From d48399b6b5010fbfe008f1e45b604bb852f38d38 Mon Sep 17 00:00:00 2001
From: Felipe Zipitria
Date: Sun, 5 May 2024 22:09:09 -0300
Subject: [PATCH 1/6] fix: typo in variable name

Signed-off-by: Felipe Zipitria
---
 README.md | 2 +-
 apache/Dockerfile | 2 +-
 apache/Dockerfile-alpine | 2 +-
 nginx/Dockerfile | 2 +-
 nginx/Dockerfile-alpine | 2 +-
 openresty/Dockerfile-alpine | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 28b8b4b..706fd54 100644
--- a/README.md
+++ b/README.md
@@ -244,7 +244,7 @@ All these variables impact in configuration directives in the modsecurity engine
 | MODSEC_AUDIT_LOG_RELEVANT_STATUS | A regular expression string that defines the http error codes that are relevant for audit logging (Default: `"^(?:5|4(?!04))"`). See [SecAuditLogRelevantStatus](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secauditlogrelevantstatus) |
 | MODSEC_AUDIT_LOG_TYPE | A string indicating the type of audit logging mechanism to be used (Default: `Serial`). Accepted values: `Serial`, `Concurrent` (`HTTPS` works only on Nginx - v3). See [SecAuditLogType](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secauditlogtype) for additional information. |
 | MODSEC_COOKIE_FORMAT | The cookie format used (Default: `0` use Netscape cookies) :warning: Do not touch unless you really know what you are doing. See [SecCookieFormat](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#seccookieformat). |
-| MODSEC_AUDIT_STORAGE | A string indicating the directory where concurrent audit log entries are to be stored (Default: `/var/log/modsecurity/audit/`) |
+| MODSEC_AUDIT_STORAGE_DIR | A string indicating the directory where concurrent audit log entries are to be stored (Default: `/var/log/modsecurity/audit/`) |
 | MODSEC_DATA_DIR | A string indicating the path where persistent data (e.g., IP address data, session data, and so on) is to be stored (Default: `/tmp/modsecurity/data`) |
 | MODSEC_DEBUG_LOG | A string indicating the path to the ModSecurity debug log file (Default: `/dev/null`) |
 | MODSEC_DEBUG_LOGLEVEL | An integer indicating the verboseness of the debug log data (Default: `0`). Accepted values: `0` - `9`. See [SecDebugLogLevel](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secdebugloglevel). |
diff --git a/apache/Dockerfile b/apache/Dockerfile
index ef0d39f..91a6f4a 100644
--- a/apache/Dockerfile
+++ b/apache/Dockerfile
@@ -87,7 +87,7 @@ ENV \
 MODSEC_AUDIT_LOG_RELEVANT_STATUS="^(?:5|4(?!04))" \
 MODSEC_AUDIT_LOG_TYPE=Serial \
 MODSEC_COOKIE_FORMAT=0 \
- MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \
+ MODSEC_AUDIT_STORAGE_DIR=/var/log/modsecurity/audit/ \
 MODSEC_DATA_DIR=/tmp/modsecurity/data \
 MODSEC_DEBUG_LOG=/dev/null \
 MODSEC_DEBUG_LOGLEVEL=0 \
diff --git a/apache/Dockerfile-alpine b/apache/Dockerfile-alpine
index 469c039..ce031a5 100644
--- a/apache/Dockerfile-alpine
+++ b/apache/Dockerfile-alpine
@@ -97,7 +97,7 @@ ENV \
 MODSEC_AUDIT_LOG_RELEVANT_STATUS="^(?:5|4(?!04))" \
 MODSEC_AUDIT_LOG_TYPE=Serial \
 MODSEC_COOKIE_FORMAT=0 \
- MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \
+ MODSEC_AUDIT_STORAGE_DIR=/var/log/modsecurity/audit/ \
 MODSEC_DATA_DIR=/tmp/modsecurity/data \
 MODSEC_DEBUG_LOG=/dev/null \
 MODSEC_DEBUG_LOGLEVEL=0 \
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index cc80131..b499ea0 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -131,7 +131,7 @@ ENV \
 MODSEC_AUDIT_LOG_RELEVANT_STATUS="^(?:5|4(?!04))" \
 MODSEC_AUDIT_LOG_TYPE=Serial \
 MODSEC_COOKIE_FORMAT=0 \
- MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \
+ MODSEC_AUDIT_STORAGE_DIR=/var/log/modsecurity/audit/ \
 MODSEC_DATA_DIR=/tmp/modsecurity/data \
 MODSEC_DEBUG_LOG=/dev/null \
 MODSEC_DEBUG_LOGLEVEL=0 \
diff --git a/nginx/Dockerfile-alpine b/nginx/Dockerfile-alpine
index 83749f0..8f4cb86 100644
--- a/nginx/Dockerfile-alpine
+++ b/nginx/Dockerfile-alpine
@@ -125,7 +125,7 @@ ENV \
 MODSEC_AUDIT_LOG_RELEVANT_STATUS="^(?:5|4(?!04))" \
 MODSEC_AUDIT_LOG_TYPE=Serial \
 MODSEC_COOKIE_FORMAT=0 \
- MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \
+ MODSEC_AUDIT_STORAGE_DIR=/var/log/modsecurity/audit/ \
 MODSEC_DATA_DIR=/tmp/modsecurity/data \
 MODSEC_DEBUG_LOG=/dev/null \
 MODSEC_DEBUG_LOGLEVEL=0 \
diff --git a/openresty/Dockerfile-alpine b/openresty/Dockerfile-alpine
index e7e969b..ede0e2d 100644
--- a/openresty/Dockerfile-alpine
+++ b/openresty/Dockerfile-alpine
@@ -135,7 +135,7 @@ ENV \
 MODSEC_AUDIT_LOG_RELEVANT_STATUS="^(?:5|4(?!04))" \
 MODSEC_AUDIT_LOG_TYPE=Serial \
 MODSEC_COOKIE_FORMAT=0 \
- MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \
+ MODSEC_AUDIT_STORAGE_DIR=/var/log/modsecurity/audit/ \
 MODSEC_DATA_DIR=/tmp/modsecurity/data \
 MODSEC_DEBUG_LOG=/dev/null \
 MODSEC_DEBUG_LOGLEVEL=0 \

From b5d242ba9dff0ead6cd798ff29c546ba7cbad248 Mon Sep 17 00:00:00 2001
From: Felipe Zipitria
Date: Sun, 5 May 2024 22:14:10 -0300
Subject: [PATCH 2/6] fix: nginx based images for default values

Signed-off-by: Felipe Zipitria
---
 README.md | 2 +-
 nginx/Dockerfile | 3 ++-
 nginx/Dockerfile-alpine | 3 ++-
 openresty/Dockerfile-alpine | 3 ++-
 4 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 706fd54..2735523 100644
--- a/README.md
+++ b/README.md
@@ -271,7 +271,7 @@ All these variables impact in configuration directives in the modsecurity engine
 | MODSEC_UNICODE_MAPPING | The unicode Code Point to use form the default file(Default: `20127`). See [SecUnicodeMapFile](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secunicodemapfile) |
 | MODSEC_UPLOAD_DIR | A string indicating the path where intercepted files will be stored (Default: `/tmp/modsecurity/upload`) |
 | MODSEC_UPLOAD_FILE_MODE | (Default: `0600`) |
-| MODSEC_UPLOAD_KEEP_FILES | Configures whether or not the intercepted files will be kept after transaction is processed. (Default: `RelevantOnly`) Accepted values: `On`, `Off`, `RelevantOnly`. See [SecUploadKeepFiles](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secuploadkeepfiles)
+| MODSEC_UPLOAD_KEEP_FILES | Configures whether or not the intercepted files will be kept after transaction is processed. (Default: `RelevantOnly` on Apache, `Off` on nginx) Accepted values: `On`, `Off`, `RelevantOnly` (only modsec2). See [SecUploadKeepFiles](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secuploadkeepfiles) and [libmodsecurity3](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v3.x%29#secuploadkeepfiles)
 ### CRS specific
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index b499ea0..8d6e9e5 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -137,6 +137,7 @@ ENV \
 MODSEC_DEBUG_LOGLEVEL=0 \
 MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \
 MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \
+ MODSEC_DISABLE_BACKEND_COMPRESSION="Off" \
 MODSEC_PCRE_MATCH_LIMIT=100000 \
 MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 \
 MODSEC_REQ_BODY_ACCESS=on \
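Review bot: The new `MODSEC_DISABLE_BACKEND_COMPRESSION="Off"` default is undocumented: the README hunk in this commit only rewrites the MODSEC_UPLOAD_KEEP_FILES row, so the variable table gains no entry for the new knob. Add a table row for MODSEC_DISABLE_BACKEND_COMPRESSION in the same shape as its neighbours (one-line purpose, "Default: `Off`", accepted values `On`/`Off`, and a link to the SecDisableBackendCompression reference entry), so operators know the default and how to change it. The value is also the only one in this ENV block written with quotes; `MODSEC_DISABLE_BACKEND_COMPRESSION=Off \` would match the surrounding unquoted defaults. The same two points apply to the nginx/Dockerfile-alpine and openresty/Dockerfile-alpine hunks of this commit.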
@@ -156,7 +157,7 @@ ENV \
 MODSEC_UNICODE_MAPPING=20127 \
 MODSEC_UPLOAD_DIR=/tmp/modsecurity/upload \
 MODSEC_UPLOAD_FILE_MODE=0600 \
- MODSEC_UPLOAD_KEEP_FILES=RelevantOnly \
+ MODSEC_UPLOAD_KEEP_FILES=Off \
 NGINX_ALWAYS_TLS_REDIRECT=off \
 NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx \
 PORT=8080 \
diff --git a/nginx/Dockerfile-alpine b/nginx/Dockerfile-alpine
index 8f4cb86..b6549a8 100644
--- a/nginx/Dockerfile-alpine
+++ b/nginx/Dockerfile-alpine
@@ -131,6 +131,7 @@ ENV \
 MODSEC_DEBUG_LOGLEVEL=0 \
 MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \
 MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \
+ MODSEC_DISABLE_BACKEND_COMPRESSION="Off" \
 MODSEC_PCRE_MATCH_LIMIT=100000 \
 MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 \
 MODSEC_REQ_BODY_ACCESS=on \
@@ -150,7 +151,7 @@ ENV \
 MODSEC_UNICODE_MAPPING=20127 \
 MODSEC_UPLOAD_DIR=/tmp/modsecurity/upload \
 MODSEC_UPLOAD_FILE_MODE=0600 \
- MODSEC_UPLOAD_KEEP_FILES=RelevantOnly \
+ MODSEC_UPLOAD_KEEP_FILES=Off \
 NGINX_ALWAYS_TLS_REDIRECT=off \
 NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx \
 PORT=8080 \
diff --git a/openresty/Dockerfile-alpine b/openresty/Dockerfile-alpine
index ede0e2d..c6f7cc9 100644
--- a/openresty/Dockerfile-alpine
+++ b/openresty/Dockerfile-alpine
@@ -141,6 +141,7 @@ ENV \
 MODSEC_DEBUG_LOGLEVEL=0 \
 MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \
 MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \
+ MODSEC_DISABLE_BACKEND_COMPRESSION="Off" \
 MODSEC_PCRE_MATCH_LIMIT=100000 \
 MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 \
 MODSEC_REQ_BODY_ACCESS=on \
@@ -160,7 +161,7 @@ ENV \
 MODSEC_UNICODE_MAPPING=20127 \
 MODSEC_UPLOAD_DIR=/tmp/modsecurity/upload \
 MODSEC_UPLOAD_FILE_MODE=0600 \
- MODSEC_UPLOAD_KEEP_FILES=RelevantOnly \
+ MODSEC_UPLOAD_KEEP_FILES=Off \
 NGINX_ALWAYS_TLS_REDIRECT=off \
 NGINX_ENVSUBST_OUTPUT_DIR=/usr/local/openresty/nginx/conf \
 PORT=80 \

From 39d0fc0da873cc321fa982a49482af42868924cf Mon Sep 17 00:00:00 2001
From: Felipe Zipitria
Date: Sun, 5 May 2024 22:32:43 -0300
Subject: [PATCH 3/6] fix: renovate update openresty

Signed-off-by: Felipe Zipitria
---
 README.md | 2 +-
 docker-bake.hcl | 1 -
 openresty/Dockerfile-alpine | 3 ++-
 renovate.json | 12 ++++++++++++
 4 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 28b8b4b..4fcde54 100644
--- a/README.md
+++ b/README.md
@@ -47,7 +47,7 @@ Examples:
 * nginx – *latest stable ModSecurity v3 on Nginx 1.25.3 official stable base image, and latest stable OWASP CRS 4.1.0*
 * [nginx](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)
 * [nginx-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine)
-* Openresty - *last stable ModSecurity v3 on Nginx 1.25.3 official stable base image, and latest stable OWASP CRS 4.1.0*
+* Openresty - *last stable ModSecurity v3 on OpenResty 1.25.3 official stable base image, and latest stable OWASP CRS 4.1.0*
 * [openresty-alpine-fat](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/openresty/Dockerfile-alpine)
 * Apache httpd – *last stable ModSecurity v2 on Apache 2.4.59 official stable base image, and latest stable OWASP CRS 4.1.0*
 * [apache](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)
diff --git a/docker-bake.hcl b/docker-bake.hcl
index 7d04c20..7b4a66b 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -179,7 +179,6 @@ target "openresty-alpine-fat" {
 dockerfile="openresty/Dockerfile-alpine"
 args = {
 OPENRESTY_VERSION = "${openresty-version}"
- NGINX_VERSION = "${nginx-version}"
 LUA_MODULES = join(" ", lua-modules-luarocks)
 }
 tags = concat(tag("openresty-alpine-fat"),
diff --git a/openresty/Dockerfile-alpine b/openresty/Dockerfile-alpine
index e7e969b..bb225de 100644
--- a/openresty/Dockerfile-alpine
+++ b/openresty/Dockerfile-alpine
@@ -63,7 +63,8 @@ RUN set -eux; \
 RUN set -eux; \
 git clone -b master --depth 1 https://github.com/owasp-modsecurity/ModSecurity-nginx.git; \
 curl -sSL https://openresty.org/download/openresty-"${OPENRESTY_VERSION}".tar.gz | tar -xzf -; \
- cd ./openresty-"${OPENRESTY_VERSION}"/bundle/nginx-${NGINX_VERSION}; \
+ NGINX_VERSION=$(echo $OPENRESTY_VERSION | cut -f1-3 -d.)
+ cd "./openresty-${OPENRESTY_VERSION}/bundle/nginx-${NGINX_VERSION}"; \
 export LUAJIT_LIB="/usr/local/openresty/luajit/lib"; \
 export LUAJIT_INC="/usr/local/openresty/luajit/include/luajit-2.1"; \
 COMPILEOPTIONS=$(openresty -V 2>&1| grep -i "arguments"|cut -d ":" -f2-); \
diff --git a/renovate.json b/renovate.json
index 7d28d1b..4cf0518 100644
--- a/renovate.json
+++ b/renovate.json
@@ -94,6 +94,18 @@
 ],
 "depNameTemplate": "coreruleset/coreruleset",
 "datasourceTemplate": "github-releases"
+ },
+ {
+ "description": "Docs: OpenResty",
+ "customType": "regex",
+ "fileMatch": [
+ "^README\\.md$"
+ ],
+ "matchStrings": [
+ "OpenResty (?\\d+\\.\\d+\\.\\d+(\\.\\d+)?)"
+ ],
+ "depNameTemplate": "openresty/openresty",
+ "datasourceTemplate": "docker"
 }
 ]
 }

From c8e21a8059f89b6ca9bcc89b494234ed671e6dd5 Mon Sep 17 00:00:00 2001
From: Felipe Zipitria
Date: Mon, 6 May 2024 08:56:47 -0300
Subject: [PATCH 4/6] fix: use patch function for openresty version

Signed-off-by: Felipe Zipitria
---
 docker-bake.hcl | 1 +
 openresty/Dockerfile-alpine | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-bake.hcl b/docker-bake.hcl
index 7b4a66b..efb3d1f 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -179,6 +179,7 @@ target "openresty-alpine-fat" {
 dockerfile="openresty/Dockerfile-alpine"
 args = {
 OPENRESTY_VERSION = "${openresty-version}"
+ NGINX_VERSION = patch(openresty-version)
 LUA_MODULES = join(" ", lua-modules-luarocks)
 }
 tags = concat(tag("openresty-alpine-fat"),
diff --git a/openresty/Dockerfile-alpine b/openresty/Dockerfile-alpine
index bb225de..a41b375 100644
--- a/openresty/Dockerfile-alpine
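Review bot: The added `NGINX_VERSION=$(echo $OPENRESTY_VERSION | cut -f1-3 -d.)` line carries no trailing `; \`, so the RUN instruction's continuation ends there and the following `cd` line is left outside the shell command; as far as I can tell this makes openresty/Dockerfile-alpine fail to parse at this commit, and it is only repaired when PATCH 4/6 deletes the line again. If the series is merged as separate commits, 3/6 and 4/6 should be squashed so that no intermediate commit leaves the image unbuildable. Were the line to stay, it should read `NGINX_VERSION=$(echo "$OPENRESTY_VERSION" | cut -f1-3 -d.); \`, quoting the expansion like the surrounding lines do. The RUN block begins at the hunk's first context line and continues past the end of the hunk.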
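Review bot: The `matchStrings` pattern as it appears here, `OpenResty (?\\d+\\.\\d+\\.\\d+(\\.\\d+)?)`, has no named capture group, and `(?` followed directly by `\d` is not valid regex syntax; Renovate's regex manager needs a `currentValue` group to extract the version. If the `<currentValue>` name was lost when this patch was rendered, disregard this; otherwise the line should read `"OpenResty (?<currentValue>\\d+\\.\\d+\\.\\d+(\\.\\d+)?)"`. The optional `(\\.\\d+)?` fourth component is the reason this entry is separate from the nginx one and deserves a word in the `"description"` field, e.g. `"Docs: OpenResty (four-component version, e.g. 1.25.3.1)"`.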
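Review bot: `NGINX_VERSION = patch(openresty-version)` depends on `patch` being a user-defined bake function whose definition is not on this page, and the Dockerfile's `cd "./openresty-${OPENRESTY_VERSION}/bundle/nginx-${NGINX_VERSION}"` only resolves if that function returns exactly the three-component nginx version, e.g. `1.25.3` for `1.25.3.1`. That contract is invisible at the call site; a one-line comment above the arg would make it explicit: `# nginx bundled in OpenResty: the version without its release suffix (1.25.3.1 -> 1.25.3)`. It is also worth confirming that the function's output for a three-component OpenResty version is unchanged, since the renovate pattern added in PATCH 3/6 accepts both forms.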
+++ b/openresty/Dockerfile-alpine
@@ -63,7 +63,6 @@ RUN set -eux; \
 RUN set -eux; \
 git clone -b master --depth 1 https://github.com/owasp-modsecurity/ModSecurity-nginx.git; \
 curl -sSL https://openresty.org/download/openresty-"${OPENRESTY_VERSION}".tar.gz | tar -xzf -; \
- NGINX_VERSION=$(echo $OPENRESTY_VERSION | cut -f1-3 -d.)
 cd "./openresty-${OPENRESTY_VERSION}/bundle/nginx-${NGINX_VERSION}"; \
 export LUAJIT_LIB="/usr/local/openresty/luajit/lib"; \
 export LUAJIT_INC="/usr/local/openresty/luajit/include/luajit-2.1"; \

From 72bd30918f0941d329e1b270bf74bb8f5ee10a69 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felipe=20Zipitr=C3=ADa?= <3012076+fzipi@users.noreply.github.com>
Date: Mon, 6 May 2024 08:57:57 -0300
Subject: [PATCH 5/6] Apply suggestions from code review

Co-authored-by: Max Leske
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 4fcde54..b5a2a2a 100644
--- a/README.md
+++ b/README.md
@@ -47,7 +47,7 @@ Examples:
 * nginx – *latest stable ModSecurity v3 on Nginx 1.25.3 official stable base image, and latest stable OWASP CRS 4.1.0*
 * [nginx](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)
 * [nginx-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine)
-* Openresty - *last stable ModSecurity v3 on OpenResty 1.25.3 official stable base image, and latest stable OWASP CRS 4.1.0*
+* Openresty - *last stable ModSecurity v3 on OpenResty 1.25.3.1 official stable base image, and latest stable OWASP CRS 4.1.0*
 * [openresty-alpine-fat](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/openresty/Dockerfile-alpine)
 * Apache httpd – *last stable ModSecurity v2 on Apache 2.4.59 official stable base image, and latest stable OWASP CRS 4.1.0*
 * [apache](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)

From d219fa9118b412d14f936775ca60548b3cbea8cf Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 6 May 2024 18:39:58 +0000
Subject: [PATCH 6/6] chore(deps): update all non-major dependencies in readme.md

---
 README.md | 6 +++---
 docker-bake.hcl | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 50ee839..faf9e3f 100644
--- a/README.md
+++ b/README.md
@@ -44,12 +44,12 @@ Examples:
 ## OS Variants
-* nginx – *latest stable ModSecurity v3 on Nginx 1.25.3 official stable base image, and latest stable OWASP CRS 4.1.0*
+* nginx – *latest stable ModSecurity v3 on Nginx 1.26.0 official stable base image, and latest stable OWASP CRS 4.2.0*
 * [nginx](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)
 * [nginx-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine)
-* Openresty - *last stable ModSecurity v3 on OpenResty 1.25.3.1 official stable base image, and latest stable OWASP CRS 4.1.0*
+* Openresty - *last stable ModSecurity v3 on OpenResty 1.25.3.1 official stable base image, and latest stable OWASP CRS 4.2.0*
 * [openresty-alpine-fat](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/openresty/Dockerfile-alpine)
-* Apache httpd – *last stable ModSecurity v2 on Apache 2.4.59 official stable base image, and latest stable OWASP CRS 4.1.0*
+* Apache httpd – *last stable ModSecurity v2 on Apache 2.4.59 official stable base image, and latest stable OWASP CRS 4.2.0*
 * [apache](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)
 * [apache-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine)
diff --git a/docker-bake.hcl b/docker-bake.hcl
index efb3d1f..7bd0a9a 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -11,12 +11,12 @@ variable "modsec2-version" {
 variable "crs-version" {
 # renovate: depName=coreruleset/coreruleset datasource=github-releases
- default = "4.1.0"
+ default = "4.2.0"
 }
 variable "nginx-version" {
 # renovate: depName=nginxinc/nginx-unprivileged datasource=docker
- default = "1.25.3"
+ default = "1.26.0"
 }
 variable "httpd-version" {