diff --git a/README.md b/README.md index 28b8b4b..faf9e3f 100644 --- a/README.md +++ b/README.md @@ -44,12 +44,12 @@ Examples: ## OS Variants -* nginx – *latest stable ModSecurity v3 on Nginx 1.25.3 official stable base image, and latest stable OWASP CRS 4.1.0* +* nginx – *latest stable ModSecurity v3 on Nginx 1.26.0 official stable base image, and latest stable OWASP CRS 4.2.0* * [nginx](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile) * [nginx-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine) -* Openresty - *last stable ModSecurity v3 on Nginx 1.25.3 official stable base image, and latest stable OWASP CRS 4.1.0* +* Openresty - *last stable ModSecurity v3 on OpenResty 1.25.3.1 official stable base image, and latest stable OWASP CRS 4.2.0* * [openresty-alpine-fat](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/openresty/Dockerfile-alpine) -* Apache httpd – *last stable ModSecurity v2 on Apache 2.4.59 official stable base image, and latest stable OWASP CRS 4.1.0* +* Apache httpd – *last stable ModSecurity v2 on Apache 2.4.59 official stable base image, and latest stable OWASP CRS 4.2.0* * [apache](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile) * [apache-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine) 
@@ -244,7 +244,7 @@ All these variables impact in configuration directives in the modsecurity engine | MODSEC_AUDIT_LOG_RELEVANT_STATUS | A regular expression string that defines the http error codes that are relevant for audit logging (Default: `"^(?:5|4(?!04))"`). See [SecAuditLogRelevantStatus](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secauditlogrelevantstatus) | | MODSEC_AUDIT_LOG_TYPE | A string indicating the type of audit logging mechanism to be used (Default: `Serial`). Accepted values: `Serial`, `Concurrent` (`HTTPS` works only on Nginx - v3). See [SecAuditLogType](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secauditlogtype) for additional information. | | MODSEC_COOKIE_FORMAT | The cookie format used (Default: `0` use Netscape cookies) :warning: Do not touch unless you really know what you are doing. See [SecCookieFormat](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#seccookieformat). | -| MODSEC_AUDIT_STORAGE | A string indicating the directory where concurrent audit log entries are to be stored (Default: `/var/log/modsecurity/audit/`) | +| MODSEC_AUDIT_STORAGE_DIR | A string indicating the directory where concurrent audit log entries are to be stored (Default: `/var/log/modsecurity/audit/`) | | MODSEC_DATA_DIR | A string indicating the path where persistent data (e.g., IP address data, session data, and so on) is to be stored (Default: `/tmp/modsecurity/data`) | | MODSEC_DEBUG_LOG | A string indicating the path to the ModSecurity debug log file (Default: `/dev/null`) | | MODSEC_DEBUG_LOGLEVEL | An integer indicating the verboseness of the debug log data (Default: `0`). Accepted values: `0` - `9`. See [SecDebugLogLevel](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secdebugloglevel). | 
@@ -271,7 +271,7 @@ All these variables impact in configuration directives in the modsecurity engine | MODSEC_UNICODE_MAPPING | The unicode Code Point to use form the default file(Default: `20127`). See [SecUnicodeMapFile](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secunicodemapfile) | | MODSEC_UPLOAD_DIR | A string indicating the path where intercepted files will be stored (Default: `/tmp/modsecurity/upload`) | | MODSEC_UPLOAD_FILE_MODE | (Default: `0600`) | -| MODSEC_UPLOAD_KEEP_FILES | Configures whether or not the intercepted files will be kept after transaction is processed. (Default: `RelevantOnly`) Accepted values: `On`, `Off`, `RelevantOnly`. See [SecUploadKeepFiles](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secuploadkeepfiles) +| MODSEC_UPLOAD_KEEP_FILES | Configures whether or not the intercepted files will be kept after transaction is processed. (Default: `RelevantOnly` on Apache, `Off` on nginx) Accepted values: `On`, `Off`, `RelevantOnly` (only modsec2). See [SecUploadKeepFiles](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secuploadkeepfiles) and [libmodsecurity3](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v3.x%29#secuploadkeepfiles) ### CRS specific diff --git a/apache/Dockerfile b/apache/Dockerfile index ef0d39f..91a6f4a 100644 --- a/apache/Dockerfile +++ b/apache/Dockerfile @@ -87,7 +87,7 @@ ENV \ MODSEC_AUDIT_LOG_RELEVANT_STATUS="^(?:5|4(?!04))" \ MODSEC_AUDIT_LOG_TYPE=Serial \ MODSEC_COOKIE_FORMAT=0 \ - MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \ + MODSEC_AUDIT_STORAGE_DIR=/var/log/modsecurity/audit/ \ MODSEC_DATA_DIR=/tmp/modsecurity/data \ MODSEC_DEBUG_LOG=/dev/null \ MODSEC_DEBUG_LOGLEVEL=0 \ diff --git a/apache/Dockerfile-alpine b/apache/Dockerfile-alpine index 469c039..ce031a5 100644 --- a/apache/Dockerfile-alpine +++ b/apache/Dockerfile-alpine 
@@ -97,7 +97,7 @@ ENV \ MODSEC_AUDIT_LOG_RELEVANT_STATUS="^(?:5|4(?!04))" \ MODSEC_AUDIT_LOG_TYPE=Serial \ MODSEC_COOKIE_FORMAT=0 \ - MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \ + MODSEC_AUDIT_STORAGE_DIR=/var/log/modsecurity/audit/ \ MODSEC_DATA_DIR=/tmp/modsecurity/data \ MODSEC_DEBUG_LOG=/dev/null \ MODSEC_DEBUG_LOGLEVEL=0 \ diff --git a/docker-bake.hcl b/docker-bake.hcl index 7d04c20..7bd0a9a 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -11,12 +11,12 @@ variable "modsec2-version" { variable "crs-version" { # renovate: depName=coreruleset/coreruleset datasource=github-releases - default = "4.1.0" + default = "4.2.0" } variable "nginx-version" { # renovate: depName=nginxinc/nginx-unprivileged datasource=docker - default = "1.25.3" + default = "1.26.0" } variable "httpd-version" { @@ -179,7 +179,7 @@ target "openresty-alpine-fat" { dockerfile="openresty/Dockerfile-alpine" args = { OPENRESTY_VERSION = "${openresty-version}" - NGINX_VERSION = "${nginx-version}" + NGINX_VERSION = patch(openresty-version) LUA_MODULES = join(" ", lua-modules-luarocks) } tags = concat(tag("openresty-alpine-fat"), diff --git a/nginx/Dockerfile b/nginx/Dockerfile index cc80131..8d6e9e5 100644 --- a/nginx/Dockerfile +++ b/nginx/Dockerfile @@ -131,12 +131,13 @@ ENV \ MODSEC_AUDIT_LOG_RELEVANT_STATUS="^(?:5|4(?!04))" \ MODSEC_AUDIT_LOG_TYPE=Serial \ MODSEC_COOKIE_FORMAT=0 \ - MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \ + MODSEC_AUDIT_STORAGE_DIR=/var/log/modsecurity/audit/ \ MODSEC_DATA_DIR=/tmp/modsecurity/data \ MODSEC_DEBUG_LOG=/dev/null \ MODSEC_DEBUG_LOGLEVEL=0 \ MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \ MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \ + MODSEC_DISABLE_BACKEND_COMPRESSION="Off" \ MODSEC_PCRE_MATCH_LIMIT=100000 \ MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 \ MODSEC_REQ_BODY_ACCESS=on \ 
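Review bot: `NGINX_VERSION = patch(openresty-version)` in target `openresty-alpine-fat` relies on a `patch` function defined outside this hunk, and nothing here records why the value no longer comes from `nginx-version`. The argument feeds `cd "./openresty-${OPENRESTY_VERSION}/bundle/nginx-${NGINX_VERSION}"` in openresty/Dockerfile-alpine, so it has to match the nginx directory bundled in the OpenResty tarball exactly. A one-line comment above the argument would capture that, e.g. `# nginx bundled with OpenResty; presumably the first three components of openresty-version (confirm against patch())`. The target block starts and ends outside the hunk.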
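Review bot: The rename of `MODSEC_AUDIT_STORAGE` to `MODSEC_AUDIT_STORAGE_DIR` in this ENV block drops the old name with no visible fallback, so a deployment that still sets `MODSEC_AUDIT_STORAGE` (for example to send concurrent audit logs to a mounted volume) would presumably revert to `/var/log/modsecurity/audit/` inside the container without any error. The same applies to the ENV hunks in apache/Dockerfile, apache/Dockerfile-alpine, nginx/Dockerfile-alpine and openresty/Dockerfile-alpine. The templates and entrypoint that read the variable are not part of this diff, so whether the old name is still honoured cannot be confirmed from here. If it is not, the README row should say so, e.g. `Renamed from MODSEC_AUDIT_STORAGE; the old name is no longer read.` The ENV instruction starts and ends outside the hunk.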
@@ -156,7 +157,7 @@ ENV \ MODSEC_UNICODE_MAPPING=20127 \ MODSEC_UPLOAD_DIR=/tmp/modsecurity/upload \ MODSEC_UPLOAD_FILE_MODE=0600 \ - MODSEC_UPLOAD_KEEP_FILES=RelevantOnly \ + MODSEC_UPLOAD_KEEP_FILES=Off \ NGINX_ALWAYS_TLS_REDIRECT=off \ NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx \ PORT=8080 \ diff --git a/nginx/Dockerfile-alpine b/nginx/Dockerfile-alpine index 83749f0..b6549a8 100644 --- a/nginx/Dockerfile-alpine +++ b/nginx/Dockerfile-alpine @@ -125,12 +125,13 @@ ENV \ MODSEC_AUDIT_LOG_RELEVANT_STATUS="^(?:5|4(?!04))" \ MODSEC_AUDIT_LOG_TYPE=Serial \ MODSEC_COOKIE_FORMAT=0 \ - MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \ + MODSEC_AUDIT_STORAGE_DIR=/var/log/modsecurity/audit/ \ MODSEC_DATA_DIR=/tmp/modsecurity/data \ MODSEC_DEBUG_LOG=/dev/null \ MODSEC_DEBUG_LOGLEVEL=0 \ MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \ MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \ + MODSEC_DISABLE_BACKEND_COMPRESSION="Off" \ MODSEC_PCRE_MATCH_LIMIT=100000 \ MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 \ MODSEC_REQ_BODY_ACCESS=on \ @@ -150,7 +151,7 @@ ENV \ MODSEC_UNICODE_MAPPING=20127 \ MODSEC_UPLOAD_DIR=/tmp/modsecurity/upload \ MODSEC_UPLOAD_FILE_MODE=0600 \ - MODSEC_UPLOAD_KEEP_FILES=RelevantOnly \ + MODSEC_UPLOAD_KEEP_FILES=Off \ NGINX_ALWAYS_TLS_REDIRECT=off \ NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx \ PORT=8080 \ diff --git a/openresty/Dockerfile-alpine b/openresty/Dockerfile-alpine index e7e969b..d56925e 100644 --- a/openresty/Dockerfile-alpine +++ b/openresty/Dockerfile-alpine 
@@ -63,7 +63,7 @@ RUN set -eux; \ RUN set -eux; \ git clone -b master --depth 1 https://github.com/owasp-modsecurity/ModSecurity-nginx.git; \ curl -sSL https://openresty.org/download/openresty-"${OPENRESTY_VERSION}".tar.gz | tar -xzf -; \ - cd ./openresty-"${OPENRESTY_VERSION}"/bundle/nginx-${NGINX_VERSION}; \ + cd "./openresty-${OPENRESTY_VERSION}/bundle/nginx-${NGINX_VERSION}"; \ export LUAJIT_LIB="/usr/local/openresty/luajit/lib"; \ export LUAJIT_INC="/usr/local/openresty/luajit/include/luajit-2.1"; \ COMPILEOPTIONS=$(openresty -V 2>&1| grep -i "arguments"|cut -d ":" -f2-); \ @@ -135,12 +135,13 @@ ENV \ MODSEC_AUDIT_LOG_RELEVANT_STATUS="^(?:5|4(?!04))" \ MODSEC_AUDIT_LOG_TYPE=Serial \ MODSEC_COOKIE_FORMAT=0 \ - MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \ + MODSEC_AUDIT_STORAGE_DIR=/var/log/modsecurity/audit/ \ MODSEC_DATA_DIR=/tmp/modsecurity/data \ MODSEC_DEBUG_LOG=/dev/null \ MODSEC_DEBUG_LOGLEVEL=0 \ MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \ MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \ + MODSEC_DISABLE_BACKEND_COMPRESSION="Off" \ MODSEC_PCRE_MATCH_LIMIT=100000 \ MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 \ MODSEC_REQ_BODY_ACCESS=on \ @@ -160,7 +161,7 @@ ENV \ MODSEC_UNICODE_MAPPING=20127 \ MODSEC_UPLOAD_DIR=/tmp/modsecurity/upload \ MODSEC_UPLOAD_FILE_MODE=0600 \ - MODSEC_UPLOAD_KEEP_FILES=RelevantOnly \ + MODSEC_UPLOAD_KEEP_FILES=Off \ NGINX_ALWAYS_TLS_REDIRECT=off \ NGINX_ENVSUBST_OUTPUT_DIR=/usr/local/openresty/nginx/conf \ PORT=80 \ diff --git a/renovate.json b/renovate.json index 7d28d1b..4cf0518 100644 --- a/renovate.json +++ b/renovate.json 
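Review bot: The OpenResty tarball in this RUN step is piped from `curl` straight into `tar` with no integrity check, and ModSecurity-nginx is cloned from the moving `master` branch, so the build trusts whatever those endpoints serve at build time. The quoting fix on the `cd` line does not change that. Download to a file and verify it against a pinned digest before unpacking, e.g. `curl -sSLo openresty.tar.gz https://openresty.org/download/openresty-"${OPENRESTY_VERSION}".tar.gz; \` then `echo "${OPENRESTY_SHA256}  openresty.tar.gz" | sha256sum -c -; \` then `tar -xzf openresty.tar.gz; \`, where `OPENRESTY_SHA256` is a placeholder for a new build argument kept next to the version. The clone should likewise be pinned to a release tag or commit. The RUN instruction continues past the end of the hunk.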
@@ -94,6 +94,18 @@ ], "depNameTemplate": "coreruleset/coreruleset", "datasourceTemplate": "github-releases" + }, + { + "description": "Docs: OpenResty", + "customType": "regex", + "fileMatch": [ + "^README\\.md$" + ], + "matchStrings": [ + "OpenResty (?\\d+\\.\\d+\\.\\d+(\\.\\d+)?)" + ], + "depNameTemplate": "openresty/openresty", + "datasourceTemplate": "docker" } ] }
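Review bot: The `matchStrings` entry as shown here opens its group with `(?` followed directly by `\\d+`, which is not a valid group and carries no capture name; Renovate's regex manager reads the version from a named group such as `currentValue`. This may be an artefact of how the page was rendered, but if the file really reads this way the rule will never match. The intended form would be `"OpenResty (?<currentValue>\\d+\\.\\d+\\.\\d+(\\.\\d+)?)"`. It is also worth confirming that the `docker` datasource orders four-part tags such as `1.25.3.1` as intended, since no `versioningTemplate` is set.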