@procinger
Created November 10, 2022 15:49
Nginx Modsecurity Mem Leak

Quick'n'Dirty Nginx Images with Modsecurity.

Dockerfile.bad compiles with nginx-modsecurity v1.0.2 and Modsecurity v3.0.8

Dockerfile.better compiles with nginx-modsecurity v1.0.3 and Modsecurity v3/master

The memory leak is still there, but it is only ~500 kB of RAM instead of ~16 MB per `nginx -s reload`.

The memory leak can be checked with valgrind: `valgrind --trace-children=yes --tool=memcheck --leak-check=full /usr/local/nginx/sbin/nginx -g "daemon off;"`

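# syntax=docker/dockerfile:1
# Dockerfile.bad: nginx 1.21.6 + ModSecurity-nginx connector 1.0.2 + libmodsecurity v3.0.8,
# built with debug symbols so the memory growth seen on every `nginx -s reload` can be
# traced under valgrind (see the command in the notes). This is a debugging image, not a
# hardened runtime: it keeps the whole toolchain and source tree in the final layer, stays
# root so the nginx master can bind :80 and drop its workers to its default user, and
# ships a minimal dev nginx.conf.
FROM alpine:3.16.2

# Upstream versions under test; override with --build-arg to bisect the leak.
ARG MODSECURITY_VERSION=v3.0.8
ARG NGINX_MODSECURITY_VERSION=1.0.2
ARG NGINX_VERSION=1.21.6
ARG OWASP_MODSECURITY_CRS_VERSION=v3.3.4

WORKDIR /build

# Toolchain, headers and valgrind. --no-cache keeps the apk index out of the layer.
# Package versions are not pinned; reproducibility rests on the pinned base tag above.
RUN apk add --no-cache \
    alpine-sdk \
    autoconf \
    automake \
    bash \
    bc \
    bison \
    ca-certificates \
    clang \
    cmake \
    coreutils \
    curl \
    curl-dev \
    dos2unix \
    doxygen \
    findutils \
    flex \
    g++ \
    gcc \
    gd-dev \
    geoip-dev \
    git \
    libaio-dev \
    libc-dev \
    libedit-dev \
    libmaxminddb-dev \
    libprotobuf \
    libtool \
    libxml2 \
    libxml2-dev \
    libxslt-dev \
    linux-headers \
    lmdb-dev \
    lmdb-tools \
    make \
    mercurial \
    openssl \
    openssl-dev \
    patch \
    pcre-dev \
    perl-dev \
    pkgconf \
    python3 \
    unzip \
    util-linux \
    valgrind \
    wget \
    yajl-dev \
    yaml-cpp \
    zlib-dev

# Fetch the sources. The two tarballs are not checksum-verified here; if this image is
# ever used for anything beyond leak-hunting, pin them with
# `ADD --checksum=sha256:<expected-digest> <url> <dest>` or verify the upstream
# signature in the same layer.
RUN git clone --depth=1 -b "${MODSECURITY_VERSION}" https://github.com/SpiderLabs/ModSecurity
RUN wget -q "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz"
RUN wget -q "https://github.com/SpiderLabs/ModSecurity-nginx/archive/v${NGINX_MODSECURITY_VERSION}.tar.gz"

# Build and install libmodsecurity (defaults to /usr/local). Docs and examples are
# skipped; they are not needed by the nginx connector.
WORKDIR /build/ModSecurity
RUN git submodule init \
    && git submodule update \
    && sh build.sh \
    && ./configure --disable-doxygen-doc --disable-doxygen-html --disable-examples \
    && make -j"$(nproc)" \
    && make install

WORKDIR /build
RUN tar -xzf "v${NGINX_MODSECURITY_VERSION}.tar.gz" \
    && tar -xzf "nginx-${NGINX_VERSION}.tar.gz"

# Build nginx with the connector as a dynamic module. --with-debug and -g keep the
# valgrind stacks readable; -fPIE/-fstack-protector-strong/-D_FORTIFY_SOURCE=2 plus
# relro/now are the usual distro hardening set. Note -m64/-mtune=generic hardcode
# x86_64, so this stage does not build for other architectures.
WORKDIR /build/nginx-${NGINX_VERSION}
RUN ./configure \
    --prefix=/usr/local/nginx \
    --conf-path=/etc/nginx/nginx.conf \
    --modules-path=/etc/nginx/modules \
    --http-log-path=/var/log/nginx/access.log \
    --error-log-path=/var/log/nginx/error.log \
    --lock-path=/var/lock/nginx.lock \
    --pid-path=/run/nginx.pid \
    --with-debug \
    --with-compat \
    --with-pcre-jit \
    --with-http_ssl_module \
    --with-http_stub_status_module \
    --with-http_realip_module \
    --with-http_auth_request_module \
    --with-http_addition_module \
    --with-http_gzip_static_module \
    --with-http_sub_module \
    --with-http_v2_module \
    --with-stream \
    --with-stream_ssl_module \
    --with-stream_realip_module \
    --with-stream_ssl_preread_module \
    --with-threads \
    --with-http_secure_link_module \
    --with-http_gunzip_module \
    --without-mail_pop3_module \
    --without-mail_smtp_module \
    --without-mail_imap_module \
    --without-http_uwsgi_module \
    --without-http_scgi_module \
    --without-pcre2 \
    --with-cc-opt="-g -O2 -fPIE -fstack-protector-strong \
        -Wformat \
        -Werror=format-security \
        -Wno-deprecated-declarations \
        -fno-strict-aliasing \
        -D_FORTIFY_SOURCE=2 \
        --param=ssp-buffer-size=4 \
        -DTCP_FASTOPEN=23 \
        -fPIC \
        -Wno-cast-function-type -m64 -mtune=generic" \
    --with-ld-opt="-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now" \
    --add-dynamic-module="/build/ModSecurity-nginx-${NGINX_MODSECURITY_VERSION}" \
    && make -j"$(nproc)" \
    && make modules \
    && make install

# OWASP Core Rule Set: shallow-clone the pinned tag straight into its final name and
# activate the shipped example setup/exclusion files.
WORKDIR /etc/nginx
RUN git clone --depth=1 -b "${OWASP_MODSECURITY_CRS_VERSION}" \
        https://github.com/coreruleset/coreruleset owasp-modsecurity-crs
WORKDIR /etc/nginx/owasp-modsecurity-crs
RUN mv crs-setup.conf.example crs-setup.conf \
    && mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf \
    && mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

# Rule load order for the connector. A heredoc writes one Include per line, which is
# what the `echo "\ ..."` form was trying to express.
COPY <<"EOF" /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
Include /etc/nginx/owasp-modsecurity-crs/crs-setup.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-922-MULTIPART-ATTACK.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
EOF

# Minimal dev config: one worker (simpler valgrind traces), the ModSecurity module loaded,
# engine and audit log on, CRS attached to the default server.
COPY <<"EOF" /etc/nginx/nginx.conf
worker_processes 1;
load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;
events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    sendfile on;
    keepalive_timeout 65;

    server {
        modsecurity on;
        modsecurity_rules '
            SecruleEngine On
            SecAuditEngine On
        ';
        modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf;
        listen 80;
        server_name localhost;

        location / {
            root html;
            index index.html index.htm;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
EOF

# Documentation only; the dev config listens on 80.
EXPOSE 80

# Default: run nginx in the foreground. To measure the leak, override this with the
# valgrind wrapper from the notes (valgrind --trace-children=yes --tool=memcheck
# --leak-check=full /usr/local/nginx/sbin/nginx -g "daemon off;").
CMD ["/usr/local/nginx/sbin/nginx", "-g", "daemon off;"]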
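# syntax=docker/dockerfile:1
# Dockerfile.better: nginx 1.21.6 + ModSecurity-nginx connector 1.0.3 + libmodsecurity
# from the v3/master branch, built with debug symbols so the memory growth seen on every
# `nginx -s reload` can be traced under valgrind (see the command in the notes). This is
# a debugging image, not a hardened runtime: it keeps the whole toolchain and source tree
# in the final layer, stays root so the nginx master can bind :80 and drop its workers to
# its default user, and ships a minimal dev nginx.conf.
FROM alpine:3.16.2

# Upstream versions under test; override with --build-arg to bisect the leak.
# MODSECURITY_VERSION is a moving branch here, so two builds on different days may
# compile different code; pin it to a commit when comparing numbers across builds.
ARG MODSECURITY_VERSION=v3/master
ARG NGINX_MODSECURITY_VERSION=1.0.3
ARG NGINX_VERSION=1.21.6
ARG OWASP_MODSECURITY_CRS_VERSION=v3.3.4

WORKDIR /build

# Toolchain, headers and valgrind. --no-cache keeps the apk index out of the layer.
# Package versions are not pinned; reproducibility rests on the pinned base tag above.
RUN apk add --no-cache \
    alpine-sdk \
    autoconf \
    automake \
    bash \
    bc \
    bison \
    ca-certificates \
    clang \
    cmake \
    coreutils \
    curl \
    curl-dev \
    dos2unix \
    doxygen \
    findutils \
    flex \
    g++ \
    gcc \
    gd-dev \
    geoip-dev \
    git \
    libaio-dev \
    libc-dev \
    libedit-dev \
    libmaxminddb-dev \
    libprotobuf \
    libtool \
    libxml2 \
    libxml2-dev \
    libxslt-dev \
    linux-headers \
    lmdb-dev \
    lmdb-tools \
    make \
    mercurial \
    openssl \
    openssl-dev \
    patch \
    pcre-dev \
    perl-dev \
    pkgconf \
    python3 \
    unzip \
    util-linux \
    valgrind \
    wget \
    yajl-dev \
    yaml-cpp \
    zlib-dev

# Fetch the sources. The two tarballs are not checksum-verified here; if this image is
# ever used for anything beyond leak-hunting, pin them with
# `ADD --checksum=sha256:<expected-digest> <url> <dest>` or verify the upstream
# signature in the same layer.
RUN git clone --depth=1 -b "${MODSECURITY_VERSION}" https://github.com/SpiderLabs/ModSecurity
RUN wget -q "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz"
RUN wget -q "https://github.com/SpiderLabs/ModSecurity-nginx/archive/v${NGINX_MODSECURITY_VERSION}.tar.gz"

# Build and install libmodsecurity (defaults to /usr/local). Docs and examples are
# skipped; they are not needed by the nginx connector.
WORKDIR /build/ModSecurity
RUN git submodule init \
    && git submodule update \
    && sh build.sh \
    && ./configure --disable-doxygen-doc --disable-doxygen-html --disable-examples \
    && make -j"$(nproc)" \
    && make install

WORKDIR /build
RUN tar -xzf "v${NGINX_MODSECURITY_VERSION}.tar.gz" \
    && tar -xzf "nginx-${NGINX_VERSION}.tar.gz"

# Build nginx with the connector as a dynamic module. --with-debug and -g keep the
# valgrind stacks readable; -fPIE/-fstack-protector-strong/-D_FORTIFY_SOURCE=2 plus
# relro/now are the usual distro hardening set. Note -m64/-mtune=generic hardcode
# x86_64, so this stage does not build for other architectures.
WORKDIR /build/nginx-${NGINX_VERSION}
RUN ./configure \
    --prefix=/usr/local/nginx \
    --conf-path=/etc/nginx/nginx.conf \
    --modules-path=/etc/nginx/modules \
    --http-log-path=/var/log/nginx/access.log \
    --error-log-path=/var/log/nginx/error.log \
    --lock-path=/var/lock/nginx.lock \
    --pid-path=/run/nginx.pid \
    --with-debug \
    --with-compat \
    --with-pcre-jit \
    --with-http_ssl_module \
    --with-http_stub_status_module \
    --with-http_realip_module \
    --with-http_auth_request_module \
    --with-http_addition_module \
    --with-http_gzip_static_module \
    --with-http_sub_module \
    --with-http_v2_module \
    --with-stream \
    --with-stream_ssl_module \
    --with-stream_realip_module \
    --with-stream_ssl_preread_module \
    --with-threads \
    --with-http_secure_link_module \
    --with-http_gunzip_module \
    --without-mail_pop3_module \
    --without-mail_smtp_module \
    --without-mail_imap_module \
    --without-http_uwsgi_module \
    --without-http_scgi_module \
    --without-pcre2 \
    --with-cc-opt="-g -O2 -fPIE -fstack-protector-strong \
        -Wformat \
        -Werror=format-security \
        -Wno-deprecated-declarations \
        -fno-strict-aliasing \
        -D_FORTIFY_SOURCE=2 \
        --param=ssp-buffer-size=4 \
        -DTCP_FASTOPEN=23 \
        -fPIC \
        -Wno-cast-function-type -m64 -mtune=generic" \
    --with-ld-opt="-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now" \
    --add-dynamic-module="/build/ModSecurity-nginx-${NGINX_MODSECURITY_VERSION}" \
    && make -j"$(nproc)" \
    && make modules \
    && make install

# OWASP Core Rule Set: shallow-clone the pinned tag straight into its final name and
# activate the shipped example setup/exclusion files.
WORKDIR /etc/nginx
RUN git clone --depth=1 -b "${OWASP_MODSECURITY_CRS_VERSION}" \
        https://github.com/coreruleset/coreruleset owasp-modsecurity-crs
WORKDIR /etc/nginx/owasp-modsecurity-crs
RUN mv crs-setup.conf.example crs-setup.conf \
    && mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf \
    && mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

# Rule load order for the connector. A heredoc writes one Include per line, which is
# what the `echo "\ ..."` form was trying to express.
COPY <<"EOF" /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
Include /etc/nginx/owasp-modsecurity-crs/crs-setup.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-922-MULTIPART-ATTACK.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
EOF

# Minimal dev config: one worker (simpler valgrind traces), the ModSecurity module loaded,
# engine and audit log on, CRS attached to the default server.
COPY <<"EOF" /etc/nginx/nginx.conf
worker_processes 1;
load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;
events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    sendfile on;
    keepalive_timeout 65;

    server {
        modsecurity on;
        modsecurity_rules '
            SecruleEngine On
            SecAuditEngine On
        ';
        modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf;
        listen 80;
        server_name localhost;

        location / {
            root html;
            index index.html index.htm;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
EOF

# Documentation only; the dev config listens on 80.
EXPOSE 80

# Default: run nginx in the foreground. To measure the leak, override this with the
# valgrind wrapper from the notes (valgrind --trace-children=yes --tool=memcheck
# --leak-check=full /usr/local/nginx/sbin/nginx -g "daemon off;").
CMD ["/usr/local/nginx/sbin/nginx", "-g", "daemon off;"]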