nginx, modsecurity, brotli, headers-more dockerfile
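# ModSecurity BUILD Container
# Builds libmodsecurity together with the GeoIP and yajl libraries it is
# configured against, and stages the OWASP CRS rule set. Later stages copy out
# only /usr/local/modsecurity, the two helper libraries and the CRS directory.
FROM debian:stretch-slim AS modsecurity-build

# Pinned upstream refs. Every dependency used to be cloned from a moving branch
# (v3/master, master), so two builds of this file could yield different code;
# pin to tags and override with --build-arg to bump deliberately.
ARG GEOIP_VERSION=1.6.12
ARG YAJL_VERSION=2.1.1
ARG MODSECURITY_VERSION=v3.0.2
ARG CRS_VERSION=v3.0.2
# ------------------------------------------------------------------------------
# update, upgrade, install and index cleanup in ONE layer so a cached
# `apt-get update` can never go stale relative to the install. DEBIAN_FRONTEND
# is scoped to this step instead of being written into the stage environment.
RUN set -eux \
    && apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get dist-upgrade -y \
    && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --no-install-suggests -y \
        autoconf \
        automake \
        build-essential \
        ca-certificates \
        cmake \
        gawk \
        git \
        libcurl4-openssl-dev \
        libpcre3-dev \
        libtool \
        libxml2-dev \
        pkgconf \
        wget \
    && rm -rf /var/lib/apt/lists/*
# liblmdb-dev libgeoip-dev libyajl-dev: distro packages deliberately not used;
# GeoIP and yajl are built from source below so ModSecurity links known versions.
WORKDIR /tmp/build
# GeoIP
RUN set -eux \
    && git clone --depth 1 -b "v${GEOIP_VERSION}" --recursive https://github.com/maxmind/geoip-api-c \
    && cd geoip-api-c \
    && ./bootstrap \
    && ./configure \
    && make -j"$(nproc)" \
    && make install \
    && strip /usr/local/lib/libGeoIP.so.1
# yajl
RUN set -eux \
    && git clone --depth 1 -b "${YAJL_VERSION}" https://github.com/lloyd/yajl.git \
    && cd yajl \
    && ./configure \
    && make install \
    && strip /usr/local/lib/libyajl*
# ModSecurity (clone kept in its own layer so configure/make tweaks reuse it)
RUN set -eux \
    && git clone --depth 1 -b "${MODSECURITY_VERSION}" --single-branch https://github.com/SpiderLabs/ModSecurity \
    && cd ModSecurity \
    && git submodule init \
    && git submodule update
# The yajl build directory is named after the yajl version, hence the ARG.
# A plain `strip` on a static archive also removes the global symbols a later
# link needs, so the .a files only get --strip-debug.
RUN set -eux \
    && cd /tmp/build/ModSecurity \
    && ./build.sh \
    && ./configure \
        --enable-static \
        --with-geoip=/tmp/build/geoip-api-c/libGeoIP \
        --with-yajl="/tmp/build/yajl/build/yajl-${YAJL_VERSION}" \
        --disable-examples \
        --disable-doxygen-html \
        --disable-doxygen-doc \
        --disable-debug-logs \
    && make -j"$(nproc)" \
    && make install \
    && strip /usr/local/modsecurity/bin/* /usr/local/modsecurity/lib/*.so* \
    && strip --strip-debug /usr/local/modsecurity/lib/*.a
# OWASP ModSecurity CRS, pinned to a release tag instead of master.
# The sed deactivates SecCollectionTimeout, which this build does not support
# (it is a no-op if the pinned release no longer ships the directive).
RUN set -eux \
    && git clone --depth 1 -b "${CRS_VERSION}" https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/local/owasp-modsecurity-crs \
    && cd /usr/local/owasp-modsecurity-crs \
    && cp crs-setup.conf.example crs-setup.conf \
    && sed -i 's/SecCollectionTimeout 600/#SecCollectionTimeout 600/' crs-setup.conf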
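# ==============================================================================
# NGiNX BUILD Container
# Compiles nginx against a vendored OpenSSL and links in the brotli,
# headers-more and ModSecurity connector modules. The runtime stage copies out
# only the binary, the /etc/nginx tree and the stock html directory.
FROM debian:stretch-slim AS nginx-build

# Build-time parameters only (ARG rather than ENV): none of these are needed
# after this stage and they must not leak into a runtime environment.
ARG NGINX_VERSION=1.13.9
# NOTE(review): 1.1.1-pre3 is a PRE-RELEASE of OpenSSL (the original comment
# mentions 1.1.0g as the alternative). Pre-releases receive no security fixes;
# a production TLS endpoint should be bumped to a GA release.
ARG OPENSSL_VERSION=1.1.1-pre3
ARG HEADERS_MORE_VERSION=0.33
ARG MODSECURITY_NGINX_VERSION=v1.0.0
# ngx_brotli publishes no release tags; replace "master" with a commit id to
# make this build reproducible.
ARG NGX_BROTLI_REF=master
# Optional SHA-256 digests of the downloaded tarballs. When set, the download
# is verified and the build fails on mismatch; when left empty the tarball is
# used unverified and a warning is printed. Pass them with --build-arg.
ARG OPENSSL_SHA256=""
ARG NGINX_SHA256=""
ARG HEADERS_MORE_SHA256=""
# ------------------------------------------------------------------------------
# One layer for update/upgrade/install/cleanup (a separate `apt-get update`
# layer is cached stale). Debian's zlib headers package is zlib1g-dev; the
# original asked for `zlib-dev`, which is the Alpine name and does not resolve
# on stretch. PCRE and zlib come from these distro packages (nginx is not
# given --with-pcre/--with-zlib below).
RUN set -eux \
    && apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get dist-upgrade -y \
    && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --no-install-suggests -y \
        autoconf \
        automake \
        build-essential \
        ca-certificates \
        gawk \
        git \
        libcurl4-openssl-dev \
        libpcre3-dev \
        libtool \
        libxml2-dev \
        pkgconf \
        wget \
        zlib1g-dev \
    && rm -rf /var/lib/apt/lists/*
WORKDIR /tmp/build
# OpenSSL (vendored into the nginx build through --with-openssl below)
RUN set -eux \
    && wget -q -O "openssl-${OPENSSL_VERSION}.tar.gz" "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz" \
    && if [ -n "${OPENSSL_SHA256}" ]; then \
           echo "${OPENSSL_SHA256}  openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c -; \
       else \
           echo "WARNING: OPENSSL_SHA256 not set; openssl tarball is unverified" >&2; \
       fi \
    && tar xzf "openssl-${OPENSSL_VERSION}.tar.gz"
# Brotli (no upstream tags; see NGX_BROTLI_REF)
RUN set -eux \
    && git clone https://github.com/google/ngx_brotli.git \
    && cd ngx_brotli \
    && git checkout "${NGX_BROTLI_REF}" \
    && git submodule update --init --recursive
# headers more nginx module
RUN set -eux \
    && wget -q -O "headers-more-nginx-module-${HEADERS_MORE_VERSION}.tar.gz" "https://github.com/openresty/headers-more-nginx-module/archive/v${HEADERS_MORE_VERSION}.tar.gz" \
    && if [ -n "${HEADERS_MORE_SHA256}" ]; then \
           echo "${HEADERS_MORE_SHA256}  headers-more-nginx-module-${HEADERS_MORE_VERSION}.tar.gz" | sha256sum -c -; \
       else \
           echo "WARNING: HEADERS_MORE_SHA256 not set; headers-more tarball is unverified" >&2; \
       fi \
    && tar xzf "headers-more-nginx-module-${HEADERS_MORE_VERSION}.tar.gz"
# ModSecurity nginx connector, pinned to a release tag
RUN git clone --depth 1 -b "${MODSECURITY_NGINX_VERSION}" https://github.com/SpiderLabs/ModSecurity-nginx.git
# ModSecurity libraries (the connector's config looks under /usr/local/modsecurity)
COPY --from=modsecurity-build /usr/local/modsecurity/ /usr/local/modsecurity/
COPY --from=modsecurity-build /usr/local/lib/libGeoIP* /usr/local/lib/
COPY --from=modsecurity-build /usr/local/lib/libyajl* /usr/local/lib/
# NGiNX
RUN set -eux \
    && wget -q -O "nginx-${NGINX_VERSION}.tar.gz" "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" \
    && if [ -n "${NGINX_SHA256}" ]; then \
           echo "${NGINX_SHA256}  nginx-${NGINX_VERSION}.tar.gz" | sha256sum -c -; \
       else \
           echo "WARNING: NGINX_SHA256 not set; nginx tarball is unverified" >&2; \
       fi \
    && tar xzf "nginx-${NGINX_VERSION}.tar.gz"
# nginx's configure stores --with-openssl-opt by plain assignment, so of the
# five repeated options in the original only the last one (enable-tls1_3)
# reached OpenSSL and no-ssl3 / no-weak-ssl-ciphers were silently dropped.
# All OpenSSL options are therefore passed as ONE space-separated value.
# The --build string used to claim PCRE 8.41 / ZLIB 1.2.11, but nothing
# downloads those: nginx links the Debian libpcre3 and zlib1g-dev above, so the
# string now says so instead of misreporting in `nginx -V`.
# The gawk edit of objs/Makefile is the OpenSSL 1.1.1 link-order workaround
# from https://github.com/openssl/openssl/issues/3884 and is left unchanged.
RUN set -eux \
    && cd "nginx-${NGINX_VERSION}" \
    && ./configure \
        --prefix=/usr/local/nginx \
        --sbin-path=/usr/local/nginx/nginx \
        --modules-path=/usr/local/nginx/modules \
        --conf-path=/etc/nginx/nginx.conf \
        --error-log-path=/var/log/nginx/error.log \
        --http-log-path=/var/log/nginx/access.log \
        --pid-path=/run/nginx.pid \
        --lock-path=/var/lock/nginx.lock \
        --user=www-data \
        --group=www-data \
        --build="TLS v1.3, OpenSSL ${OPENSSL_VERSION}, Debian PCRE and zlib" \
        --with-openssl="../openssl-${OPENSSL_VERSION}" \
        --with-openssl-opt='enable-ec_nistp_64_gcc_128 no-nextprotoneg no-weak-ssl-ciphers no-ssl3 enable-tls1_3' \
        --with-pcre-jit \
        --with-file-aio \
        --with-threads \
        --with-http_addition_module \
        --with-http_auth_request_module \
        --with-http_flv_module \
        --with-http_gunzip_module \
        --with-http_gzip_static_module \
        --with-http_mp4_module \
        --with-http_random_index_module \
        --with-http_realip_module \
        --with-http_slice_module \
        --with-http_ssl_module \
        --with-http_sub_module \
        --with-http_stub_status_module \
        --with-http_v2_module \
        --with-http_secure_link_module \
        --with-stream \
        --with-stream_realip_module \
        --with-stream_ssl_module \
        --with-stream_ssl_preread_module \
        --add-module=/tmp/build/ngx_brotli \
        --add-module="/tmp/build/headers-more-nginx-module-${HEADERS_MORE_VERSION}" \
        --add-module=/tmp/build/ModSecurity-nginx \
        --with-cc-opt='-g -O2 -specs=/usr/share/dpkg/no-pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' \
        --with-ld-opt='-specs=/usr/share/dpkg/no-pie-link.specs -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' \
        --with-http_dav_module \
    && gawk -i inplace \
        '/pthread/ { sub(/-lpthread /, ""); sub(/-lpthread /, ""); sub(/\\/, "-lpthread \\"); print } ! /pthread/ { print }' \
        "objs/Makefile" \
    && make -j"$(nproc)" \
    && make install \
    && make modules \
    && strip /usr/local/nginx/nginx
# NGiNX log files: symlinked to the container's stdout/stderr so the docker log
# collector receives them. ln -sf replaces any existing file, so the separate
# mkdir/touch layers of the original collapse into one step.
RUN set -eux \
    && mkdir -p /var/log/nginx \
    && ln -sf /dev/stdout /var/log/nginx/access.log \
    && ln -sf /dev/stderr /var/log/nginx/error.log
# Replaces the stock nginx.conf installed by `make install`; the runtime stage
# copies the whole /etc/nginx tree, so this file is what the image runs with.
COPY nginx_orig.conf /etc/nginx/nginx.conf
# Runtime metadata is repeated here so this stage can be run on its own with
# `docker build --target nginx-build`.
EXPOSE 80
STOPSIGNAL SIGTERM
CMD ["/usr/local/nginx/nginx", "-g", "daemon off;"]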
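# ==============================================================================
# Runtime image: slim Debian plus the ModSecurity libraries, the CRS rules and
# the nginx binary produced by the two build stages. No compiler or source
# tree reaches this stage.
FROM debian:stretch-slim
# ------------------------------------------------------------------------------
# Runtime libraries for ModSecurity (libcurl, libxml2) and a CA bundle.
# DEBIAN_FRONTEND is scoped to this step instead of being baked into the
# container's environment, and apt-get is used consistently (the original
# mixed `apt` and `apt-get`; `apt` has no stable scripting interface).
RUN set -eux \
    && apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --no-install-suggests -y \
        ca-certificates \
        libcurl3 \
        libxml2 \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
# apt-utils libgeoip1 libyajl2: distro packages deliberately not used; the
# GeoIP and yajl libraries are the ones built in modsecurity-build.
# ModSecurity libraries
COPY --from=modsecurity-build /usr/local/modsecurity/ /usr/local/modsecurity/
COPY --from=modsecurity-build /usr/local/lib/libGeoIP* /usr/local/lib/
COPY --from=modsecurity-build /usr/local/lib/libyajl* /usr/local/lib/
# /usr/local/lib is on the default loader path but /usr/local/modsecurity/lib
# is not; register it so a dynamically linked libmodsecurity.so is found at
# runtime (harmless if nginx ended up linking the static archive instead).
RUN set -eux \
    && echo /usr/local/modsecurity/lib > /etc/ld.so.conf.d/modsecurity.conf \
    && ldconfig
COPY --from=modsecurity-build /usr/local/owasp-modsecurity-crs /usr/local/owasp-modsecurity-crs
# NGiNX binary
COPY --from=nginx-build /usr/local/nginx/nginx /usr/local/nginx/nginx
# NGiNX config tree. nginx.conf is nginx_orig.conf from the build context (it
# overwrote the stock file in nginx-build); mime.types and friends are stock.
COPY --from=nginx-build /etc/nginx /etc/nginx
# NGiNX vanilla html
COPY --from=nginx-build /usr/local/nginx/html /usr/local/nginx/html
# NGiNX log files: symlinked to the container's stdout/stderr so the docker log
# collector receives them. ln -sf replaces any existing file, so the separate
# mkdir/touch layers of the original collapse into one step.
RUN set -eux \
    && mkdir -p /var/log/nginx \
    && ln -sf /dev/stdout /var/log/nginx/access.log \
    && ln -sf /dev/stderr /var/log/nginx/error.log
# NOTE(review): the nginx master runs as root here (it binds :80 and drops the
# workers to www-data per --user=www-data in nginx-build). A rootless image
# would need an unprivileged listen port, a writable pid path and a USER
# directive; that is a config change outside this file.
EXPOSE 80
STOPSIGNAL SIGTERM
CMD ["/usr/local/nginx/nginx", "-g", "daemon off;"]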