release: fix broken variables in nginx #247

Merged
merged 11 commits into from
May 6, 2024
10 changes: 5 additions & 5 deletions README.md
Expand Up @@ -44,12 +44,12 @@ Examples:

## OS Variants

* nginx – *latest stable ModSecurity v3 on Nginx 1.25.3 official stable base image, and latest stable OWASP CRS 4.1.0*
* nginx – *latest stable ModSecurity v3 on Nginx 1.26.0 official stable base image, and latest stable OWASP CRS 4.2.0*
* [nginx](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)
* [nginx-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine)
* Openresty - *last stable ModSecurity v3 on Nginx 1.25.3 official stable base image, and latest stable OWASP CRS 4.1.0*
* Openresty - *last stable ModSecurity v3 on OpenResty 1.25.3.1 official stable base image, and latest stable OWASP CRS 4.2.0*
* [openresty-alpine-fat](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/openresty/Dockerfile-alpine)
* Apache httpd – *last stable ModSecurity v2 on Apache 2.4.59 official stable base image, and latest stable OWASP CRS 4.1.0*
* Apache httpd – *last stable ModSecurity v2 on Apache 2.4.59 official stable base image, and latest stable OWASP CRS 4.2.0*
* [apache](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)
* [apache-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine)
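Review bot: In the OS Variants list the OpenResty bullet keeps the label `Openresty` and the wording "last stable", while the text inside the same bullet now spells it `OpenResty` and the nginx bullet says "latest stable". Since these lines are being edited anyway, align the label casing and use "latest stable" in all three bullets; the Apache bullet has the same "last stable" wording.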

Expand Down Expand Up @@ -244,7 +244,7 @@ All these variables impact in configuration directives in the modsecurity engine
| MODSEC_AUDIT_LOG_RELEVANT_STATUS | A regular expression string that defines the http error codes that are relevant for audit logging (Default: `"^(?:5|4(?!04))"`). See [SecAuditLogRelevantStatus](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secauditlogrelevantstatus) |
| MODSEC_AUDIT_LOG_TYPE | A string indicating the type of audit logging mechanism to be used (Default: `Serial`). Accepted values: `Serial`, `Concurrent` (`HTTPS` works only on Nginx - v3). See [SecAuditLogType](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secauditlogtype) for additional information. |
| MODSEC_COOKIE_FORMAT | The cookie format used (Default: `0` use Netscape cookies) :warning: Do not touch unless you really know what you are doing. See [SecCookieFormat](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#seccookieformat). |
| MODSEC_AUDIT_STORAGE | A string indicating the directory where concurrent audit log entries are to be stored (Default: `/var/log/modsecurity/audit/`) |
| MODSEC_AUDIT_STORAGE_DIR | A string indicating the directory where concurrent audit log entries are to be stored (Default: `/var/log/modsecurity/audit/`) |
| MODSEC_DATA_DIR | A string indicating the path where persistent data (e.g., IP address data, session data, and so on) is to be stored (Default: `/tmp/modsecurity/data`) |
| MODSEC_DEBUG_LOG | A string indicating the path to the ModSecurity debug log file (Default: `/dev/null`) |
| MODSEC_DEBUG_LOGLEVEL | An integer indicating the verboseness of the debug log data (Default: `0`). Accepted values: `0` - `9`. See [SecDebugLogLevel](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secdebugloglevel). |
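Review bot: The `MODSEC_AUDIT_STORAGE_DIR` row replaces `MODSEC_AUDIT_STORAGE` without mentioning the old name, so a reader who already sets `MODSEC_AUDIT_STORAGE` gets no hint from the table that the documented variable has changed. Add a short "formerly `MODSEC_AUDIT_STORAGE`" remark to the row or to the release notes.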
Expand All @@ -271,7 +271,7 @@ All these variables impact in configuration directives in the modsecurity engine
| MODSEC_UNICODE_MAPPING | The unicode Code Point to use form the default file(Default: `20127`). See [SecUnicodeMapFile](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secunicodemapfile) |
| MODSEC_UPLOAD_DIR | A string indicating the path where intercepted files will be stored (Default: `/tmp/modsecurity/upload`) |
| MODSEC_UPLOAD_FILE_MODE | (Default: `0600`) |
| MODSEC_UPLOAD_KEEP_FILES | Configures whether or not the intercepted files will be kept after transaction is processed. (Default: `RelevantOnly`) Accepted values: `On`, `Off`, `RelevantOnly`. See [SecUploadKeepFiles](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secuploadkeepfiles)
| MODSEC_UPLOAD_KEEP_FILES | Configures whether or not the intercepted files will be kept after transaction is processed. (Default: `RelevantOnly` on Apache, `Off` on nginx) Accepted values: `On`, `Off`, `RelevantOnly` (only modsec2). See [SecUploadKeepFiles](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secuploadkeepfiles) and [libmodsecurity3](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v3.x%29#secuploadkeepfiles)

### CRS specific
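Review bot: The updated `MODSEC_UPLOAD_KEEP_FILES` row is missing its closing `|`, unlike the rows above it, and "`Off` on nginx" leaves out OpenResty, whose Dockerfile in this change also sets `Off`. Close the table cell, name OpenResty in the default, and reword "(only modsec2)" so it is clear that the qualifier applies to `RelevantOnly` and not to all three accepted values.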

2 changes: 1 addition & 1 deletion apache/Dockerfile
Expand Up @@ -87,7 +87,7 @@ ENV \
MODSEC_AUDIT_LOG_RELEVANT_STATUS="^(?:5|4(?!04))" \
MODSEC_AUDIT_LOG_TYPE=Serial \
MODSEC_COOKIE_FORMAT=0 \
MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \
MODSEC_AUDIT_STORAGE_DIR=/var/log/modsecurity/audit/ \
MODSEC_DATA_DIR=/tmp/modsecurity/data \
MODSEC_DEBUG_LOG=/dev/null \
MODSEC_DEBUG_LOGLEVEL=0 \
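Review bot: `MODSEC_AUDIT_STORAGE` is dropped from the `ENV` block outright, with no fallback for deployments that still pass the old name. Consider having the entrypoint map a set `MODSEC_AUDIT_STORAGE` onto `MODSEC_AUDIT_STORAGE_DIR` with a deprecation warning for one release, or at least log when the old variable is present, so that concurrent audit entries do not quietly go to the default `/var/log/modsecurity/audit/` instead of the directory the operator chose. The same applies to the identical rename in the other Dockerfiles in this change.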
2 changes: 1 addition & 1 deletion apache/Dockerfile-alpine
Expand Up @@ -97,7 +97,7 @@ ENV \
MODSEC_AUDIT_LOG_RELEVANT_STATUS="^(?:5|4(?!04))" \
MODSEC_AUDIT_LOG_TYPE=Serial \
MODSEC_COOKIE_FORMAT=0 \
MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \
MODSEC_AUDIT_STORAGE_DIR=/var/log/modsecurity/audit/ \
MODSEC_DATA_DIR=/tmp/modsecurity/data \
MODSEC_DEBUG_LOG=/dev/null \
MODSEC_DEBUG_LOGLEVEL=0 \
6 changes: 3 additions & 3 deletions docker-bake.hcl
Expand Up @@ -11,12 +11,12 @@ variable "modsec2-version" {

variable "crs-version" {
# renovate: depName=coreruleset/coreruleset datasource=github-releases
default = "4.1.0"
default = "4.2.0"
}

variable "nginx-version" {
# renovate: depName=nginxinc/nginx-unprivileged datasource=docker
default = "1.25.3"
default = "1.26.0"
}

variable "httpd-version" {
Expand Down Expand Up @@ -179,7 +179,7 @@ target "openresty-alpine-fat" {
dockerfile="openresty/Dockerfile-alpine"
args = {
OPENRESTY_VERSION = "${openresty-version}"
NGINX_VERSION = "${nginx-version}"
NGINX_VERSION = patch(openresty-version)
LUA_MODULES = join(" ", lua-modules-luarocks)
}
tags = concat(tag("openresty-alpine-fat"),
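Review bot: `NGINX_VERSION = patch(openresty-version)` relies on a `patch` function whose definition is not part of this hunk, and the name reads as if it returned the patch component, not the bundled nginx version. If it strips the fourth component (OpenResty `1.25.3.1` to nginx `1.25.3`, which is what `bundle/nginx-${NGINX_VERSION}` in openresty/Dockerfile-alpine needs), a more descriptive name and a one-line comment here would make that clear, and the function should be checked against an `openresty-version` that does not have four components.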
5 changes: 3 additions & 2 deletions nginx/Dockerfile
Expand Up @@ -131,12 +131,13 @@ ENV \
MODSEC_AUDIT_LOG_RELEVANT_STATUS="^(?:5|4(?!04))" \
MODSEC_AUDIT_LOG_TYPE=Serial \
MODSEC_COOKIE_FORMAT=0 \
MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \
MODSEC_AUDIT_STORAGE_DIR=/var/log/modsecurity/audit/ \
MODSEC_DATA_DIR=/tmp/modsecurity/data \
MODSEC_DEBUG_LOG=/dev/null \
MODSEC_DEBUG_LOGLEVEL=0 \
MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \
MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \
MODSEC_DISABLE_BACKEND_COMPRESSION="Off" \
MODSEC_PCRE_MATCH_LIMIT=100000 \
MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 \
MODSEC_REQ_BODY_ACCESS=on \
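Review bot: The added `MODSEC_DISABLE_BACKEND_COMPRESSION="Off"` is quoted and capitalised, while the neighbouring switch in this block is unquoted and lowercase (`MODSEC_REQ_BODY_ACCESS=on`). Pick one form for on/off values, and confirm the variable is documented for the nginx images, since none of the README hunks in this change add it.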
Expand All @@ -156,7 +157,7 @@ ENV \
MODSEC_UNICODE_MAPPING=20127 \
MODSEC_UPLOAD_DIR=/tmp/modsecurity/upload \
MODSEC_UPLOAD_FILE_MODE=0600 \
MODSEC_UPLOAD_KEEP_FILES=RelevantOnly \
MODSEC_UPLOAD_KEEP_FILES=Off \
NGINX_ALWAYS_TLS_REDIRECT=off \
NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx \
PORT=8080 \
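Review bot: Changing `MODSEC_UPLOAD_KEEP_FILES` from `RelevantOnly` to `Off` means intercepted uploads in `MODSEC_UPLOAD_DIR` are no longer retained for any transaction, which removes evidence an analyst may rely on when triaging a flagged upload. The README now marks `RelevantOnly` as "only modsec2", so the new default is understandable, but the behaviour change deserves a line in the release notes, and a user who still passes `RelevantOnly` to an nginx image should get a clear startup warning instead of discovering the mismatch later.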
5 changes: 3 additions & 2 deletions nginx/Dockerfile-alpine
Expand Up @@ -125,12 +125,13 @@ ENV \
MODSEC_AUDIT_LOG_RELEVANT_STATUS="^(?:5|4(?!04))" \
MODSEC_AUDIT_LOG_TYPE=Serial \
MODSEC_COOKIE_FORMAT=0 \
MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \
MODSEC_AUDIT_STORAGE_DIR=/var/log/modsecurity/audit/ \
MODSEC_DATA_DIR=/tmp/modsecurity/data \
MODSEC_DEBUG_LOG=/dev/null \
MODSEC_DEBUG_LOGLEVEL=0 \
MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \
MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \
MODSEC_DISABLE_BACKEND_COMPRESSION="Off" \
MODSEC_PCRE_MATCH_LIMIT=100000 \
MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 \
MODSEC_REQ_BODY_ACCESS=on \
Expand All @@ -150,7 +151,7 @@ ENV \
MODSEC_UNICODE_MAPPING=20127 \
MODSEC_UPLOAD_DIR=/tmp/modsecurity/upload \
MODSEC_UPLOAD_FILE_MODE=0600 \
MODSEC_UPLOAD_KEEP_FILES=RelevantOnly \
MODSEC_UPLOAD_KEEP_FILES=Off \
NGINX_ALWAYS_TLS_REDIRECT=off \
NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx \
PORT=8080 \
7 changes: 4 additions & 3 deletions openresty/Dockerfile-alpine
Expand Up @@ -63,7 +63,7 @@ RUN set -eux; \
RUN set -eux; \
git clone -b master --depth 1 https://github.com/owasp-modsecurity/ModSecurity-nginx.git; \
curl -sSL https://openresty.org/download/openresty-"${OPENRESTY_VERSION}".tar.gz | tar -xzf -; \
cd ./openresty-"${OPENRESTY_VERSION}"/bundle/nginx-${NGINX_VERSION}; \
cd "./openresty-${OPENRESTY_VERSION}/bundle/nginx-${NGINX_VERSION}"; \
export LUAJIT_LIB="/usr/local/openresty/luajit/lib"; \
export LUAJIT_INC="/usr/local/openresty/luajit/include/luajit-2.1"; \
COMPILEOPTIONS=$(openresty -V 2>&1| grep -i "arguments"|cut -d ":" -f2-); \
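Review bot: The two fetches just above the requoted `cd` line are unpinned and unverified: `git clone -b master --depth 1` builds whatever ModSecurity-nginx master contains at build time, and `curl -sSL ... | tar -xzf -` unpacks the OpenResty tarball without a checksum or signature check. Pin the connector to a tag or commit, verify the tarball against a known SHA-256 before extracting, and add `-f` to curl so an HTTP error fails the build at the download step. The quoting change on the `cd` line itself looks fine.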
Expand Down Expand Up @@ -135,12 +135,13 @@ ENV \
MODSEC_AUDIT_LOG_RELEVANT_STATUS="^(?:5|4(?!04))" \
MODSEC_AUDIT_LOG_TYPE=Serial \
MODSEC_COOKIE_FORMAT=0 \
MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \
MODSEC_AUDIT_STORAGE_DIR=/var/log/modsecurity/audit/ \
MODSEC_DATA_DIR=/tmp/modsecurity/data \
MODSEC_DEBUG_LOG=/dev/null \
MODSEC_DEBUG_LOGLEVEL=0 \
MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \
MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \
MODSEC_DISABLE_BACKEND_COMPRESSION="Off" \
MODSEC_PCRE_MATCH_LIMIT=100000 \
MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 \
MODSEC_REQ_BODY_ACCESS=on \
Expand All @@ -160,7 +161,7 @@ ENV \
MODSEC_UNICODE_MAPPING=20127 \
MODSEC_UPLOAD_DIR=/tmp/modsecurity/upload \
MODSEC_UPLOAD_FILE_MODE=0600 \
MODSEC_UPLOAD_KEEP_FILES=RelevantOnly \
MODSEC_UPLOAD_KEEP_FILES=Off \
NGINX_ALWAYS_TLS_REDIRECT=off \
NGINX_ENVSUBST_OUTPUT_DIR=/usr/local/openresty/nginx/conf \
PORT=80 \
12 changes: 12 additions & 0 deletions renovate.json
Expand Up @@ -94,6 +94,18 @@
],
"depNameTemplate": "coreruleset/coreruleset",
"datasourceTemplate": "github-releases"
},
{
"description": "Docs: OpenResty",
"customType": "regex",
"fileMatch": [
"^README\\.md$"
],
"matchStrings": [
"OpenResty (?<currentValue>\\d+\\.\\d+\\.\\d+(\\.\\d+)?)"
],
"depNameTemplate": "openresty/openresty",
"datasourceTemplate": "docker"
}
]
}
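Review bot: The new "Docs: OpenResty" manager captures up to four numeric components in `currentValue` but sets no `versioningTemplate`, and it uses the `docker` datasource for `openresty/openresty`; confirm that the tags this datasource returns compare correctly against a bare value such as `1.25.3.1`, otherwise Renovate will not propose updates for the README. The match is also case-sensitive on `OpenResty `, so it depends on the exact spelling in the OS Variants bullet, and the inner `(\\.\\d+)?` can be a non-capturing group.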