NginxProxyManager · dominicrico · Aug 3, 2024 · Aug 3, 2024 · Aug 4, 2024 · Aug 4, 2024
diff --git a/.jenkins/Jenkinsfile b/.jenkins/Jenkinsfile
@@ -16,10 +16,11 @@ pipeline {
 		BUILDX_NAME         = "${IMAGE}_${GIT_BRANCH}"
 		BRANCH_LOWER        = "${BRANCH_NAME.toLowerCase().replaceAll('/', '-')}"
 		// Software versions; OpenResty does not support Lua >= 5.2
-		OPENRESTY_VERSION                  = '1.21.4.3'
-		CROWDSEC_OPENRESTY_BOUNCER_VERSION = '0.1.7'
-		LUA_VERSION                        = '5.1.5'
-		LUAROCKS_VERSION                   = '3.3.1'
+		OPENRESTY_VERSION                  = '1.25.3.1'
+		CROWDSEC_OPENRESTY_BOUNCER_VERSION = '1.0.2'
+		LUA_VERSION                        = '5.4.7'
+		LUAROCKS_VERSION                   = '3.11.1'
+		CSR_VERSION												 = '4.5.0'
 	}
 	stages {
 		stage('Environment') {

diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -2,11 +2,12 @@
 # Nginx Builder
 #############
 
-FROM debian:bookworm-slim as nginxbuilder
+FROM debian:bookworm-slim AS nginxbuilder
 
 ARG OPENRESTY_VERSION
 ARG LUA_VERSION
 ARG LUAROCKS_VERSION
+ARG CSR_VERSION
 
 RUN apt-get update \
 	&& apt-get install -y \
@@ -16,7 +17,11 @@ RUN apt-get update \
 	libpcre3-dev \
 	libreadline-dev \
 	libssl-dev \
-	openssl unzip \
+	openssl \
+	unzip \
+	autoconf \
+	automake \
+	libtool \
 	wget \
 	zlib1g-dev \
 	git \
@@ -26,6 +31,9 @@ RUN apt-get update \
 COPY ./scripts/build-lua /tmp/build-lua
 RUN /tmp/build-lua
 
+COPY ./scripts/build-modsecurity /tmp/build-modsecurity
+RUN /tmp/build-modsecurity
+
 # Nginx build
 COPY ./scripts/build-openresty /tmp/build-openresty
 RUN /tmp/build-openresty
@@ -34,7 +42,7 @@ RUN /tmp/build-openresty
 # Final Image
 #############
 
-FROM debian:bookworm-slim as final
+FROM debian:bookworm-slim AS final
 LABEL maintainer="Jamie Curnow <[email protected]>"
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
@@ -71,6 +79,9 @@ COPY ./files/.bashrc /root/.bashrc
 # Copy lua and luarocks builds from first image
 COPY --from=nginxbuilder /tmp/lua /tmp/lua
 COPY --from=nginxbuilder /tmp/luarocks /tmp/luarocks
+COPY --from=nginxbuilder /tmp/ModSecurity /tmp/ModSecurity
+COPY --from=nginxbuilder /tmp/ModSecurity-nginx /tmp/ModSecurity-nginx
+COPY ./scripts/install-modsecurity_ruleset /tmp/install-modsecurity_ruleset
 COPY ./scripts/install-lua /tmp/install-lua
 
 # Copy openresty build from first image
@@ -82,15 +93,18 @@ COPY ./scripts/install-crowdsec_openresty_bouncer /tmp/install-crowdsec_openrest
 
 ARG OPENRESTY_VERSION
 ARG CROWDSEC_OPENRESTY_BOUNCER_VERSION
+ARG CSR_VERSION
 ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt \
 	OPENRESTY_VERSION=${OPENRESTY_VERSION} \
+	CSR_VERSION=${CSR_VERSION} \
 	CROWDSEC_OPENRESTY_BOUNCER_VERSION=${CROWDSEC_OPENRESTY_BOUNCER_VERSION}
 
 # Install openresty, lua, then clean up file system
 RUN apt-get update \
 	&& apt-get install -y gcc make socat git \
 	&& /tmp/install-lua \
 	&& /tmp/install-openresty \
+	&& /tmp/install-modsecurity_ruleset \
 	&& apt-get remove -y make gcc git wget gettext \
 	&& apt-get autoremove -y \
 	&& apt-get clean \

diff --git a/docker/Dockerfile.acmesh b/docker/Dockerfile.acmesh
@@ -1,5 +1,5 @@
 ARG BASE_IMAGE=nginxproxymanager/nginx-full:latest
-FROM $BASE_IMAGE as final
+FROM $BASE_IMAGE AS final
 ARG BASE_IMAGE
 ARG TARGETPLATFORM
 

diff --git a/docker/Dockerfile.acmesh-golang b/docker/Dockerfile.acmesh-golang
@@ -1,6 +1,6 @@
 ARG ACMESH_IMAGE=nginxproxymanager/nginx-full:acmesh
-FROM golang:latest as go
-FROM $ACMESH_IMAGE as final
+FROM golang:latest AS go
+FROM $ACMESH_IMAGE AS final
 ARG ACMESH_IMAGE
 ARG TARGETPLATFORM
 

diff --git a/docker/Dockerfile.certbot b/docker/Dockerfile.certbot
@@ -4,7 +4,7 @@ ARG BASE_IMAGE=nginxproxymanager/nginx-full:latest
 # Certbot Builder
 #############
 
-FROM debian:bookworm-slim as certbotbuilder
+FROM debian:bookworm-slim AS certbotbuilder
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
@@ -41,7 +41,7 @@ RUN pip install --no-cache-dir --upgrade pyopenssl \
 #############
 # Final Image
 #############
-FROM $BASE_IMAGE as final
+FROM $BASE_IMAGE AS final
 ARG BASE_IMAGE
 ARG TARGETPLATFORM
 

diff --git a/docker/Dockerfile.certbot-node b/docker/Dockerfile.certbot-node
@@ -1,5 +1,5 @@
 ARG CERTBOT_IMAGE=nginxproxymanager/nginx-full:certbot
-FROM $CERTBOT_IMAGE as final
+FROM $CERTBOT_IMAGE AS final
 ARG CERTBOT_IMAGE
 ARG TARGETPLATFORM
 

diff --git a/local-build.sh b/local-build.sh
@@ -9,10 +9,11 @@ RESET='\E[0m'
 REGISTRY=${REGISTRY:-}
 DOCKER_IMAGE="${REGISTRY}nginxproxymanager/nginx-full"
 
-export OPENRESTY_VERSION=1.21.4.3
-export CROWDSEC_OPENRESTY_BOUNCER_VERSION=0.1.7
-export LUA_VERSION=5.1.5
-export LUAROCKS_VERSION=3.3.1
+export OPENRESTY_VERSION=1.25.3.1
+export CROWDSEC_OPENRESTY_BOUNCER_VERSION=1.0.2
+export LUA_VERSION=5.4.7
+export LUAROCKS_VERSION=3.11.1
+export CSR_VERSION=4.5.0
 
 export BASE_IMAGE="${DOCKER_IMAGE}:latest"
 export ACMESH_IMAGE="${DOCKER_IMAGE}:acmesh"
@@ -29,6 +30,7 @@ docker build \
 	--build-arg CROWDSEC_OPENRESTY_BOUNCER_VERSION \
 	--build-arg LUA_VERSION \
 	--build-arg LUAROCKS_VERSION \
+	--build-arg CSR_VERSION \
 	-t "$BASE_IMAGE" \
 	-f docker/Dockerfile \
 	.

diff --git a/local-buildx.sh b/local-buildx.sh
@@ -9,10 +9,11 @@ RESET='\E[0m'
 DOCKER_IMAGE="${REGISTRY:-}nginxproxymanager/nginx-full"
 PLATFORMS=linux/amd64,linux/arm64,linux/arm/7
 
-export OPENRESTY_VERSION=1.21.4.3
-export CROWDSEC_OPENRESTY_BOUNCER_VERSION=0.1.7
-export LUA_VERSION=5.1.5
-export LUAROCKS_VERSION=3.3.1
+export OPENRESTY_VERSION=1.25.3.1
+export CROWDSEC_OPENRESTY_BOUNCER_VERSION=1.0.2
+export LUA_VERSION=5.4.7
+export LUAROCKS_VERSION=3.11.1
+export CSR_VERSION=4.5.0
 
 export BASE_IMAGE="${DOCKER_IMAGE}:latest"
 export ACMESH_IMAGE="${DOCKER_IMAGE}:acmesh"
@@ -38,6 +39,7 @@ docker buildx build \
 	--build-arg CROWDSEC_OPENRESTY_BOUNCER_VERSION \
 	--build-arg LUA_VERSION \
 	--build-arg LUAROCKS_VERSION \
+	--build-arg CSR_VERSION \
 	-t "$BASE_IMAGE" \
 	-f docker/Dockerfile \
 	.

diff --git a/scripts/build-modsecurity b/scripts/build-modsecurity
@@ -0,0 +1,22 @@
+#!/bin/bash -e
+
+BLUE='\E[1;34m'
+CYAN='\E[1;36m'
+YELLOW='\E[1;33m'
+GREEN='\E[1;32m'
+RESET='\E[0m'
+
+echo -e "${BLUE}❯ ${CYAN}Building ModSecurity ${YELLOW}V3${RESET}"
+
+cd /tmp
+git clone https://github.com/owasp-modsecurity/ModSecurity --depth 1 --branch v3/master
+cd ModSecurity
+sh build.sh
+git submodule init
+git submodule update
+./configure
+make
+make install
+
+cd /tmp
+git clone https://github.com/owasp-modsecurity/ModSecurity-nginx --depth 1 --branch master
diff --git a/scripts/buildx b/scripts/buildx
@@ -26,6 +26,7 @@ docker buildx build \
 	--build-arg LUA_VERSION \
 	--build-arg LUAROCKS_VERSION \
 	--build-arg CROWDSEC_OPENRESTY_BOUNCER_VERSION \
+	--build-arg CSR_VERSION \
 	$@ \
 	.
 

diff --git a/scripts/install-modsecurity_ruleset b/scripts/install-modsecurity_ruleset
@@ -0,0 +1,17 @@
+#!/bin/bash -e
+
+BLUE='\E[1;34m'
+CYAN='\E[1;36m'
+YELLOW='\E[1;33m'
+GREEN='\E[1;32m'
+RESET='\E[0m'
+
+echo -e "${BLUE}❯ ${CYAN}Installing ModSecurity CoreRuleSet ${YELLOW}${CSR_VERSION}...${RESET}"
+
+cd /tmp
+mkdir -p /etc/modsecurity
+wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v${CSR_VERSION}.tar.gz
+tar -xzf v${CSR_VERSION}.tar.gz --strip 1 -C /etc/modsecurity
+rm -rf v${CSR_VERSION}.tar.gz
+
+echo -e "${BLUE}❯ ${GREEN}ModSecurity CoreRuleSet install completed${RESET}"