From a9bb7b36e27cfbea6358be7d6c9591749deb20cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominic=20Rico=20G=C3=B3mez?=
Date: Sat, 3 Aug 2024 22:55:46 +0200
Subject: [PATCH 1/5] add modsecurity support

---
 .jenkins/Jenkinsfile | 8 ++++----
 docker/Dockerfile | 20 +++++++++++++++++---
 docker/Dockerfile.acmesh | 2 +-
 docker/Dockerfile.acmesh-golang | 4 ++--
 docker/Dockerfile.certbot | 4 ++--
 docker/Dockerfile.certbot-node | 2 +-
 local-build.sh | 10 ++++++----
 local-buildx.sh | 8 ++++----
 scripts/build-modsecurity | 22 ++++++++++++++++++++++
 scripts/install-modsecurity_ruleset | 17 +++++++++++++++++
 10 files changed, 76 insertions(+), 21 deletions(-)
 create mode 100644 scripts/build-modsecurity
 create mode 100644 scripts/install-modsecurity_ruleset

diff --git a/.jenkins/Jenkinsfile b/.jenkins/Jenkinsfile
index 7721f2e..2c826dd 100644
--- a/.jenkins/Jenkinsfile
+++ b/.jenkins/Jenkinsfile
@@ -16,10 +16,10 @@ pipeline {
 BUILDX_NAME = "${IMAGE}_${GIT_BRANCH}"
 BRANCH_LOWER = "${BRANCH_NAME.toLowerCase().replaceAll('/', '-')}"
 // Software versions; OpenResty does not support Lua >= 5.2
-OPENRESTY_VERSION = '1.21.4.3'
-CROWDSEC_OPENRESTY_BOUNCER_VERSION = '0.1.7'
-LUA_VERSION = '5.1.5'
-LUAROCKS_VERSION = '3.3.1'
+OPENRESTY_VERSION = '1.25.3.1'
+CROWDSEC_OPENRESTY_BOUNCER_VERSION = '1.0.2'
+LUA_VERSION = '5.4.7'
+LUAROCKS_VERSION = '3.11.1'
 }
 stages {
 stage('Environment') {
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 55619ac..5eb8917 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -2,11 +2,12 @@
 # Nginx Builder
 #############
 
-FROM debian:bookworm-slim as nginxbuilder
+FROM debian:bookworm-slim AS nginxbuilder
 
 ARG OPENRESTY_VERSION
 ARG LUA_VERSION
 ARG LUAROCKS_VERSION
+ARG CSR_VERSION
 
 RUN apt-get update \
 && apt-get install -y \
@@ -16,7 +17,11 @@ RUN apt-get update \
 libpcre3-dev \
 libreadline-dev \
 libssl-dev \
- openssl unzip \
+ openssl \
+ unzip \
+ autoconf \
+ automake \
+ libtool \
 wget \
 zlib1g-dev \
 git \
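Review bot: The context comment `// Software versions; OpenResty does not support Lua >= 5.2` now sits directly above `LUA_VERSION = '5.4.7'`, so either the comment is stale or the bump contradicts a constraint the build depends on. OpenResty bundles its own LuaJIT, which targets the Lua 5.1 language level, so if scripts/build-lua (not part of this series) builds LuaRocks against this Lua, rocks with C parts may be compiled for an ABI the embedded runtime does not load — worth confirming before the bump lands. Either rewrite the comment to say why 5.4 is acceptable now, or keep LUA_VERSION on the 5.1 line. The same values are duplicated in local-build.sh and local-buildx.sh in this patch, so whichever way it goes, all three should move together.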
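Review bot: `ARG CSR_VERSION` is declared in the nginxbuilder stage, but nothing run in that stage reads it — scripts/build-modsecurity clones branches rather than a tagged version, and the rule set download happens in the final stage, which redeclares the ARG on its own. The declaration here is dead and misleads the reader about where the value is consumed; drop it, or give build-modsecurity a pinned version argument of its own so the builder stage actually becomes reproducible. In the following hunk the new build tools (`autoconf`, `automake`, `libtool`) are appended after `unzip` with no version pins, matching the existing list's style but not hadolint's; a `# needed by ModSecurity build.sh` comment above them would at least record why they are there.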
@@ -26,6 +31,9 @@ RUN apt-get update \
 COPY ./scripts/build-lua /tmp/build-lua
 RUN /tmp/build-lua
 
+COPY ./scripts/build-modsecurity /tmp/build-modsecurity
+RUN /tmp/build-modsecurity
+
 # Nginx build
 COPY ./scripts/build-openresty /tmp/build-openresty
 RUN /tmp/build-openresty
@@ -34,7 +42,7 @@ RUN /tmp/build-openresty
 # Final Image
 #############
 
-FROM debian:bookworm-slim as final
+FROM debian:bookworm-slim AS final
 LABEL maintainer="Jamie Curnow "
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
@@ -71,6 +79,9 @@ COPY ./files/.bashrc /root/.bashrc
 # Copy lua and luarocks builds from first image
 COPY --from=nginxbuilder /tmp/lua /tmp/lua
 COPY --from=nginxbuilder /tmp/luarocks /tmp/luarocks
+COPY --from=nginxbuilder /tmp/ModSecurity /tmp/ModSecurity
+COPY --from=nginxbuilder /tmp/ModSecurity-nginx /tmp/ModSecurity-nginx
+COPY ./scripts/install-modsecurity_ruleset /tmp/install-modsecurity_ruleset
 COPY ./scripts/install-lua /tmp/install-lua
 
 # Copy openresty build from first image
@@ -82,8 +93,10 @@ COPY ./scripts/install-crowdsec_openresty_bouncer /tmp/install-crowdsec_openrest
 
 ARG OPENRESTY_VERSION
 ARG CROWDSEC_OPENRESTY_BOUNCER_VERSION
+ARG CSR_VERSION
 ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt \
 OPENRESTY_VERSION=${OPENRESTY_VERSION} \
+ CSR_VERSION=${CSR_VERSION} \
 CROWDSEC_OPENRESTY_BOUNCER_VERSION=${CROWDSEC_OPENRESTY_BOUNCER_VERSION}
 
 # Install openresty, lua, then clean up file system
@@ -91,6 +104,7 @@ RUN apt-get update \
 && apt-get install -y gcc make socat git \
 && /tmp/install-lua \
 && /tmp/install-openresty \
+ && /tmp/install-modsecurity_ruleset \
 && apt-get remove -y make gcc git wget gettext \
 && apt-get autoremove -y \
 && apt-get clean \
diff --git a/docker/Dockerfile.acmesh b/docker/Dockerfile.acmesh
index a790142..477fff2 100644
--- a/docker/Dockerfile.acmesh
+++ b/docker/Dockerfile.acmesh
@@ -1,5 +1,5 @@
 ARG BASE_IMAGE=nginxproxymanager/nginx-full:latest
-FROM $BASE_IMAGE as final
+FROM $BASE_IMAGE AS final
 
 ARG BASE_IMAGE
 ARG TARGETPLATFORM
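Review bot: `RUN /tmp/build-modsecurity` will very likely fail with a permission error, because the script is added in this series with `new file mode 100644` (the repo's other scripts, e.g. scripts/build-openresty, are 100755) and `COPY` keeps the context file's mode; the same applies to scripts/install-modsecurity_ruleset, which the later `RUN` of this file executes the same way. Either mark both scripts executable in the repo or invoke them as `RUN bash /tmp/build-modsecurity`. Separately, nothing in the series adds `--add-dynamic-module=/tmp/ModSecurity-nginx` (or a static equivalent) to the configure call in scripts/build-openresty — the hunks of that file shown in patches 4 and 5 still end at the geoip2 module — so unless that flag already exists outside the shown lines, the connector is cloned but never compiled and the rule set installed later has no module to load.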
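Review bot: The two `COPY --from=nginxbuilder /tmp/ModSecurity…` lines bring the cloned source trees into the final image, not the library the runtime needs: `make install` in scripts/build-modsecurity places libmodsecurity under its configure prefix (`/usr/local/modsecurity` by default, and `./configure` is given no other in this series), and no final-stage step installs from or references /tmp/ModSecurity or /tmp/ModSecurity-nginx. If the existing end-of-RUN cleanup (outside this hunk) clears /tmp, the copies are pure build bulk; if it does not, a full checkout with submodules and object files ships in the production image. Copy the install prefix instead, e.g. `COPY --from=nginxbuilder /usr/local/modsecurity /usr/local/modsecurity`, plus only the individual files the engine expects from the source tree (`modsecurity.conf-recommended`, `unicode.mapping`), and drop the tree copies. The `ENV CSR_VERSION=…` added a few hunks down persists a build-only value into the runtime environment; it follows the file's existing pattern, but the value is only read by the install script, so an `ARG` alone would do.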
diff --git a/docker/Dockerfile.acmesh-golang b/docker/Dockerfile.acmesh-golang
index 4a204d7..97e5e50 100644
--- a/docker/Dockerfile.acmesh-golang
+++ b/docker/Dockerfile.acmesh-golang
@@ -1,6 +1,6 @@
 ARG ACMESH_IMAGE=nginxproxymanager/nginx-full:acmesh
-FROM golang:latest as go
-FROM $ACMESH_IMAGE as final
+FROM golang:latest AS go
+FROM $ACMESH_IMAGE AS final
 
 ARG ACMESH_IMAGE
 ARG TARGETPLATFORM
diff --git a/docker/Dockerfile.certbot b/docker/Dockerfile.certbot
index 843c525..34d09f5 100644
--- a/docker/Dockerfile.certbot
+++ b/docker/Dockerfile.certbot
@@ -4,7 +4,7 @@ ARG BASE_IMAGE=nginxproxymanager/nginx-full:latest
 # Certbot Builder
 #############
 
-FROM debian:bookworm-slim as certbotbuilder
+FROM debian:bookworm-slim AS certbotbuilder
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
@@ -41,7 +41,7 @@ RUN pip install --no-cache-dir --upgrade pyopenssl \
 #############
 # Final Image
 #############
-FROM $BASE_IMAGE as final
+FROM $BASE_IMAGE AS final
 
 ARG BASE_IMAGE
 ARG TARGETPLATFORM
diff --git a/docker/Dockerfile.certbot-node b/docker/Dockerfile.certbot-node
index 48b402b..2960fba 100644
--- a/docker/Dockerfile.certbot-node
+++ b/docker/Dockerfile.certbot-node
@@ -1,5 +1,5 @@
 ARG CERTBOT_IMAGE=nginxproxymanager/nginx-full:certbot
-FROM $CERTBOT_IMAGE as final
+FROM $CERTBOT_IMAGE AS final
 
 ARG CERTBOT_IMAGE
 ARG TARGETPLATFORM
diff --git a/local-build.sh b/local-build.sh
index b429cf8..fe6e193 100755
--- a/local-build.sh
+++ b/local-build.sh
@@ -9,10 +9,11 @@ RESET='\E[0m'
 REGISTRY=${REGISTRY:-}
 DOCKER_IMAGE="${REGISTRY}nginxproxymanager/nginx-full"
 
-export OPENRESTY_VERSION=1.21.4.3
-export CROWDSEC_OPENRESTY_BOUNCER_VERSION=0.1.7
-export LUA_VERSION=5.1.5
-export LUAROCKS_VERSION=3.3.1
+export OPENRESTY_VERSION=1.25.3.1
+export CROWDSEC_OPENRESTY_BOUNCER_VERSION=1.0.2
+export LUA_VERSION=5.4.7
+export LUAROCKS_VERSION=3.11.1
+export CSR_VERSION=4.5.0
 export BASE_IMAGE="${DOCKER_IMAGE}:latest"
 export ACMESH_IMAGE="${DOCKER_IMAGE}:acmesh"
 
@@ -29,6 +30,7 @@ docker build \
 --build-arg CROWDSEC_OPENRESTY_BOUNCER_VERSION \
 --build-arg LUA_VERSION \
 --build-arg LUAROCKS_VERSION \
+ --build-arg CSR_VERSION \
 -t "$BASE_IMAGE" \
 -f docker/Dockerfile \
 .
diff --git a/local-buildx.sh b/local-buildx.sh
index aeffef8..4604692 100755
--- a/local-buildx.sh
+++ b/local-buildx.sh
@@ -9,10 +9,10 @@ RESET='\E[0m'
 DOCKER_IMAGE="${REGISTRY:-}nginxproxymanager/nginx-full"
 PLATFORMS=linux/amd64,linux/arm64,linux/arm/7
 
-export OPENRESTY_VERSION=1.21.4.3
-export CROWDSEC_OPENRESTY_BOUNCER_VERSION=0.1.7
-export LUA_VERSION=5.1.5
-export LUAROCKS_VERSION=3.3.1
+export OPENRESTY_VERSION=1.25.3.1
+export CROWDSEC_OPENRESTY_BOUNCER_VERSION=1.0.2
+export LUA_VERSION=5.4.7
+export LUAROCKS_VERSION=3.11.1
 export BASE_IMAGE="${DOCKER_IMAGE}:latest"
 export ACMESH_IMAGE="${DOCKER_IMAGE}:acmesh"
 
diff --git a/scripts/build-modsecurity b/scripts/build-modsecurity
new file mode 100644
index 0000000..38db7af
--- /dev/null
+++ b/scripts/build-modsecurity
@@ -0,0 +1,22 @@
+#!/bin/bash -e
+
+BLUE='\E[1;34m'
+CYAN='\E[1;36m'
+YELLOW='\E[1;33m'
+GREEN='\E[1;32m'
+RESET='\E[0m'
+
+echo -e "${BLUE}❯ ${CYAN}Building ModSecurity ${YELLOW}V3${RESET}"
+
+cd /tmp
+git clone https://github.com/owasp-modsecurity/ModSecurity --depth 1 --branch v3/master
+cd ModSecurity
+sh build.sh
+git submodule init
+git submodule update
+./configure
+make
+make install
+
+cd /tmp
+git clone https://github.com/owasp-modsecurity/ModSecurity-nginx --depth 1 --branch master
diff --git a/scripts/install-modsecurity_ruleset b/scripts/install-modsecurity_ruleset
new file mode 100644
index 0000000..322bc0a
--- /dev/null
+++ b/scripts/install-modsecurity_ruleset
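Review bot: Both `git clone` lines in scripts/build-modsecurity track moving branches (`--branch v3/master`, `--branch master`) with no tag, commit or checksum, so each image build compiles whatever upstream HEAD is at that moment — the builder stage is neither reproducible nor reviewable, unlike the other components in this repo, which are pinned through `*_VERSION` build args. Pin to release tags passed in the same way, e.g. `git clone https://github.com/owasp-modsecurity/ModSecurity --depth 1 --branch v${MODSECURITY_VERSION}` (placeholder arg name; declare it next to the existing `ARG`s in docker/Dockerfile and export it in the build scripts), and do the same for ModSecurity-nginx; a shallow clone of a tag still lets `git submodule update` fetch the submodule commits that tag records. The script also leaves the library under the configure prefix rather than in /tmp/ModSecurity, which matters for how docker/Dockerfile later copies it. A closing `echo -e "${BLUE}❯ ${GREEN}ModSecurity build completed${RESET}"` would match install-modsecurity_ruleset's shape and give the otherwise unused `GREEN` a purpose.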
@@ -0,0 +1,17 @@
+#!/bin/bash -e
+
+BLUE='\E[1;34m'
+CYAN='\E[1;36m'
+YELLOW='\E[1;33m'
+GREEN='\E[1;32m'
+RESET='\E[0m'
+
+echo -e "${BLUE}❯ ${CYAN}Installing ModSecurity CoreRuleSet ${YELLOW}${CSR_VERSION}...${RESET}"
+
+cd /tmp
+mkdir -p /etc/modsecurity
+wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v${CSR_VERSION}.tar.gz
+tar -xzf v${CSR_VERSION}.tar.gz --strip 1 -C /etc/modsecurity
+rm -rf v${CSR_VERSION}.tar.gz
+
+echo -e "${BLUE}❯ ${GREEN}ModSecurity CoreRuleSet install completed${RESET}"

From 709e6c37eb6f4a54641de661d3577eb1cd349415 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominic=20Rico=20G=C3=B3mez?=
Date: Sat, 3 Aug 2024 23:03:32 +0200
Subject: [PATCH 2/5] add missing env var for jenkins

---
 .jenkins/Jenkinsfile | 1 +
 local-buildx.sh | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/.jenkins/Jenkinsfile b/.jenkins/Jenkinsfile
index 2c826dd..08f1777 100644
--- a/.jenkins/Jenkinsfile
+++ b/.jenkins/Jenkinsfile
@@ -20,6 +20,7 @@ pipeline {
 CROWDSEC_OPENRESTY_BOUNCER_VERSION = '1.0.2'
 LUA_VERSION = '5.4.7'
 LUAROCKS_VERSION = '3.11.1'
+CSR_VERSION = '4.5.0'
 }
 stages {
 stage('Environment') {
diff --git a/local-buildx.sh b/local-buildx.sh
index 4604692..314aa62 100755
--- a/local-buildx.sh
+++ b/local-buildx.sh
@@ -13,6 +13,7 @@ export OPENRESTY_VERSION=1.25.3.1
 export CROWDSEC_OPENRESTY_BOUNCER_VERSION=1.0.2
 export LUA_VERSION=5.4.7
 export LUAROCKS_VERSION=3.11.1
+export CSR_VERSION=4.5.0
 export BASE_IMAGE="${DOCKER_IMAGE}:latest"
 export ACMESH_IMAGE="${DOCKER_IMAGE}:acmesh"
 
@@ -38,6 +39,7 @@ docker buildx build \
 --build-arg CROWDSEC_OPENRESTY_BOUNCER_VERSION \
 --build-arg LUA_VERSION \
 --build-arg LUAROCKS_VERSION \
+ --build-arg CSR_VERSION \
 -t "$BASE_IMAGE" \
 -f docker/Dockerfile \
 .

From 299e5f1cc43dcb2cf9f9c0f9b5b2f2c7c7422b97 Mon Sep 17 00:00:00 2001
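Review bot: The CRS archive fetched by `wget` is unpacked straight into `/etc/modsecurity` with no integrity check, so the rule set baked into the image is whatever bytes arrived over that download — pinning `CSR_VERSION` narrows the window but does not verify content. Insert a checksum step between the download and the extract, e.g. `echo "<CRS_SHA256_PLACEHOLDER>  v${CSR_VERSION}.tar.gz" | sha256sum -c -`, with the hash maintained next to `CSR_VERSION` in the build scripts (or verify an upstream release signature if one is published for the tag). An unset `CSR_VERSION` — docker/Dockerfile passes it through `ARG`/`ENV` with no default — turns the URL into `…/refs/tags/v.tar.gz` and the only diagnostic is wget's 404; `: "${CSR_VERSION:?CSR_VERSION must be set}"` at the top of the script fails fast with a clear message. The script also relies on `wget` existing in the final stage, which the visible `apt-get install -y gcc make socat git` line does not add (it is removed afterwards, so presumably it arrives earlier in the file — worth confirming). Note that `--strip 1` leaves `crs-setup.conf.example` and `rules/` directly under /etc/modsecurity, while nothing in this series writes the ModSecurity base configuration the engine loads before the CRS; a one-line comment saying where that is expected to come from would help the next maintainer.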
From: =?UTF-8?q?Dominic=20Rico=20G=C3=B3mez?=
Date: Sun, 4 Aug 2024 10:45:59 +0200
Subject: [PATCH 3/5] add missing env var for buildx

---
 scripts/buildx | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/buildx b/scripts/buildx
index b947277..c5067b0 100755
--- a/scripts/buildx
+++ b/scripts/buildx
@@ -26,6 +26,7 @@ docker buildx build \
 --build-arg LUA_VERSION \
 --build-arg LUAROCKS_VERSION \
 --build-arg CROWDSEC_OPENRESTY_BOUNCER_VERSION \
+ --build-arg CSR_VERSION \
 $@ \
 .
 

From 90abd96728ec5a3d5939059718529e6a8c89de96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominic=20Rico=20G=C3=B3mez?=
Date: Sun, 4 Aug 2024 21:41:25 +0200
Subject: [PATCH 4/5] add stream log module

---
 scripts/build-openresty | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/build-openresty b/scripts/build-openresty
index 9f3a1bb..33d7d45 100755
--- a/scripts/build-openresty
+++ b/scripts/build-openresty
@@ -54,6 +54,7 @@ cd /tmp/openresty
 --with-stream \
 --with-stream_realip_module \
 --with-stream_ssl_module \
+ --with-stream_log_module \
 --with-stream_ssl_preread_module \
 --add-dynamic-module=/tmp/openresty/ngx_http_geoip2_module
 

From 258910c902cb00087f5e57edbc26feb754e41855 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominic=20Rico=20G=C3=B3mez?=
Date: Mon, 5 Aug 2024 10:02:24 +0200
Subject: [PATCH 5/5] remove wrong build arg again

---
 scripts/build-openresty | 1 -
 1 file changed, 1 deletion(-)

diff --git a/scripts/build-openresty b/scripts/build-openresty
index 33d7d45..9f3a1bb 100755
--- a/scripts/build-openresty
+++ b/scripts/build-openresty
@@ -54,7 +54,6 @@ cd /tmp/openresty
 --with-stream \
 --with-stream_realip_module \
 --with-stream_ssl_module \
- --with-stream_log_module \
 --with-stream_ssl_preread_module \
 --add-dynamic-module=/tmp/openresty/ngx_http_geoip2_module
 