile-alpine

@@ -125,12 +125,13 @@ ENV \
     MODSEC_AUDIT_LOG_RELEVANT_STATUS="^(?:5|4(?!04))" \
     MODSEC_AUDIT_LOG_TYPE=Serial \
     MODSEC_COOKIE_FORMAT=0 \
-    MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \
+    MODSEC_AUDIT_STORAGE_DIR=/var/log/modsecurity/audit/ \
     MODSEC_DATA_DIR=/tmp/modsecurity/data \
     MODSEC_DEBUG_LOG=/dev/null \
     MODSEC_DEBUG_LOGLEVEL=0 \
     MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \
     MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \
+    MODSEC_DISABLE_BACKEND_COMPRESSION="Off" \
     MODSEC_PCRE_MATCH_LIMIT=100000 \
     MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 \
     MODSEC_REQ_BODY_ACCESS=on \
@@ -150,7 +151,7 @@ ENV \
     MODSEC_UNICODE_MAPPING=20127 \
     MODSEC_UPLOAD_DIR=/tmp/modsecurity/upload \
     MODSEC_UPLOAD_FILE_MODE=0600 \
-    MODSEC_UPLOAD_KEEP_FILES=RelevantOnly \
+    MODSEC_UPLOAD_KEEP_FILES=Off \
     NGINX_ALWAYS_TLS_REDIRECT=off \
     NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx \
     PORT=8080 \

openresty/Dockerfile-alpine

@@ -63,7 +63,7 @@ RUN set -eux; \
 RUN set -eux; \
     git clone -b master --depth 1 https://github.com/owasp-modsecurity/ModSecurity-nginx.git; \
     curl -sSL https://openresty.org/download/openresty-"${OPENRESTY_VERSION}".tar.gz | tar -xzf -; \
-    cd ./openresty-"${OPENRESTY_VERSION}"/bundle/nginx-${NGINX_VERSION}; \
+    cd "./openresty-${OPENRESTY_VERSION}/bundle/nginx-${NGINX_VERSION}"; \
     export LUAJIT_LIB="/usr/local/openresty/luajit/lib"; \
     export LUAJIT_INC="/usr/local/openresty/luajit/include/luajit-2.1"; \
     COMPILEOPTIONS=$(openresty -V 2>&1| grep -i "arguments"|cut -d ":" -f2-); \
@@ -135,12 +135,13 @@ ENV \
     MODSEC_AUDIT_LOG_RELEVANT_STATUS="^(?:5|4(?!04))" \
     MODSEC_AUDIT_LOG_TYPE=Serial \
     MODSEC_COOKIE_FORMAT=0 \
-    MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \
+    MODSEC_AUDIT_STORAGE_DIR=/var/log/modsecurity/audit/ \
     MODSEC_DATA_DIR=/tmp/modsecurity/data \
     MODSEC_DEBUG_LOG=/dev/null \
     MODSEC_DEBUG_LOGLEVEL=0 \
     MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \
     MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \
+    MODSEC_DISABLE_BACKEND_COMPRESSION="Off" \
     MODSEC_PCRE_MATCH_LIMIT=100000 \
     MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 \
     MODSEC_REQ_BODY_ACCESS=on \
@@ -160,7 +161,7 @@ ENV \
     MODSEC_UNICODE_MAPPING=20127 \
     MODSEC_UPLOAD_DIR=/tmp/modsecurity/upload \
     MODSEC_UPLOAD_FILE_MODE=0600 \
-    MODSEC_UPLOAD_KEEP_FILES=RelevantOnly \
+    MODSEC_UPLOAD_KEEP_FILES=Off \
     NGINX_ALWAYS_TLS_REDIRECT=off \
     NGINX_ENVSUBST_OUTPUT_DIR=/usr/local/openresty/nginx/conf \
     PORT=80 \

renovate.json

@@ -94,6 +94,18 @@
       ],
       "depNameTemplate": "coreruleset/coreruleset",
       "datasourceTemplate": "github-releases"
+    },
+    {
+      "description": "Docs: OpenResty",
+      "customType": "regex",
+      "fileMatch": [
+        "^README\\.md$"
+      ],
+      "matchStrings": [
+        "OpenResty (?<currentValue>\\d+\\.\\d+\\.\\d+(\\.\\d+)?)"
+      ],
+      "depNameTemplate": "openresty/openresty",
+      "datasourceTemplate": "docker"
     }
   ]
 }