From dcaf2b9152980c56f120b1804a00ff8ea6aa0b32 Mon Sep 17 00:00:00 2001 From: Felipe Zipitria Date: Thu, 12 Dec 2024 14:07:37 -0300 Subject: [PATCH 01/10] chore: build more_headers module Signed-off-by: Felipe Zipitria --- nginx/Dockerfile | 10 ++++++---- nginx/Dockerfile-alpine | 12 ++++++++---- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/nginx/Dockerfile b/nginx/Dockerfile index 3b4c493..fb2a9af 100644 --- a/nginx/Dockerfile +++ b/nginx/Dockerfile @@ -54,16 +54,17 @@ RUN set -eux; \ make install; \ strip /usr/local/modsecurity/lib/lib*.so* -# We use master +# Build modules RUN set -eux; \ git clone -b master --depth 1 https://github.com/owasp-modsecurity/ModSecurity-nginx.git; \ + git clone -b master --depth 1 https://github.com/openresty/headers-more-nginx-module.git; \ curl -sSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx-${NGINX_VERSION}.tar.gz; \ tar -xzf nginx-${NGINX_VERSION}.tar.gz; \ cd ./nginx-${NGINX_VERSION}; \ - ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx; \ + ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx --add-module=../headers-more-nginx-module; \ make modules; \ - strip objs/ngx_http_modsecurity_module.so; \ - cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules/; \ + strip objs/ngx_http_modsecurity_module.so objs/ngx_http_headers_more_filter_module.so; \ + cp objs/ngx_http_modsecurity_module.so objs/ngx_http_headers_more_filter_module.so /etc/nginx/modules/; \ mkdir /etc/modsecurity.d; \ curl -sSL https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/unicode.mapping \ -o /etc/modsecurity.d/unicode.mapping 
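Review bot: The added `git clone -b master --depth 1 https://github.com/openresty/headers-more-nginx-module.git` fetches whatever the upstream branch holds at build time, so the module code inside a given image tag is not reproducible and a force-pushed or compromised branch is compiled in without review; the existing ModSecurity-nginx clone on the line above has the same weakness, and this hunk doubles it. Pin to a release, e.g. `git clone -b "<PINNED_TAG>" --depth 1 https://github.com/openresty/headers-more-nginx-module.git; \` with the tag supplied as an ARG the way MODSEC3_VERSION is, and consider checking the tarball fetched by `curl -sSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o …` against the detached signature nginx.org publishes next to it, since nothing verifies the download before `./configure` builds from it. The same lines appear in the nginx/Dockerfile-alpine hunk of this commit, and patches 06 and 10 carry the unpinned `-b master` into the `for module in ${NGINX_DYNAMIC_MODULES}` loop, where a per-entry ref would be the natural replacement.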
@@ -198,6 +199,7 @@ ENV \ COPY --from=build /usr/local/modsecurity/lib/libmodsecurity.so.${MODSEC3_VERSION} /usr/local/modsecurity/lib/ COPY --from=build /etc/nginx/modules/ngx_http_modsecurity_module.so /etc/nginx/modules/ngx_http_modsecurity_module.so +COPY --from=build /etc/nginx/modules/ngx_http_headers_more_filter_module.so /etc/nginx/modules/ngx_http_headers_more_filter_module.so COPY --from=build /usr/local/lib/liblmdb.so /usr/local/lib/ COPY --from=build /usr/share/TLS/dhparam-* /etc/ssl/certs/ COPY --from=build /etc/modsecurity.d/unicode.mapping /etc/modsecurity.d/unicode.mapping diff --git a/nginx/Dockerfile-alpine b/nginx/Dockerfile-alpine index 069eded..2c8f372 100644 --- a/nginx/Dockerfile-alpine +++ b/nginx/Dockerfile-alpine @@ -51,14 +51,17 @@ RUN set -eux; \ make install; \ strip /usr/local/modsecurity/lib/lib*.so* -# We use master + # Build modules RUN set -eux; \ git clone -b master --depth 1 https://github.com/owasp-modsecurity/ModSecurity-nginx.git; \ - curl -sSL http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz | tar -xzf -; \ + git clone -b master --depth 1 https://github.com/openresty/headers-more-nginx-module.git; \ + curl -sSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx-${NGINX_VERSION}.tar.gz; \ + tar -xzf nginx-${NGINX_VERSION}.tar.gz; \ cd ./nginx-${NGINX_VERSION}; \ - ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx; \ + ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx --add-module=../headers-more-nginx-module; \ make modules; \ - cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules/; \ + strip objs/ngx_http_modsecurity_module.so objs/ngx_http_headers_more_filter_module.so; \ + cp objs/ngx_http_modsecurity_module.so objs/ngx_http_headers_more_filter_module.so /etc/nginx/modules/; \ mkdir /etc/modsecurity.d; \ curl -sSL https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/unicode.mapping \ -o /etc/modsecurity.d/unicode.mapping 
@@ -192,6 +195,7 @@ ENV \ COPY --from=build /usr/local/modsecurity/lib/libmodsecurity.so.${MODSEC3_VERSION} /usr/local/modsecurity/lib/ COPY --from=build /etc/nginx/modules/ngx_http_modsecurity_module.so /etc/nginx/modules/ngx_http_modsecurity_module.so +COPY --from=build /etc/nginx/modules/ngx_http_headers_more_filter_module.so /etc/nginx/modules/ngx_http_headers_more_filter_module.so COPY --from=build /usr/share/TLS/dhparam-* /etc/ssl/certs/ COPY --from=build /etc/modsecurity.d/unicode.mapping /etc/modsecurity.d/unicode.mapping COPY --from=crs_release /opt/owasp-crs /opt/owasp-crs From 058488ef77a353e780525692ccb43e5a85b9ca77 Mon Sep 17 00:00:00 2001 From: Felipe Zipitria Date: Thu, 12 Dec 2024 14:09:18 -0300 Subject: [PATCH 02/10] fix: insert cors back Signed-off-by: Felipe Zipitria --- README.md | 10 ++++------ nginx/templates/conf.d/default.conf.template | 3 +-- nginx/templates/nginx.conf.template | 3 +-- 3 files changed, 6 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 7f7730e..4f41a14 100644 --- a/README.md +++ b/README.md 
@@ -202,14 +202,12 @@ These variables are common to image variants and will set defaults based on the ### Nginx ENV Variables - - - | Name | Description| | -------- | ------------------------------------------------------------------- | +| CORS_HEADER_403_ALLOW_ORIGIN | The value of the [Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin) header for `403` responses. Determines which origins can access the response. (Default: `"*"`). | +| CORS_HEADER_403_ALLOW_METHODS | The value of the [Access-Control-Request-Method](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method) header for `403` responses. Determines the allowed request methods for the resource. Default: `"GET, POST, PUT, DELETE, OPTIONS"` | +| CORS_HEADER_403_CONTENT_TYPE | The value of the `Content-Type` header for `403` responses. Default: (`"text/plain"`) | +| CORS_HEADER_403_MAX_AGE | The value of the [Access-Control-Max-Age](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age) header for `403` responses. The number of seconds that preflight requests for this resource may be cached by the browser. (Default: `3600`) | | DNS_SERVER | A string indicating the name servers used to resolve names of upstream servers into addresses. For localhost backend this value should not be defined (Default: _not defined_) | | KEEPALIVE_TIMEOUT | Number of seconds for a keep-alive client connection to stay open on the server side (Default: `60s`) | | NGINX_ALWAYS_TLS_REDIRECT | A string value indicating if http should redirect to https (Allowed values: `on`, `off`. Default: `off`) | diff --git a/nginx/templates/conf.d/default.conf.template b/nginx/templates/conf.d/default.conf.template index 0ca4d73..976f262 100644 --- a/nginx/templates/conf.d/default.conf.template +++ b/nginx/templates/conf.d/default.conf.template 
@@ -62,8 +62,7 @@ server { location / { client_max_body_size 0; - # temporarily disabled, since the upstream image doesn't include the required module - # include includes/cors.conf; + include includes/cors.conf; include includes/proxy_backend.conf; index index.html index.htm; diff --git a/nginx/templates/nginx.conf.template b/nginx/templates/nginx.conf.template index 6392a38..53f0c27 100644 --- a/nginx/templates/nginx.conf.template +++ b/nginx/templates/nginx.conf.template @@ -1,7 +1,6 @@ load_module modules/ngx_http_modsecurity_module.so; # allows to add cors headers when replying with 403 -# temporarily disabled, since the upstream image doesn't include the module -# load_module modules/ngx_http_headers_more_filter_module.so; +load_module modules/ngx_http_headers_more_filter_module.so; worker_processes auto; pid /tmp/nginx.pid; From 96e82f3957ce45a8a2a71c1ea83cd1dd4284074d Mon Sep 17 00:00:00 2001 From: Felipe Zipitria Date: Thu, 12 Dec 2024 16:27:06 -0300 Subject: [PATCH 03/10] fix: use dynamic module instead Signed-off-by: Felipe Zipitria --- nginx/Dockerfile | 2 +- nginx/Dockerfile-alpine | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nginx/Dockerfile b/nginx/Dockerfile index fb2a9af..bed950a 100644 --- a/nginx/Dockerfile +++ b/nginx/Dockerfile @@ -61,7 +61,7 @@ RUN set -eux; \ curl -sSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx-${NGINX_VERSION}.tar.gz; \ tar -xzf nginx-${NGINX_VERSION}.tar.gz; \ cd ./nginx-${NGINX_VERSION}; \ - ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx --add-module=../headers-more-nginx-module; \ + ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx --add-dynamic-module=../headers-more-nginx-module; \ make modules; \ strip objs/ngx_http_modsecurity_module.so objs/ngx_http_headers_more_filter_module.so; \ cp objs/ngx_http_modsecurity_module.so objs/ngx_http_headers_more_filter_module.so /etc/nginx/modules/; \ 
diff --git a/nginx/Dockerfile-alpine b/nginx/Dockerfile-alpine
index 2c8f372..08a82af 100644
--- a/nginx/Dockerfile-alpine
+++ b/nginx/Dockerfile-alpine
@@ -58,7 +58,7 @@ RUN set -eux; \
 curl -sSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx-${NGINX_VERSION}.tar.gz; \
 tar -xzf nginx-${NGINX_VERSION}.tar.gz; \
 cd ./nginx-${NGINX_VERSION}; \
- ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx --add-module=../headers-more-nginx-module; \
+ ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx --add-dynamic-module=../headers-more-nginx-module; \
 make modules; \
 strip objs/ngx_http_modsecurity_module.so objs/ngx_http_headers_more_filter_module.so; \
 cp objs/ngx_http_modsecurity_module.so objs/ngx_http_headers_more_filter_module.so /etc/nginx/modules/; \
From 7ceca3ddc6bde46e2ce5e796e146dcf7c259ea6c Mon Sep 17 00:00:00 2001
From: Felipe Zipitria
Date: Fri, 13 Dec 2024 12:56:58 -0300
Subject: [PATCH 04/10] fix: update more_set_headers syntax
Signed-off-by: Felipe Zipitria
---
 nginx/templates/includes/cors.conf.template | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/nginx/templates/includes/cors.conf.template b/nginx/templates/includes/cors.conf.template
index 1cce89e..c03d36d 100644
--- a/nginx/templates/includes/cors.conf.template
+++ b/nginx/templates/includes/cors.conf.template
@@ -1,5 +1,5 @@
-more_set_headers -s 403 'Content-Type' '${CORS_HEADER_403_CONTENT_TYPE}';
-more_set_headers -s 403 'Access-Control-Allow-Origin' '${CORS_HEADER_403_ALLOW_ORIGIN}';
-more_set_headers -s 403 'Access-Control-Max-Age' '${CORS_HEADER_403_MAX_AGE}';
-more_set_headers -s 403 'Access-Control-Allow-Methods' '${CORS_HEADER_403_ALLOW_METHODS}';
-more_set_headers 'Access-Control-Allow-Headers' '${CORS_HEADER_ACCESS_CONTROL_ALLOW_HEADERS}';
+more_set_headers -s 403 'Content-Type: ${CORS_HEADER_403_CONTENT_TYPE}';
+more_set_headers -s 403 'Access-Control-Allow-Origin: ${CORS_HEADER_403_ALLOW_ORIGIN}';
+more_set_headers -s 403 'Access-Control-Max-Age: ${CORS_HEADER_403_MAX_AGE}';
+more_set_headers -s 403 'Access-Control-Allow-Methods: ${CORS_HEADER_403_ALLOW_METHODS}';
+more_set_headers 'Access-Control-Allow-Headers: ${CORS_HEADER_ACCESS_CONTROL_ALLOW_HEADERS}';
From 0fd52be9d21c320b7a8d8cd33a0bb7e974eb4cbd Mon Sep 17 00:00:00 2001
From: Felipe Zipitria
Date: Fri, 13 Dec 2024 13:34:26 -0300
Subject: [PATCH 05/10] fix: add headers to http + tests
Signed-off-by: Felipe Zipitria
---
 .github/workflows/verifyimage.yml | 8 ++++++++
 nginx/templates/conf.d/default.conf.template | 1 +
 2 files changed, 9 insertions(+)
diff --git a/.github/workflows/verifyimage.yml b/.github/workflows/verifyimage.yml
index 7906d1b..3174b9f 100644
--- a/.github/workflows/verifyimage.yml
+++ b/.github/workflows/verifyimage.yml
@@ -78,3 +78,11 @@ jobs:
 - name: Verify ${{ matrix.target }}
 run: |
 [ $(docker inspect ${{ matrix.target }}-test --format='{{.State.Running}}') = 'true' ]
+ if "${{ matrix.target }}" == "nginx" ; then
+ curl -q -D headers.txt http://localhost:8080/?test=../../etc/passwd
+ grep -q "HTTP/1.1 403 Forbidden" headers.txt
+ grep -q "Access-Control-Allow-Origin: *" headers.txt
+ grep -q "Access-Control-Max-Age: 3600" headers.txt
+ grep -q "Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS" headers.txt
+ grep -q "Access-Control-Allow-Headers: *" headers.txt
+ fi
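Review bot: The last line, `more_set_headers 'Access-Control-Allow-Headers: ${CORS_HEADER_ACCESS_CONTROL_ALLOW_HEADERS}';`, is the only one without `-s 403`, so it applies to every response passing through the locations that include this file, and because `more_set_headers` replaces a header the upstream already set, a backend's own `Access-Control-Allow-Headers` is overwritten on every proxied response rather than only on WAF blocks. If that is intended, say so in a comment above the line; otherwise make it `more_set_headers -s 403 'Access-Control-Allow-Headers: ${CORS_HEADER_ACCESS_CONTROL_ALLOW_HEADERS}';` like its four siblings. The README table added in patch 02 documents the four `CORS_HEADER_403_*` variables but not `CORS_HEADER_ACCESS_CONTROL_ALLOW_HEADERS` or its default, and its row for `CORS_HEADER_403_ALLOW_METHODS` links the request header Access-Control-Request-Method although this file emits the value as `Access-Control-Allow-Methods`.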
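Review bot: The guard `if "${{ matrix.target }}" == "nginx" ; then` is not a string comparison: bash executes the expanded target name as a command with `==` and `nginx` as its arguments, the command is not found, the condition is false, and the curl/grep checks below are silently skipped for every matrix entry; patch 06 rewrites it as `grep -q "nginx <<< …"`, which places the here-string inside the pattern so grep reads standard input, and patch 07's `grep -q "nginx "<<< "…"` searches for `nginx` followed by a space, which neither `nginx` nor `nginx-alpine` contains (assuming the matrix uses the bake target names visible in docker-bake.hcl). Use a shell test instead: `if [[ "${{ matrix.target }}" == nginx* ]]; then`. Independently, `grep -q "Access-Control-Allow-Origin: *" headers.txt` and the `Allow-Headers` line use a basic regex in which ` *` means zero or more spaces, so they accept any origin value rather than the literal `*`; use `grep -qF -- "Access-Control-Allow-Origin: *" headers.txt` and likewise for the `Allow-Headers` check. `curl -q -D headers.txt …` also writes the response body to the job log; `curl -sS -o /dev/null -D headers.txt …` keeps the step output to the headers being asserted on.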
diff --git a/nginx/templates/conf.d/default.conf.template b/nginx/templates/conf.d/default.conf.template index 976f262..7f25d71 100644 --- a/nginx/templates/conf.d/default.conf.template +++ b/nginx/templates/conf.d/default.conf.template @@ -23,6 +23,7 @@ server { return 301 https://$host$request_uri; } + include includes/cors.conf; include includes/proxy_backend.conf; index index.html index.htm; From a7d160acf40e7d5e89f0d48b9b5e1be4cdc8617b Mon Sep 17 00:00:00 2001 From: Felipe Zipitria Date: Sun, 29 Dec 2024 16:46:05 -0300 Subject: [PATCH 06/10] feat: add nginx modules as parameter Signed-off-by: Felipe Zipitria --- .github/workflows/verifyimage.yml | 2 +- docker-bake.hcl | 8 ++++++++ nginx/Dockerfile | 18 +++++++++++------- nginx/Dockerfile-alpine | 17 ++++++++++------- 4 files changed, 30 insertions(+), 15 deletions(-) diff --git a/.github/workflows/verifyimage.yml b/.github/workflows/verifyimage.yml index 3174b9f..7467a4e 100644 --- a/.github/workflows/verifyimage.yml +++ b/.github/workflows/verifyimage.yml @@ -78,7 +78,7 @@ jobs: - name: Verify ${{ matrix.target }} run: | [ $(docker inspect ${{ matrix.target }}-test --format='{{.State.Running}}') = 'true' ] - if "${{ matrix.target }}" == "nginx" ; then + if grep -q "nginx <<< ${{ matrix.target }}" ; then curl -q -D headers.txt http://localhost:8080/?test=../../etc/passwd grep -q "HTTP/1.1 403 Forbidden" headers.txt grep -q "Access-Control-Allow-Origin: *" headers.txt diff --git a/docker-bake.hcl b/docker-bake.hcl index 9553a67..a5d636e 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -55,6 +55,14 @@ variable "REPOS" { ] } +variable "nginx-dynamic-modules" { + # List of dynamic modules to include in the nginx build + default = [ + "owasp-modsecurity/ModSecurity-nginx", + "openresty/headers-more-nginx-module" + ] +} + function "major" { params = [version] result = split(".", version)[0] diff --git a/nginx/Dockerfile b/nginx/Dockerfile index bed950a..ced432a 100644 --- a/nginx/Dockerfile 
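Review bot: The `nginx-dynamic-modules` list reads as a free-form knob, but the rest of the series depends on its exact contents: nginx.conf.template (patch 02) does `load_module modules/ngx_http_headers_more_filter_module.so;` and includes/cors.conf only works with that module loaded, so a user who trims the list to its first entry gets an image whose nginx refuses to start. Record the constraint on the variable, e.g. extend the comment to `# List of dynamic modules to include in the nginx build. ModSecurity-nginx and headers-more are required: nginx.conf.template loads both .so files by name.` Entries are consumed as `owner/repo` GitHub paths by the clone loop this commit adds to nginx/Dockerfile, which is worth stating here too since the variable is the only place a user edits.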
+++ b/nginx/Dockerfile @@ -5,6 +5,7 @@ FROM nginxinc/nginx-unprivileged:${NGINX_VERSION} AS build ARG MODSEC3_VERSION="n/a" ARG LMDB_VERSION="n/a" ARG LUA_VERSION="n/a" +ARG NGINX_DYNAMIC_MODULES="n/a" USER root @@ -56,15 +57,19 @@ RUN set -eux; \ # Build modules RUN set -eux; \ - git clone -b master --depth 1 https://github.com/owasp-modsecurity/ModSecurity-nginx.git; \ - git clone -b master --depth 1 https://github.com/openresty/headers-more-nginx-module.git; \ + for module in ${NGINX_DYNAMIC_MODULES}; \ + do; \ + repo=$(awk -F'/' '{print $2}' <<< $module); \ + git clone -b master --depth 1 https://github.com/${module}.git; \ + modules=+("--add-dynamic-module=../${repo}"); \ + done; \ curl -sSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx-${NGINX_VERSION}.tar.gz; \ tar -xzf nginx-${NGINX_VERSION}.tar.gz; \ cd ./nginx-${NGINX_VERSION}; \ - ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx --add-dynamic-module=../headers-more-nginx-module; \ + ./configure --with-compat ${modules[@]} ;\ make modules; \ - strip objs/ngx_http_modsecurity_module.so objs/ngx_http_headers_more_filter_module.so; \ - cp objs/ngx_http_modsecurity_module.so objs/ngx_http_headers_more_filter_module.so /etc/nginx/modules/; \ + strip objs/*.so; \ + cp objs/*.so /etc/nginx/modules/; \ mkdir /etc/modsecurity.d; \ curl -sSL https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/unicode.mapping \ -o /etc/modsecurity.d/unicode.mapping 
@@ -198,8 +203,7 @@ ENV \ BLOCKING_PARANOIA=1 COPY --from=build /usr/local/modsecurity/lib/libmodsecurity.so.${MODSEC3_VERSION} /usr/local/modsecurity/lib/ -COPY --from=build /etc/nginx/modules/ngx_http_modsecurity_module.so /etc/nginx/modules/ngx_http_modsecurity_module.so -COPY --from=build /etc/nginx/modules/ngx_http_headers_more_filter_module.so /etc/nginx/modules/ngx_http_headers_more_filter_module.so +COPY --from=build /etc/nginx/modules/*.so /etc/nginx/modules/ COPY --from=build /usr/local/lib/liblmdb.so /usr/local/lib/ COPY --from=build /usr/share/TLS/dhparam-* /etc/ssl/certs/ COPY --from=build /etc/modsecurity.d/unicode.mapping /etc/modsecurity.d/unicode.mapping diff --git a/nginx/Dockerfile-alpine b/nginx/Dockerfile-alpine index 08a82af..2a2fc34 100644 --- a/nginx/Dockerfile-alpine +++ b/nginx/Dockerfile-alpine 
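Review bot: `COPY --from=build /etc/nginx/modules/*.so /etc/nginx/modules/` replaces an explicit file list with a glob over a directory the build stage inherits from its base image; if that base already ships prebuilt modules there, the glob copies them as well, so the image no longer records which modules this build actually produced and a misnamed or missing module is no longer caught at COPY time. Have the build stage put its own output in a dedicated directory and copy from there: in the `# Build modules` RUN of the previous hunk use `mkdir -p /usr/local/nginx-modules; cp objs/*.so /usr/local/nginx-modules/; \` in place of `cp objs/*.so /etc/nginx/modules/; \`, and here `COPY --from=build /usr/local/nginx-modules/*.so /etc/nginx/modules/`. The two corresponding hunks in nginx/Dockerfile-alpine need the same change.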
@@ -53,15 +53,19 @@ RUN set -eux; \ # Build modules RUN set -eux; \ - git clone -b master --depth 1 https://github.com/owasp-modsecurity/ModSecurity-nginx.git; \ - git clone -b master --depth 1 https://github.com/openresty/headers-more-nginx-module.git; \ + for module in ${NGINX_DYNAMIC_MODULES}; \ + do; \ + repo=$(awk -F'/' '{print $2}' <<< $module); \ + git clone -b master --depth 1 https://github.com/${module}.git; \ + modules=+("--add-dynamic-module=../${repo}"); \ + done; \ curl -sSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx-${NGINX_VERSION}.tar.gz; \ tar -xzf nginx-${NGINX_VERSION}.tar.gz; \ cd ./nginx-${NGINX_VERSION}; \ - ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx --add-dynamic-module=../headers-more-nginx-module; \ + ./configure --with-compat ${modules[@]} ;\ make modules; \ - strip objs/ngx_http_modsecurity_module.so objs/ngx_http_headers_more_filter_module.so; \ - cp objs/ngx_http_modsecurity_module.so objs/ngx_http_headers_more_filter_module.so /etc/nginx/modules/; \ + strip objs/*.so; \ + cp objs/*.so /etc/nginx/modules/; \ mkdir /etc/modsecurity.d; \ curl -sSL https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/unicode.mapping \ -o /etc/modsecurity.d/unicode.mapping @@ -194,8 +198,7 @@ ENV \ BLOCKING_PARANOIA=1 COPY --from=build /usr/local/modsecurity/lib/libmodsecurity.so.${MODSEC3_VERSION} /usr/local/modsecurity/lib/ -COPY --from=build /etc/nginx/modules/ngx_http_modsecurity_module.so /etc/nginx/modules/ngx_http_modsecurity_module.so -COPY --from=build /etc/nginx/modules/ngx_http_headers_more_filter_module.so /etc/nginx/modules/ngx_http_headers_more_filter_module.so +COPY --from=build /etc/nginx/modules/*.so /etc/nginx/modules/ COPY --from=build /usr/share/TLS/dhparam-* /etc/ssl/certs/ COPY --from=build /etc/modsecurity.d/unicode.mapping /etc/modsecurity.d/unicode.mapping COPY --from=crs_release /opt/owasp-crs /opt/owasp-crs 
From 369b124d2ec91141801c21a6291add43c047074b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felipe=20Zipitr=C3=ADa?= <3012076+fzipi@users.noreply.github.com> Date: Mon, 30 Dec 2024 05:57:20 -0300 Subject: [PATCH 07/10] Apply suggestions from code review Co-authored-by: Max Leske <250711+theseion@users.noreply.github.com> --- .github/workflows/verifyimage.yml | 2 +- nginx/Dockerfile | 7 ++++--- nginx/Dockerfile-alpine | 7 ++++--- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/.github/workflows/verifyimage.yml b/.github/workflows/verifyimage.yml index 7467a4e..9de7b95 100644 --- a/.github/workflows/verifyimage.yml +++ b/.github/workflows/verifyimage.yml @@ -78,7 +78,7 @@ jobs: - name: Verify ${{ matrix.target }} run: | [ $(docker inspect ${{ matrix.target }}-test --format='{{.State.Running}}') = 'true' ] - if grep -q "nginx <<< ${{ matrix.target }}" ; then + if grep -q "nginx "<<< "${{ matrix.target }}"; then curl -q -D headers.txt http://localhost:8080/?test=../../etc/passwd grep -q "HTTP/1.1 403 Forbidden" headers.txt grep -q "Access-Control-Allow-Origin: *" headers.txt diff --git a/nginx/Dockerfile b/nginx/Dockerfile index ced432a..98f146a 100644 --- a/nginx/Dockerfile +++ b/nginx/Dockerfile @@ -57,16 +57,17 @@ RUN set -eux; \ # Build modules RUN set -eux; \ + declare -a modules; \ for module in ${NGINX_DYNAMIC_MODULES}; \ do; \ - repo=$(awk -F'/' '{print $2}' <<< $module); \ + repo=$(awk -F'/' '{print $2}' <<< "${module}"); \ git clone -b master --depth 1 https://github.com/${module}.git; \ - modules=+("--add-dynamic-module=../${repo}"); \ + modules+=("--add-dynamic-module=../${repo}"); \ done; \ curl -sSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx-${NGINX_VERSION}.tar.gz; \ tar -xzf nginx-${NGINX_VERSION}.tar.gz; \ cd ./nginx-${NGINX_VERSION}; \ - ./configure --with-compat ${modules[@]} ;\ + ./configure --with-compat ${modules[@]}; \ make modules; \ strip objs/*.so; \ cp objs/*.so /etc/nginx/modules/; \ 
diff --git a/nginx/Dockerfile-alpine b/nginx/Dockerfile-alpine index 2a2fc34..3d7981c 100644 --- a/nginx/Dockerfile-alpine +++ b/nginx/Dockerfile-alpine @@ -53,16 +53,17 @@ RUN set -eux; \ # Build modules RUN set -eux; \ + declare -a modules; for module in ${NGINX_DYNAMIC_MODULES}; \ do; \ - repo=$(awk -F'/' '{print $2}' <<< $module); \ + repo=$(awk -F'/' '{print $2}' <<< "${module}"); \ git clone -b master --depth 1 https://github.com/${module}.git; \ - modules=+("--add-dynamic-module=../${repo}"); \ + modules+=("--add-dynamic-module=../${repo}"); \ done; \ curl -sSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx-${NGINX_VERSION}.tar.gz; \ tar -xzf nginx-${NGINX_VERSION}.tar.gz; \ cd ./nginx-${NGINX_VERSION}; \ - ./configure --with-compat ${modules[@]} ;\ + ./configure --with-compat ${modules[@]};\ make modules; \ strip objs/*.so; \ cp objs/*.so /etc/nginx/modules/; \ From 7d8dc680c86be85cbedfccc08e25bdcbab0bc9b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felipe=20Zipitr=C3=ADa?= <3012076+fzipi@users.noreply.github.com> Date: Mon, 30 Dec 2024 08:34:18 -0300 Subject: [PATCH 08/10] Apply suggestions from code review Co-authored-by: Max Leske <250711+theseion@users.noreply.github.com> --- nginx/Dockerfile-alpine | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/Dockerfile-alpine b/nginx/Dockerfile-alpine index 3d7981c..0437c8d 100644 --- a/nginx/Dockerfile-alpine +++ b/nginx/Dockerfile-alpine @@ -53,7 +53,7 @@ RUN set -eux; \ # Build modules RUN set -eux; \ - declare -a modules; + declare -a modules; \ for module in ${NGINX_DYNAMIC_MODULES}; \ do; \ repo=$(awk -F'/' '{print $2}' <<< "${module}"); \ From b93c6ff23bda3e6f378a29fc3385b69205410ce0 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Felipe=20Zipitr=C3=ADa?= <3012076+fzipi@users.noreply.github.com>
Date: Thu, 2 Jan 2025 08:03:12 -0300
Subject: [PATCH 09/10] Apply suggestions from code review
---
 nginx/Dockerfile | 2 +-
 nginx/Dockerfile-alpine | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index 98f146a..e963880 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -59,7 +59,7 @@ RUN set -eux; \
 RUN set -eux; \
 declare -a modules; \
 for module in ${NGINX_DYNAMIC_MODULES}; \
- do; \
+ do \
 repo=$(awk -F'/' '{print $2}' <<< "${module}"); \
 git clone -b master --depth 1 https://github.com/${module}.git; \
 modules+=("--add-dynamic-module=../${repo}"); \
diff --git a/nginx/Dockerfile-alpine b/nginx/Dockerfile-alpine
index 0437c8d..fa4ef27 100644
--- a/nginx/Dockerfile-alpine
+++ b/nginx/Dockerfile-alpine
@@ -55,7 +55,7 @@ RUN set -eux; \
 RUN set -eux; \
 declare -a modules; \
 for module in ${NGINX_DYNAMIC_MODULES}; \
- do; \
+ do \
 repo=$(awk -F'/' '{print $2}' <<< "${module}"); \
 git clone -b master --depth 1 https://github.com/${module}.git; \
 modules+=("--add-dynamic-module=../${repo}"); \
From fbf5a0b7b6fc6332e8b07536d4197bf08fa2b467 Mon Sep 17 00:00:00 2001
From: Felipe Zipitria
Date: Sat, 4 Jan 2025 10:30:16 -0300
Subject: [PATCH 10/10] fix: add nginx dynamic modules as variable
Signed-off-by: Felipe Zipitria
---
 docker-bake.hcl | 6 ++++--
 nginx/Dockerfile | 13 +++++++------
 nginx/Dockerfile-alpine | 11 ++++++-----
 3 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/docker-bake.hcl b/docker-bake.hcl
index a5d636e..e7c6cb5 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -147,8 +147,9 @@ target "nginx" { inherits = ["platforms-base"] dockerfile="nginx/Dockerfile" args = { - NGINX_VERSION = "${nginx-version}" LUA_MODULES = join(" ", lua-modules-debian) + NGINX_VERSION = "${nginx-version}" + NGINX_DYNAMIC_MODULES = join(" ", nginx-dynamic-modules) } tags = concat(tag("nginx"), vtag("${crs-version}", "nginx") @@ -159,8 +160,9 @@ target "nginx-alpine" { inherits = ["platforms-base"] dockerfile="nginx/Dockerfile-alpine" args = { - NGINX_VERSION = "${nginx-version}" LUA_MODULES = join(" ", lua-modules-alpine) + NGINX_DYNAMIC_MODULES = join(" ", nginx-dynamic-modules) + NGINX_VERSION = "${nginx-version}" } tags = concat(tag("nginx-alpine"), vtag("${crs-version}", "nginx-alpine") diff --git a/nginx/Dockerfile b/nginx/Dockerfile index e963880..ba662a6 100644 --- a/nginx/Dockerfile +++ b/nginx/Dockerfile @@ -44,6 +44,7 @@ RUN set -eux; \ make -C lmdb/libraries/liblmdb install; \ strip /usr/local/lib/liblmdb*.so* + RUN set -eux; \ git clone https://github.com/owasp-modsecurity/ModSecurity --branch "v${MODSEC3_VERSION}" --depth 1 --recursive; \ cd ModSecurity; \ 
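Review bot: Style: the `args` block of target "nginx" now reads LUA_MODULES, NGINX_VERSION, NGINX_DYNAMIC_MODULES while the "nginx-alpine" hunk just below orders it LUA_MODULES, NGINX_DYNAMIC_MODULES, NGINX_VERSION; since the commit already reorders both, pick one order (alphabetical, as the alpine block has it) so the two targets diff cleanly. The `join(" ", nginx-dynamic-modules)` value relies on the Dockerfiles' `for module in ${NGINX_DYNAMIC_MODULES}` word-splitting, which is fine as long as no list entry contains whitespace, a constraint the variable's comment could state.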
@@ -57,17 +58,17 @@ RUN set -eux; \ # Build modules RUN set -eux; \ - declare -a modules; \ + modules=""; \ for module in ${NGINX_DYNAMIC_MODULES}; \ do \ - repo=$(awk -F'/' '{print $2}' <<< "${module}"); \ - git clone -b master --depth 1 https://github.com/${module}.git; \ - modules+=("--add-dynamic-module=../${repo}"); \ + repo=$(echo "${module}" | awk -F'/' '{print $2}'); \ + git clone -b master --depth 1 "https://github.com/${module}.git" ; \ + modules="${modules} --add-dynamic-module=../${repo}"; \ done; \ - curl -sSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx-${NGINX_VERSION}.tar.gz; \ + curl -sSL "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" -o nginx-${NGINX_VERSION}.tar.gz; \ tar -xzf nginx-${NGINX_VERSION}.tar.gz; \ cd ./nginx-${NGINX_VERSION}; \ - ./configure --with-compat ${modules[@]}; \ + ./configure --with-compat ${modules}; \ make modules; \ strip objs/*.so; \ cp objs/*.so /etc/nginx/modules/; \ diff --git a/nginx/Dockerfile-alpine b/nginx/Dockerfile-alpine index fa4ef27..6779e59 100644 --- a/nginx/Dockerfile-alpine +++ b/nginx/Dockerfile-alpine @@ -4,6 +4,7 @@ FROM nginxinc/nginx-unprivileged:${NGINX_VERSION}-alpine AS build ARG MODSEC3_VERSION="n/a" ARG LUA_VERSION="n/a" +ARG NGINX_DYNAMIC_MODULES="n/a" USER root 
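Review bot: `repo=$(echo "${module}" | awk -F'/' '{print $2}'); \` forks two processes per entry for what POSIX parameter expansion does in-shell: `repo="${module#*/}"; \` yields the same `repo` for the `owner/repo` entries docker-bake.hcl supplies and drops the awk dependency from the loop. In this hunk the nginx download URL is now quoted (`curl -sSL "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" -o …`) but the nginx/Dockerfile-alpine hunk of the same commit leaves its copy unquoted, and both still write `"https://github.com/${module}.git" ;` with a stray space before the semicolon; keeping the two RUN blocks textually identical is what makes them reviewable side by side. Both RUN blocks continue past the end of their hunks.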
@@ -53,17 +54,17 @@ RUN set -eux; \ # Build modules RUN set -eux; \ - declare -a modules; \ + modules=""; \ for module in ${NGINX_DYNAMIC_MODULES}; \ do \ - repo=$(awk -F'/' '{print $2}' <<< "${module}"); \ - git clone -b master --depth 1 https://github.com/${module}.git; \ - modules+=("--add-dynamic-module=../${repo}"); \ + repo=$(echo "${module}" | awk -F'/' '{print $2}'); \ + git clone -b master --depth 1 "https://github.com/${module}.git" ; \ + modules="${modules} --add-dynamic-module=../${repo}"; \ done; \ curl -sSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx-${NGINX_VERSION}.tar.gz; \ tar -xzf nginx-${NGINX_VERSION}.tar.gz; \ cd ./nginx-${NGINX_VERSION}; \ - ./configure --with-compat ${modules[@]};\ + ./configure --with-compat ${modules}; \ make modules; \ strip objs/*.so; \ cp objs/*.so /etc/nginx/modules/; \