nginx, modsecurity, brotli, headers-more dockerfile
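# ModSecurity BUILD Container
FROM debian:stretch-slim AS modsecurity-build
# Build-time only (silences debconf prompts); ARG so it never lands in a runtime env.
ARG DEBIAN_FRONTEND=noninteractive
# ------------------------------------------------------------------------------
# Toolchain. `update`, `dist-upgrade` and `install` share one layer so that an
# edited package list can never be served from a cached, stale apt index; the
# index is removed again in the same layer. apt-get (not apt) is used because
# apt's CLI is not meant for scripts. Package versions are not pinned.
RUN set -eux && \
    apt-get update && \
    apt-get dist-upgrade -y && \
    apt-get install --no-install-recommends --no-install-suggests -y \
        autoconf automake build-essential ca-certificates cmake gawk git \
        libcurl4-openssl-dev libpcre3-dev libtool libxml2-dev pkgconf wget && \
    rm -rf /var/lib/apt/lists/*
# liblmdb-dev libgeoip-dev libyajl-dev
# Scratch area for source checkouts (WORKDIR creates it; no mkdir needed).
WORKDIR /tmp/build
# GeoIP
# NOTE(review): unpinned clone — whatever upstream HEAD is at build time gets
# compiled in, so the image is not reproducible and a broken or compromised
# upstream commit would flow straight into it. Pin a tag or commit once chosen.
RUN git clone --recursive https://github.com/maxmind/geoip-api-c && \
    cd geoip-api-c && \
    ./bootstrap && ./configure && make && make install && \
    strip /usr/local/lib/libGeoIP.so.1
# yajl (same unpinned-clone caveat as GeoIP; the ModSecurity configure line
# below hard-codes the build/yajl-2.1.1 path, which breaks if upstream bumps
# its version)
RUN git clone https://github.com/lloyd/yajl.git && \
    cd yajl && \
    ./configure && make install && \
    strip /usr/local/lib/libyajl*
# ModSecurity (head of the v3/master branch, not a release tag — same
# reproducibility caveat as above)
RUN git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity && \
    cd ModSecurity && \
    git submodule init && \
    git submodule update
WORKDIR /tmp/build/ModSecurity
RUN ./build.sh && \
    ./configure \
        --enable-static \
        --with-geoip=/tmp/build/geoip-api-c/libGeoIP \
        --with-yajl=/tmp/build/yajl/build/yajl-2.1.1 \
        --disable-examples \
        --disable-doxygen-html \
        --disable-doxygen-doc \
        --disable-debug-logs
# Build, install to /usr/local/modsecurity and strip in one step; the later
# stages copy /usr/local/modsecurity, libGeoIP* and libyajl* out of this stage.
RUN make && \
    make install && \
    strip /usr/local/modsecurity/bin/* /usr/local/modsecurity/lib/*.a /usr/local/modsecurity/lib/*.so*
# OWASP ModSecurity CRS — unpinned clone of the ruleset; pin a release tag
# (`-b <release-tag>`) so that upstream rule changes cannot silently alter what
# the image blocks or lets through.
WORKDIR /usr/local
RUN git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git && \
    cp owasp-modsecurity-crs/crs-setup.conf.example owasp-modsecurity-crs/crs-setup.conf
# Deactivate unsupported setting
RUN sed -i 's/SecCollectionTimeout 600/#SecCollectionTimeout 600/' /usr/local/owasp-modsecurity-crs/crs-setup.conf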
# ==============================================================================
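# NGiNX BUILD Container
FROM debian:stretch-slim AS nginx-build
# Build-time only (silences debconf prompts); ARG so it never lands in a runtime env.
ARG DEBIAN_FRONTEND=noninteractive
# Versions compiled into the binary. ARG rather than ENV: they are only needed
# during the build (and can now be overridden with --build-arg).
# NOTE(review): OPENSSL_VERSION is a pre-release; move to a 1.1.1 release once
# one exists. PCRE_VERSION and ZLIB_VERSION are only echoed into the --build
# string below — PCRE and zlib actually come from the Debian -dev packages
# installed here, not from these versions.
ARG NGINX_VERSION=1.13.9
ARG OPENSSL_VERSION=1.1.1-pre3
# 1.1.0g
ARG PCRE_VERSION=8.41
ARG ZLIB_VERSION=1.2.11
# ------------------------------------------------------------------------------
# Toolchain: update/dist-upgrade/install in one layer (no stale-index cache
# hit), apt-get instead of apt, index removed afterwards. Versions not pinned.
# NOTE(review): the original listed `zlib-dev`, which does not appear to be a
# Debian stretch package name; zlib1g-dev is the package that ships the headers.
RUN set -eux && \
    apt-get update && \
    apt-get dist-upgrade -y && \
    apt-get install --no-install-recommends --no-install-suggests -y \
        autoconf automake build-essential ca-certificates gawk git \
        libcurl4-openssl-dev libpcre3-dev libtool libxml2-dev pkgconf wget \
        zlib1g-dev && \
    rm -rf /var/lib/apt/lists/*
# Scratch area for sources (WORKDIR creates it).
WORKDIR /tmp/build
# OpenSSL
# NOTE(review): the tarball is fetched over TLS but its published SHA256 is not
# checked; verify it here (sha256sum -c against the upstream value) so a
# tampered download cannot swap the TLS library this binary is built against.
RUN wget -q -P /tmp/build https://www.openssl.org/source/openssl-"$OPENSSL_VERSION".tar.gz && \
    tar xzf /tmp/build/openssl-"$OPENSSL_VERSION".tar.gz -C /tmp/build
# Brotli (unpinned clone: not reproducible — pin a commit)
RUN set -eux && \
    git clone https://github.com/google/ngx_brotli.git && \
    cd ngx_brotli && \
    git submodule update --init --recursive
# headers more nginx module (pinned to a tag, but the archive is not checksum-verified)
RUN wget -q -P /tmp/build https://github.com/openresty/headers-more-nginx-module/archive/v0.33.tar.gz && \
    tar xzf /tmp/build/v0.33.tar.gz -C /tmp/build
# ModSecurity nginx connector (unpinned clone: not reproducible — pin a commit)
RUN git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
# ModSecurity libraries
COPY --from=modsecurity-build /usr/local/modsecurity/ /usr/local/modsecurity/
COPY --from=modsecurity-build /usr/local/lib/libGeoIP* /usr/local/lib/
COPY --from=modsecurity-build /usr/local/lib/libyajl* /usr/local/lib/
# NGiNX (tarball not checksum-verified — same caveat as OpenSSL)
RUN wget -q -P /tmp/build https://nginx.org/download/nginx-"$NGINX_VERSION".tar.gz && \
    tar xzf /tmp/build/nginx-"$NGINX_VERSION".tar.gz -C /tmp/build
WORKDIR /tmp/build/nginx-${NGINX_VERSION}
# Configure, patch, build, install, strip.
# The OpenSSL options are passed as ONE --with-openssl-opt: nginx's configure
# assigns (rather than appends) that option, so the original five separate
# flags left only the last one, enable-tls1_3, in effect and silently dropped
# no-ssl3 / no-weak-ssl-ciphers / no-nextprotoneg.
RUN ./configure \
        --prefix=/usr/local/nginx \
        --sbin-path=/usr/local/nginx/nginx \
        --modules-path=/usr/local/nginx/modules \
        --conf-path=/etc/nginx/nginx.conf \
        --error-log-path=/var/log/nginx/error.log \
        --http-log-path=/var/log/nginx/access.log \
        --pid-path=/run/nginx.pid \
        --lock-path=/var/lock/nginx.lock \
        --user=www-data \
        --group=www-data \
        --build='TLS v1.3, OpenSSL 1.1.1-pre3, PCRE 8.41, ZLIB 1.2.11' \
        --with-openssl=../openssl-"$OPENSSL_VERSION" \
        --with-openssl-opt='enable-ec_nistp_64_gcc_128 no-nextprotoneg no-weak-ssl-ciphers no-ssl3 enable-tls1_3' \
        --with-pcre-jit \
        --with-file-aio \
        --with-threads \
        --with-http_addition_module \
        --with-http_auth_request_module \
        --with-http_flv_module \
        --with-http_gunzip_module \
        --with-http_gzip_static_module \
        --with-http_mp4_module \
        --with-http_random_index_module \
        --with-http_realip_module \
        --with-http_slice_module \
        --with-http_ssl_module \
        --with-http_sub_module \
        --with-http_stub_status_module \
        --with-http_v2_module \
        --with-http_secure_link_module \
        --with-stream \
        --with-stream_realip_module \
        --with-stream_ssl_module \
        --with-stream_ssl_preread_module \
        --add-module=/tmp/build/ngx_brotli \
        --add-module=/tmp/build/headers-more-nginx-module-0.33 \
        --add-module=/tmp/build/ModSecurity-nginx \
        --with-cc-opt='-g -O2 -specs=/usr/share/dpkg/no-pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' \
        --with-ld-opt='-specs=/usr/share/dpkg/no-pie-link.specs -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' \
        --with-http_dav_module \
    && \
    # OpenSSL 1.1.1 fix - https://github.com/openssl/openssl/issues/3884
    gawk -i inplace \
        '/pthread/ { sub(/-lpthread /, ""); sub(/-lpthread /, ""); sub(/\\/, "-lpthread \\"); print } ! /pthread/ { print }' \
        "objs/Makefile" && \
    make && \
    make install && \
    make modules && \
    strip /usr/local/nginx/nginx
# NGiNX log dir, with access/error logs symlinked to the docker log collector
# (ln -sf replaces any existing file, so no touch is needed). Only matters when
# this stage is run directly (e.g. --target nginx-build); the final stage
# recreates these itself.
RUN mkdir -p /var/log/nginx/ && \
    ln -sf /dev/stdout /var/log/nginx/access.log && \
    ln -sf /dev/stderr /var/log/nginx/error.log
# Site config. The final stage copies /etc/nginx from this stage, so this file
# is the nginx.conf that ships in the runtime image.
COPY nginx_orig.conf /etc/nginx/nginx.conf
EXPOSE 80
STOPSIGNAL SIGTERM
CMD ["/usr/local/nginx/nginx", "-g", "daemon off;"]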
# ==============================================================================
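FROM debian:stretch-slim
# Build-time only: ARG instead of ENV so DEBIAN_FRONTEND does not persist into
# the running container's environment.
ARG DEBIAN_FRONTEND=noninteractive
# ------------------------------------------------------------------------------
# Runtime libraries for ModSecurity; apt-get throughout, index cleaned in the
# same layer so nothing of it is left in the image. Versions are not pinned.
RUN apt-get update && \
    apt-get install --no-install-recommends --no-install-suggests -y \
        ca-certificates libcurl3 libxml2 && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*
# apt-utils libgeoip1 libyajl2
# ModSecurity libraries (built from source in the modsecurity-build stage);
# ldconfig refreshes the loader cache for the copied shared objects.
COPY --from=modsecurity-build /usr/local/modsecurity/ /usr/local/modsecurity/
COPY --from=modsecurity-build /usr/local/lib/libGeoIP* /usr/local/lib/
COPY --from=modsecurity-build /usr/local/lib/libyajl* /usr/local/lib/
RUN ldconfig
# OWASP CRS ruleset (whether it is actually loaded depends on the nginx.conf
# copied below, which is not shown here)
COPY --from=modsecurity-build /usr/local/owasp-modsecurity-crs /usr/local/owasp-modsecurity-crs
# NGiNX binary
COPY --from=nginx-build /usr/local/nginx/nginx /usr/local/nginx/nginx
# NGiNX vanilla config
COPY --from=nginx-build /etc/nginx /etc/nginx
# NGiNX vanilla html
COPY --from=nginx-build /usr/local/nginx/html /usr/local/nginx/html
# NGiNX log dir; access/error logs are symlinks to the container's stdout and
# stderr so the docker log collector receives them (ln -sf replaces whatever is
# there, so no touch is needed).
RUN mkdir -p /var/log/nginx/ && \
    ln -sf /dev/stdout /var/log/nginx/access.log && \
    ln -sf /dev/stderr /var/log/nginx/error.log
# No USER directive: the nginx master runs as root (it binds :80; the binary was
# configured with --user=www-data, so workers drop to www-data).
# NOTE(review): to run the whole process tree unprivileged, listen on a port
# above 1024, chown the log and pid paths and add `USER www-data`.
# No HEALTHCHECK: the image ships neither curl nor wget; add one if a small
# probe binary is available.
EXPOSE 80
# SIGTERM is nginx's fast shutdown; SIGQUIT would let in-flight requests drain.
STOPSIGNAL SIGTERM
CMD ["/usr/local/nginx/nginx", "-g", "daemon off;"]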