Merge pull request #171 from coreruleset/develop
New image with latest changes
fzipi authored Oct 17, 2023
2 parents c94b9d0 + 6a2c430 commit f032361
Showing 9 changed files with 25 additions and 12 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/buildimage.yml
@@ -19,7 +19,7 @@ jobs:
variant: ["", "-alpine"]
steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
fetch-depth: 1

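Review bot: the bump from `actions/checkout@v3` to `@v4` still pins to a mutable tag; for a workflow that builds and publishes container images, pin to the full commit SHA of the v4 release (`uses: actions/checkout@<sha> # v4`) so a retagged or compromised release cannot change what runs here, and apply the same pinning to the identical bumps in lint.yml and verifyimage.yml below. Also worth a line in the PR description: checkout v4 moves the action to the Node 20 runtime, which matters for any older self-hosted runner.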
2 changes: 1 addition & 1 deletion .github/workflows/lint.yml
@@ -13,7 +13,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
fetch-depth: 1
- name: Check README-containers.md length
2 changes: 1 addition & 1 deletion .github/workflows/verifyimage.yml
@@ -20,7 +20,7 @@ jobs:
platform: [linux/amd64]
steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
fetch-depth: 1

4 changes: 4 additions & 0 deletions README.md
@@ -170,6 +170,8 @@ docker run -p 8080:80 -e SERVER_NAME=myhost my-modsec
| REQ_HEADER_FORWARDED_PROTO | A string indicating the transfer protocol of the initial request (Default: `https`) |
| SERVER_ADMIN | A string value indicating the address where problems with the server should be e-mailed (Default: `root@localhost`) |
| SERVER_NAME | A string value indicating the server name (Default: `localhost`) |
| SERVER_SIGNATURE | A string value configuring the footer on server-generated documents (Allowed values: `On`, `Off`, `EMail`. Default: `Off`) |
| SERVER_TOKENS | Option defining the server information presented to clients in the `Server` HTTP response header. Also see `MODSEC_SERVER_SIGNATURE`. (Allowed values: `Full`, `Prod[uctOnly]`, `Major`, `Minor`, `Min[imal]`, `OS`. Default: `Full`). |
| SSL_CIPHER_SUITE | A string indicating the cipher suite to use. Uses OpenSSL [list of cipher suites](https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html) (Default: `"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"` |
| SSL_ENGINE | A string indicating the SSL Engine Operation Switch (Default: `on`) |
| SSL_HONOR_CIPHER_ORDER | A string indicating if the server should [honor the cipher list provided by the client](https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslhonorcipherorder) (Allowed values: `on`, `off`. Default: `off`) |
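Review bot: the new `SERVER_TOKENS` row documents `Full` as the default without saying why, and `Full` is the most verbose setting Apache offers (httpd version, OS and loaded modules in the `Server` header). The reason only becomes clear from the `MODSEC_SERVER_SIGNATURE` row further down: ModSecurity's `SecServerSignature` can only rewrite the banner when `ServerTokens` is `Full`. Say so in this row, and note that `Prod` is the conservative choice when the ModSecurity override is not relied on, e.g. `(Default: Full, so that MODSEC_SERVER_SIGNATURE can replace the banner; use Prod if you do not rely on SecServerSignature)`.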
@@ -211,6 +213,7 @@ Note: Apache access and metric logs can be disabled by exporting the `nologging=
| PROXY_SSL_PROTOCOLS | A string value indicating the ssl protocols to enable (default: `TTLSv1.2 TLSv1.3`)|
| PROXY_SSL_VERIFY | A string value indicating if the client certificates should be verified (Allowed values: `on`, `off`. Default: `off`) |
| PROXY_TIMEOUT | Number of seconds for proxied requests to time out connections (Default: `60s`) |
| SERVER_TOKENS | A boolean value for enabling / disabling emission of server identifying information in the `Server` HTTP response header and on error pages. (Allowed values: `on`, `off`, `build`. Default: `off`). |
| SSL_PORT | Port number where the SSL enabled webserver is listening (Default: `443`) |
| TIMEOUT | Number of seconds for a keep-alive client connection to stay open on the server side (Default: `60s`) |
| WORKER_CONNECTIONS | Maximum number of simultaneous connections that can be opened by a worker process (Default: `1024`) |
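Review bot: the `SERVER_TOKENS` row for nginx calls the value boolean but then lists three allowed values; `build` is a valid nginx `server_tokens` argument (it emits the build name alongside the version), so drop "boolean" and describe it as an option, matching the wording of the Apache `SERVER_TOKENS` row above. It is also worth adding that `off` still sends a `Server: nginx` header, just without the version, so readers do not expect the header to disappear entirely.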
@@ -243,6 +246,7 @@ All these variables impact in configuration directives in the modsecurity engine
| MODSEC_RESP_BODY_LIMIT_ACTION | A string value for the action when `SecResponseBodyLimit` is reached (Default: `ProcessPartial`). Accepted values: `Reject`, `ProcessPartial`. See [SecResponseBodyLimitAction](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secresponsebodylimitaction) for additional information. |
| MODSEC_RESP_BODY_MIMETYPE | A string with the list of mime types that will be analyzed in the response (Default: `'text/plain text/html text/xml'`). You might consider adding `application/json` documented [here](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-\(v2.x\)#secresponsebodymimetype). |
| MODSEC_RULE_ENGINE | A string value enabling ModSecurity itself (Default: `On`). Accepted values: `On`, `Off`, `DetectionOnly`. See [SecRuleEngine](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secruleengine) for additional information. |
| MODSEC_SERVER_SIGNATURE | Sets the directive [SecServerSignature](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secserversignature) and instructs ModSecurity to change the data presented in the "Server:" response header token when Apache `ServerTokens` directive is set to `Full`. Also see Apache `SERVER_TOKENS`. Only supported in ModSecurity 2.x, will have not effect on 3.x. (Default: `Apache`). |
| MODSEC_STATUS_ENGINE | A string used to configure the status engine, which sends statistical information (Default: `Off`). Accepted values: `On`, `Off`. See [SecStatusEngine](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#SecStatusEngine) for additional information. |
| MODSEC_TAG | A string indicating the default tag action, which will be inherited by the rules in the same configuration context (Default: `modsecurity`) |
| MODSEC_TMP_DIR | A string indicating the path where temporary files will be created (Default: `/tmp/modsecurity/tmp`) |
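Review bot: "will have not effect on 3.x" should read "will have no effect on 3.x". Since the variable is Apache-only (the hunks below set it in apache/Dockerfile and apache/conf/extra/httpd-modsecurity.conf only, and the nginx variant builds libmodsecurity 3 where the directive is unsupported), it would sit better in the Apache-specific variable table than in the shared ModSecurity table, or the row should at least say that the nginx images ignore it. The description could also state the interaction more directly: with `ServerTokens Full`, the `Server` header becomes the configured `SecServerSignature` string, so the default `Apache` hides the httpd version.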
6 changes: 5 additions & 1 deletion apache/Dockerfile
@@ -99,6 +99,7 @@ ENV APACHE_ALWAYS_TLS_REDIRECT=off \
MODSEC_RESP_BODY_LIMIT_ACTION="ProcessPartial" \
MODSEC_RESP_BODY_MIMETYPE="text/plain text/html text/xml" \
MODSEC_RULE_ENGINE=on \
MODSEC_SERVER_SIGNATURE="Apache" \
MODSEC_STATUS_ENGINE="Off" \
MODSEC_TAG=modsecurity \
MODSEC_TMP_DIR=/tmp/modsecurity/tmp \
@@ -118,6 +119,8 @@ ENV APACHE_ALWAYS_TLS_REDIRECT=off \
REQ_HEADER_FORWARDED_PROTO='https' \
SERVER_ADMIN=root@localhost \
SERVER_NAME=localhost \
SERVER_SIGNATURE=Off \
SERVER_TOKENS=Full \
SSL_CIPHER_SUITE="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \
SSL_ENGINE=on \
SSL_HONOR_CIPHER_ORDER=off \
@@ -173,7 +176,8 @@ RUN set -eux; \
mkdir -p /var/log/apache2/; \
ln -s /opt/owasp-crs /etc/modsecurity.d/; \
sed -i -E 's|(Listen) [0-9]+|\1 ${PORT}|' /usr/local/apache2/conf/httpd.conf; \
sed -i -E 's|(ServerTokens) Full|\1 Prod|' /usr/local/apache2/conf/extra/httpd-default.conf; \
sed -i -E 's|(ServerTokens) Full|\1 ${SERVER_TOKENS}|' /usr/local/apache2/conf/extra/httpd-default.conf; \
sed -i -E 's|(ServerSignature) Off|\1 ${SERVER_SIGNATURE}|' /usr/local/apache2/conf/extra/httpd-default.conf; \
sed -i -E 's|#(ServerName) www.example.com:80|\1 ${SERVER_NAME}|' /usr/local/apache2/conf/httpd.conf; \
sed -i -E 's|(ServerAdmin) [email protected]|\1 ${SERVER_ADMIN}|' /usr/local/apache2/conf/httpd.conf; \
sed -i -E 's|^(\s*CustomLog)(\s+\S+)+|\1 ${ACCESSLOG} modsec "env=!nologging"|g' /usr/local/apache2/conf/httpd.conf; \
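Review bot: the removed line hard-set `ServerTokens Prod`, so the effective default for anyone running the image unchanged moves from `Prod` to `Full` (the `ENV` block above sets `SERVER_TOKENS=Full`) and the banner now depends on `SecServerSignature` rewriting it. That is a behaviour change worth calling out in the commit message and README, and it deserves a check in the verifyimage workflow that the `Server` header of a running container does not contain the httpd version string. Note also that, because the sed patterns are single-quoted, `${SERVER_TOKENS}` and `${SERVER_SIGNATURE}` are written literally into httpd-default.conf and expanded by Apache at startup, so an unset or misspelled value (Apache accepts only the listed keywords) makes httpd fail to start rather than fall back to a safe default.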
3 changes: 3 additions & 0 deletions apache/conf/extra/httpd-modsecurity.conf
@@ -4,6 +4,9 @@ Timeout ${TIMEOUT}
LogLevel ${LOGLEVEL}
ErrorLog ${ERRORLOG}

# https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secserversignature
SecServerSignature ${MODSEC_SERVER_SIGNATURE}

<IfModule unixd_module>
User ${USER}
Group ${GROUP}
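Review bot: `SecServerSignature ${MODSEC_SERVER_SIGNATURE}` is unquoted, so a value containing whitespace would be parsed as two arguments and an empty value would leave the directive with no argument; both make httpd refuse to start. Quote it, `SecServerSignature "${MODSEC_SERVER_SIGNATURE}"`, and document in the README row that the value must be non-empty.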
8 changes: 4 additions & 4 deletions nginx/Dockerfile
@@ -2,7 +2,7 @@ ARG NGINX_VERSION="1.24.0"

FROM nginx:${NGINX_VERSION} as build

ARG MODSEC_VERSION=3.0.8 \
ARG MODSEC_VERSION=3.0.10 \
LMDB_VERSION=0.9.29

# Note: libpcre3-dev (PCRE 1) is required by the build description,
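Review bot: `MODSEC_VERSION` is declared with its default in both build stages of this file and again twice in Dockerfile-alpine, and the copies had already drifted before this change (this file was at 3.0.8 while the alpine file was at 3.0.9). Declare it once before the first `FROM` (`ARG MODSEC_VERSION=3.0.10`) and re-declare it without a default in each stage (`ARG MODSEC_VERSION`) so a single edit moves every stage. If the ModSecurity source download is checksum-verified, the bump should be paired with the 3.0.10 checksum; if it is not, this is the place to add that verification.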
@@ -95,7 +95,7 @@ RUN set -eux; \

FROM nginx:${NGINX_VERSION}

ARG MODSEC_VERSION=3.0.8 \
ARG MODSEC_VERSION=3.0.10 \
LMDB_VERSION=0.9.29

LABEL maintainer="Felipe Zipitria <[email protected]>"
@@ -152,6 +152,7 @@ ENV ACCESSLOG=/var/log/nginx/access.log \
PROXY_SSL_VERIFY=off \
PROXY_SSL_OCSP_STAPLING=off \
SERVER_NAME=localhost \
SERVER_TOKENS=off \
SSL_PORT=443 \
TIMEOUT=60s \
WORKER_CONNECTIONS=1024 \
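Review bot: `SERVER_TOKENS=off` is the right default for nginx, but the two variants now ship with opposite defaults for a variable of the same name (Apache's `SERVER_TOKENS=Full` relies on `SecServerSignature` to mask the banner, nginx's `off` masks it directly). The README should state that the accepted values and the default differ per variant, because a value copied from one `docker run` line to the other breaks startup: `Full` is not a valid nginx `server_tokens` argument and `off` is not a valid Apache `ServerTokens` argument.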
@@ -177,8 +178,7 @@ COPY src/etc/modsecurity.d/setup.conf /etc/nginx/templates/modsecurity.d/setup.c
COPY nginx/docker-entrypoint.d/*.sh /docker-entrypoint.d/
COPY src/opt/modsecurity/activate-plugins.sh /docker-entrypoint.d/94-activate-plugins.sh
COPY src/opt/modsecurity/activate-rules.sh /docker-entrypoint.d/95-activate-rules.sh
# We use the templating mechanism from the nginx image here,
# as set up by owasp/modsecurity-docker
# We use the templating mechanism from the nginx image here.
COPY nginx/templates /etc/nginx/templates/
COPY src/bin/* /usr/local/bin/

8 changes: 4 additions & 4 deletions nginx/Dockerfile-alpine
@@ -2,7 +2,7 @@ ARG NGINX_VERSION="1.24.0"

FROM nginx:${NGINX_VERSION}-alpine as build

ARG MODSEC_VERSION=3.0.9
ARG MODSEC_VERSION=3.0.10

# Note: pcre-dev (PCRE 1) is required by the build description,
# even though the build will use PCRE2.
@@ -90,7 +90,7 @@ RUN set -eux; \

FROM nginx:${NGINX_VERSION}-alpine

ARG MODSEC_VERSION=3.0.9
ARG MODSEC_VERSION=3.0.10

LABEL maintainer="Felipe Zipitria <[email protected]>"

@@ -146,6 +146,7 @@ ENV ACCESSLOG=/var/log/nginx/access.log \
PROXY_SSL_VERIFY=off \
PROXY_SSL_OCSP_STAPLING=off \
SERVER_NAME=localhost \
SERVER_TOKENS=off \
SSL_PORT=443 \
TIMEOUT=60s \
WORKER_CONNECTIONS=1024 \
@@ -165,8 +166,7 @@ COPY --from=build /usr/share/TLS/dhparam-* /etc/ssl/certs/
COPY --from=build /etc/modsecurity.d/unicode.mapping /etc/modsecurity.d/unicode.mapping
COPY --from=build /etc/modsecurity.d/modsecurity.conf /etc/modsecurity.d/modsecurity.conf
COPY --from=crs_release /opt/owasp-crs /opt/owasp-crs
# We use the templating mechanism from the nginx image here,
# as set up by owasp/modsecurity-docker
# We use the templating mechanism from the nginx image here.
COPY nginx/templates /etc/nginx/templates/
COPY src/etc/modsecurity.d/modsecurity-override.conf /etc/nginx/templates/modsecurity.d/modsecurity-override.conf.template
COPY src/etc/modsecurity.d/setup.conf /etc/nginx/templates/modsecurity.d/setup.conf.template
2 changes: 2 additions & 0 deletions nginx/templates/conf.d/default.conf.template
@@ -1,5 +1,7 @@
# Nginx configuration for both HTTP and SSL

server_tokens ${SERVER_TOKENS};

map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
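Review bot: `server_tokens` at the top of conf.d/default.conf.template lands in the `http` context (the stock nginx.conf of the base image includes conf.d/*.conf inside `http {}`), so it applies to every server block, which is what is wanted; just confirm no other template sets `server_tokens` inside a `server` block, since the inner setting would silently win. With `off`, nginx also stops printing its version on the built-in error pages, which the nginx `SERVER_TOKENS` README row could mention alongside the header.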

0 comments on commit f032361