|
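# Build-stage base. The Alpine release is pinned so the toolchain and -dev libraries
# below are the same on every rebuild. Everything in this part of the file runs as
# root in a single stage; no USER, EXPOSE or ENTRYPOINT appears here, so on its own
# this is a build environment rather than a hardened runtime image.
FROM alpine:3.16.2 AS build

# Versions of the components compiled below. They are build-time ARGs, so they do
# not end up in the environment of containers started from the image.
#
# NOTE(review): MODSECURITY_VERSION defaults to a moving branch (v3/master), so two
# builds on different days can contain different libmodsecurity code. Override it with
# a release tag (--build-arg MODSECURITY_VERSION=<release tag>) when the build has to
# be reproducible or auditable.
ARG MODSECURITY_VERSION=v3/master
# ModSecurity-nginx connector release (compiled into the nginx dynamic module).
ARG NGINX_MODSECURITY_VERSION=1.0.3
# nginx source release that the connector is built against.
ARG NGINX_VERSION=1.21.6
# OWASP Core Rule Set tag checked out under /etc/nginx.
ARG OWASP_MODSECURITY_CRS_VERSION=v3.3.4

# Scratch directory for all sources and build trees (WORKDIR creates it if missing).
WORKDIR /build
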
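# Toolchain and development headers needed to build libmodsecurity, the nginx
# connector and nginx itself. --no-cache keeps apk's package index out of this layer;
# the package set is unchanged, only sorted one per line for diffability.
#
# NOTE(review): no package versions are pinned (hadolint DL3018), so the toolchain can
# still drift between rebuilds even though the base image is pinned. Several entries
# (valgrind, doxygen, mercurial, python3, gd-dev, geoip-dev, ...) are build or debug
# aids that nginx does not need at runtime; they remain only because this part of the
# file does not separate a build stage from a runtime stage.
RUN apk add --no-cache \
        alpine-sdk \
        autoconf \
        automake \
        bash \
        bc \
        bison \
        ca-certificates \
        clang \
        cmake \
        coreutils \
        curl \
        curl-dev \
        dos2unix \
        doxygen \
        findutils \
        flex \
        g++ \
        gcc \
        gd-dev \
        geoip-dev \
        git \
        libaio-dev \
        libc-dev \
        libedit-dev \
        libmaxminddb-dev \
        libprotobuf \
        libtool \
        libxml2 \
        libxml2-dev \
        libxslt-dev \
        linux-headers \
        lmdb-dev \
        lmdb-tools \
        make \
        mercurial \
        openssl \
        openssl-dev \
        patch \
        pcre-dev \
        perl-dev \
        pkgconf \
        python3 \
        unzip \
        util-linux \
        valgrind \
        wget \
        yajl-dev \
        yaml-cpp \
        zlib-dev
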
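# Fetch the three upstream sources into /build.
#
# NOTE(review): the clone checks out whatever MODSECURITY_VERSION resolves to at build
# time; with the default moving branch this step is the main source of
# non-reproducible builds.
RUN git clone --depth=1 -b "$MODSECURITY_VERSION" https://github.com/SpiderLabs/ModSecurity

# Optional SHA-256 pins for the two tarballs fetched below. They default to empty,
# which keeps the previous (unverified) behaviour; pass
#   --build-arg NGINX_SHA256=<expected sha256 of the nginx tarball>
#   --build-arg NGINX_MODSECURITY_SHA256=<expected sha256 of the connector tarball>
# to make the build fail when a download does not match the recorded digest. wget's
# exit code already aborts the layer on a failed TLS/HTTP fetch, but it says nothing
# about the content that was served. Note that GitHub-generated source archives are
# not guaranteed to be byte-stable over time, so a pin for the connector tarball may
# need refreshing even when the version has not changed.
ARG NGINX_SHA256=""
ARG NGINX_MODSECURITY_SHA256=""

RUN wget -q "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz" \
    && if [ -n "$NGINX_SHA256" ]; then \
           echo "$NGINX_SHA256  nginx-$NGINX_VERSION.tar.gz" | sha256sum -c -; \
       fi

RUN wget -q "https://github.com/SpiderLabs/ModSecurity-nginx/archive/v$NGINX_MODSECURITY_VERSION.tar.gz" \
    && if [ -n "$NGINX_MODSECURITY_SHA256" ]; then \
           echo "$NGINX_MODSECURITY_SHA256  v$NGINX_MODSECURITY_VERSION.tar.gz" | sha256sum -c -; \
       fi
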
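# Build and install libmodsecurity under the autotools default prefix so the nginx
# connector can be compiled against it in the next steps. Submodules are fetched in
# one step (equivalent to the separate init + update), doxygen output and examples are
# skipped to shorten the build, and every step is &&-chained so a failure aborts the
# layer instead of leaving a half-built tree behind.
RUN cd ModSecurity \
    && git submodule update --init \
    && sh build.sh \
    && ./configure --disable-doxygen-doc --disable-doxygen-html --disable-examples \
    && make -j"$(nproc)" \
    && make install
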
# Unpack the connector and nginx source trees next to ModSecurity in /build. The
# tarballs themselves stay in the earlier download layers either way.
RUN tar -xzv -f "v$NGINX_MODSECURITY_VERSION.tar.gz"
RUN tar -xzv -f "nginx-$NGINX_VERSION.tar.gz"

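# Configure, build and install nginx with the ModSecurity connector as a dynamic
# module. --modules-path puts the .so in /etc/nginx/modules, which is the path the
# generated nginx.conf loads it from; config, logs, lock and pid files go to their
# usual system locations.
#
# Hardening is passed through --with-cc-opt/--with-ld-opt: PIE, stack protector,
# _FORTIFY_SOURCE, full RELRO (-z,relro -z,now) and format-string warnings as
# errors. -DTCP_FASTOPEN=23 pre-defines the socket option constant for headers that
# lack it. --with-debug only compiles in debug-log support; it changes nothing unless
# error_log is switched to the debug level.
#
# Change vs. the earlier version: "-m64 -mtune=generic" was removed from
# --with-cc-opt. Both are GCC's defaults on x86-64, and "-m64" is not accepted by the
# aarch64 compiler, which made the configure step fail on arm64 builds of this image.
RUN cd "nginx-$NGINX_VERSION" && ./configure \
    --prefix=/usr/local/nginx \
    --conf-path=/etc/nginx/nginx.conf \
    --modules-path=/etc/nginx/modules \
    --http-log-path=/var/log/nginx/access.log \
    --error-log-path=/var/log/nginx/error.log \
    --lock-path=/var/lock/nginx.lock \
    --pid-path=/run/nginx.pid \
    --with-debug \
    --with-compat \
    --with-pcre-jit \
    --with-http_ssl_module \
    --with-http_stub_status_module \
    --with-http_realip_module \
    --with-http_auth_request_module \
    --with-http_addition_module \
    --with-http_gzip_static_module \
    --with-http_sub_module \
    --with-http_v2_module \
    --with-stream \
    --with-stream_ssl_module \
    --with-stream_realip_module \
    --with-stream_ssl_preread_module \
    --with-threads \
    --with-http_secure_link_module \
    --with-http_gunzip_module \
    --without-mail_pop3_module \
    --without-mail_smtp_module \
    --without-mail_imap_module \
    --without-http_uwsgi_module \
    --without-http_scgi_module \
    --without-pcre2 \
    --with-cc-opt="-g -O2 -fPIE -fstack-protector-strong \
        -Wformat \
        -Werror=format-security \
        -Wno-deprecated-declarations \
        -fno-strict-aliasing \
        -D_FORTIFY_SOURCE=2 \
        --param=ssp-buffer-size=4 \
        -DTCP_FASTOPEN=23 \
        -fPIC \
        -Wno-cast-function-type" \
    --with-ld-opt="-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now" \
    --add-dynamic-module="/build/ModSecurity-nginx-$NGINX_MODSECURITY_VERSION" \
    && make -j"$(nproc)" \
    && make modules \
    && make install
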
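# Install the OWASP Core Rule Set under /etc/nginx and generate the include file that
# nginx.conf loads through modsecurity_rules_file.
#
# Changes vs. the earlier version: the checkout is shallow and is cloned straight
# into its final directory (no separate mv), and the include list is written with one
# "Include" directive per line. The previous echo used Dockerfile line continuations,
# which join the lines before the shell sees them, so every directive ended up on a
# single line and correct parsing depended on the seclang parser tolerating that.
#
# NOTE(review): the rule list is hand-maintained. Any rule file shipped by the
# checked-out CRS tag that is not listed here is silently not loaded
# (REQUEST-910-IP-REPUTATION.conf, for example, does not appear below); re-check the
# list against the rules/ directory whenever OWASP_MODSECURITY_CRS_VERSION changes.
RUN git clone --depth=1 -b "$OWASP_MODSECURITY_CRS_VERSION" \
        https://github.com/coreruleset/coreruleset /etc/nginx/owasp-modsecurity-crs \
    && cd /etc/nginx/owasp-modsecurity-crs \
    && mv crs-setup.conf.example crs-setup.conf \
    && mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf \
    && mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf \
    && printf 'Include /etc/nginx/owasp-modsecurity-crs/%s\n' \
        crs-setup.conf \
        rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf \
        rules/REQUEST-901-INITIALIZATION.conf \
        rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf \
        rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf \
        rules/REQUEST-905-COMMON-EXCEPTIONS.conf \
        rules/REQUEST-911-METHOD-ENFORCEMENT.conf \
        rules/REQUEST-912-DOS-PROTECTION.conf \
        rules/REQUEST-913-SCANNER-DETECTION.conf \
        rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf \
        rules/REQUEST-921-PROTOCOL-ATTACK.conf \
        rules/REQUEST-922-MULTIPART-ATTACK.conf \
        rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf \
        rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf \
        rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf \
        rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf \
        rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf \
        rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf \
        rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf \
        rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf \
        rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf \
        rules/REQUEST-949-BLOCKING-EVALUATION.conf \
        rules/RESPONSE-950-DATA-LEAKAGES.conf \
        rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf \
        rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf \
        rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf \
        rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf \
        rules/RESPONSE-959-BLOCKING-EVALUATION.conf \
        rules/RESPONSE-980-CORRELATION.conf \
        rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf \
        > /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
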
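# Write a minimal nginx.conf: one worker, the ModSecurity module loaded from
# /etc/nginx/modules, and a single HTTP server on port 80 with ModSecurity in blocking
# mode (SecRuleEngine On) and the CRS include list from the previous step. "root html"
# is relative to --prefix, i.e. /usr/local/nginx/html as populated by make install.
#
# Changes vs. the earlier version: the file is written with printf so each directive
# sits on its own line (the previous echo with Dockerfile line continuations produced
# one long line), and the inline directive is spelled SecRuleEngine, the documented
# form (the old "SecruleEngine" spelling appears to have been accepted only because
# the parser matches directive names case-insensitively; confirm if that matters).
#
# NOTE(review): SecAuditEngine is On but no SecAuditLog path is configured, so it is
# not clear from this file where audit records go; check with `nginx -t` and a test
# request, and add SecAuditLog if audit output is expected. Binding port 80 means the
# master process has to start as root; worker processes fall back to nginx's
# compiled-in default user since the configure step passes no --user.
RUN printf '%s\n' \
    'worker_processes 1;' \
    'load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;' \
    '' \
    'events {' \
    '    worker_connections 1024;' \
    '}' \
    '' \
    'http {' \
    '    include mime.types;' \
    '    default_type application/octet-stream;' \
    '' \
    '    sendfile on;' \
    '    keepalive_timeout 65;' \
    '' \
    '    server {' \
    '        modsecurity on;' \
    "        modsecurity_rules '" \
    '            SecRuleEngine On' \
    '            SecAuditEngine On' \
    "        ';" \
    '        modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf;' \
    '        listen 80;' \
    '        server_name localhost;' \
    '' \
    '        location / {' \
    '            root html;' \
    '            index index.html index.htm;' \
    '        }' \
    '' \
    '        error_page 500 502 503 504 /50x.html;' \
    '        location = /50x.html {' \
    '            root html;' \
    '        }' \
    '    }' \
    '}' \
    > /etc/nginx/nginx.conf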