This repository has been archived by the owner on May 14, 2020. It is now read-only.

Reorganize: util/regression-tests -> tests/regression, util/docker/Dockerfile -> /Dockerfile #1346

Closed
bittner opened this issue Apr 11, 2019 · 10 comments

@bittner
Contributor

bittner commented Apr 11, 2019

Some files and folders are currently not in obvious locations in this repository. It would make it easier for most people to stick to commonly used locations, e.g.

  • Regression tests: /util/regression-tests -> /tests/regression (Place everything that is related to testing the CRS in /tests)
  • Docker image: /util/docker/Dockerfile -> /Dockerfile (Typically placed in the root folder; accompanying files could be moved to /docker)
  • Optional: /documentation -> /docs

Would you be interested in a PR that corrects this?

@fgsch
Contributor

fgsch commented Apr 26, 2019

I think for the regression tests it makes sense. The docker image is used for testing really, and there are other dependencies so I think its current place is OK.

As for docs, I personally agree with your suggestion but I'm not sure if there is much value moving it around.

My suggestion would be to start with the tests and take it from there. What do you think?

@csanders-git
Contributor

I'll add symlinks and we'll slowly remove the old links as we proceed in the future.

@bittner
Contributor Author

bittner commented May 6, 2019

Thank you!

JFYI, we're inheriting from your Docker image (vshn/modsecurity), add a few sensible customizations and use it in production for customers. Going forward, we hope to get some insight into what makes sense to push upstream. I hope that sounds good.

@csanders-git
Contributor

That sounds good -- we've been making a lot of changes on this front in the coming week or two. As you might have noticed we've been focusing on the upstream https://hub.docker.com/r/owasp/modsecurity -- So now that this is almost done we can move down to the CRS one.

@bittner
Contributor Author

bittner commented May 13, 2019

I see the source code for the owasp/modsecurity image is at https://github.com/CRS-support/modsecurity-docker. This is a bit confusing, again. Why, when this image is in Docker Hub's owasp namespace, isn't the repository also on GitHub's owasp namespace?

IIUC, SpiderLabs and OWASP Foundation are somewhat connected. Moving the repo there would make a lot of sense.

(Sorry for going slightly off-topic!)

@ghost

ghost commented May 13, 2019

@bittner I forked @csanders-git’s Docker Repo, consolidated all the branches, and then added sections for Kubernetes Manifests and a Helm Chart. You can see this here: https://github.com/danehrlich1/modsecurity-kubernetes

I will work on this over the next couple of days. I was inspired by your earlier commits :)

Here is what I am thinking:

  • Images will inherit from GCP managed base images for trust/security
  • Create a base image
  • I will use GCP Cloud Build. The various runners they have like git will allow us to never even need to put those programs in the final image: https://cloud.google.com/cloud-build/docs/cloud-builders
  • Kaniko will be used to make the build extra extra fast :)
  • Push final container result to GCR for vulnerability analysis and secure hosting. Result can be mirrored to Docker Hub as well.

@ghost

ghost commented May 13, 2019

Later on since ModSecurity is really just a web server, you could deploy it briefly to Google Cloud Run and hit it with a bunch of attacks / tests. Would be within the free tier if you stay under 30 minutes and would give you some confidence in the final build.

@bittner
Contributor Author

bittner commented May 13, 2019

GCP, Google Cloud Platform, and trust/security. How does that fit together? (Maybe this is just a European thing to distrust Google.) From a technical view this might be okay, but I'd still be cautious.

@csanders-git
Contributor

csanders-git commented May 21, 2019

@bittner, the reason I orig made the docker folder is because we'll end up having multiple docker files (nginx, apache, and waflz) so for now I'm gonna leave that - but I'm gonna make a symlink for regressions -- let me know what you think. I'm also updating the images now.

@fgsch
Contributor

fgsch commented Oct 20, 2019

Moved to #1600
