From 1028ff1d4524204ae4d3728c9b21927fa7e1c98d Mon Sep 17 00:00:00 2001
From: Visshal Natarajan
Date: Fri, 27 Sep 2024 09:14:41 +0800
Subject: [PATCH 1/5] Update Dockerfile Removed geo-ip flag and library to ensure proper functionality based upon "nginx -s reload" based on Issue 2041 (Modsecurity)
---
 nginx/Dockerfile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index 9cb1e8a..14f4d85 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -21,7 +21,6 @@ RUN set -eux; \
 git \
 libcurl4-gnutls-dev \
 libfuzzy-dev \
- libgeoip-dev \
 liblua${LUA_VERSION}-dev \
 libpcre3-dev \
 libpcre2-dev \
@@ -51,7 +50,7 @@ RUN set -eux; \
 sed -ie "s/i386-linux-gnu/${ARCH}/g" build/ssdeep.m4; \
 sed -ie "s/i386-linux-gnu/${ARCH}/g" build/pcre2.m4; \
 ./build.sh; \
- ./configure --with-yajl --with-ssdeep --with-geoip --with-pcre2 --with-maxmind --enable-silent-rules; \
+ ./configure --with-yajl --with-ssdeep --with-pcre2 --with-maxmind --enable-silent-rules; \
 make install; \
 strip /usr/local/modsecurity/lib/lib*.so*
From f3c19a20181e40497b142cf96f81397f80755ed8 Mon Sep 17 00:00:00 2001
From: Visshal Natarajan
Date: Fri, 27 Sep 2024 09:17:29 +0800
Subject: [PATCH 2/5] Update Dockerfile-alpine
---
 nginx/Dockerfile-alpine | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/nginx/Dockerfile-alpine b/nginx/Dockerfile-alpine
index 42fef64..8912383 100644
--- a/nginx/Dockerfile-alpine
+++ b/nginx/Dockerfile-alpine
@@ -18,7 +18,6 @@ RUN set -eux; \
 curl-dev \
 g++ \
 gcc \
- geoip-dev \
 git \
 libc-dev \
 libfuzzy2-dev \
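Review bot: The `./configure` line in the `@@ -51,7 +50,7 @@` hunk of nginx/Dockerfile drops `--with-geoip` with no comment in the Dockerfile saying why, so a later maintainer can re-add it and bring back the reload problem the commit message refers to; the same applies to the matching `./configure` hunks in nginx/Dockerfile-alpine (patch 2/5) and openresty/Dockerfile-alpine (patch 3/5). I would put a comment above the line such as `# legacy GeoIP deliberately omitted: breaks "nginx -s reload" (ModSecurity issue 2041); geo lookups go through --with-maxmind`. With only `--with-maxmind` left, geo lookups presumably need a MaxMind-format database, so deployments whose rules still point at a legacy GeoIP database should be checked before this image is rolled out, since a geo-based rule that stops matching is a quiet loss of coverage. The RUN instruction starts and ends outside the hunk.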
@@ -48,7 +47,7 @@ RUN set -eux; \
 sed -ie "s/i386-linux-gnu/${ARCH}/g" build/ssdeep.m4; \
 sed -ie "s/i386-linux-gnu/${ARCH}/g" build/pcre2.m4; \
 ./build.sh; \
- ./configure --with-yajl --with-ssdeep --with-lmdb --with-geoip --with-pcre2 --with-maxmind --enable-silent-rules; \
+ ./configure --with-yajl --with-ssdeep --with-lmdb --with-pcre2 --with-maxmind --enable-silent-rules; \
 make install; \
 strip /usr/local/modsecurity/lib/lib*.so*
From 8f293c3fbd738271b3ca7f937215218f340a853c Mon Sep 17 00:00:00 2001
From: Visshal Natarajan
Date: Fri, 27 Sep 2024 09:19:34 +0800
Subject: [PATCH 3/5] Update Dockerfile-alpine
---
 openresty/Dockerfile-alpine | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/openresty/Dockerfile-alpine b/openresty/Dockerfile-alpine
index b0f682d..04ae92d 100644
--- a/openresty/Dockerfile-alpine
+++ b/openresty/Dockerfile-alpine
@@ -19,7 +19,6 @@ RUN set -eux; \
 curl-dev \
 g++ \
 gcc \
- geoip-dev \
 git \
 libc-dev \
 libfuzzy2-dev \
@@ -53,7 +52,7 @@ RUN set -eux; \
 sed -ie "s/i386-linux-gnu/${ARCH}/g" build/ssdeep.m4; \
 sed -ie "s/i386-linux-gnu/${ARCH}/g" build/pcre2.m4; \
 ./build.sh; \
- ./configure --with-yajl --with-ssdeep --with-lmdb --with-geoip --enable-silent-rules --with-pcre2 --with-maxmind; \
+ ./configure --with-yajl --with-ssdeep --with-lmdb --enable-silent-rules --with-pcre2 --with-maxmind; \
 make install; \
 strip /usr/local/modsecurity/lib/lib*.so*
From 4f5d88ee2b382b17f5db96b0619ea463ea1d7aba Mon Sep 17 00:00:00 2001
From: Visshal Natarajan
Date: Fri, 27 Sep 2024 10:57:14 +0800
Subject: [PATCH 4/5] Update Dockerfile-alpine
---
 openresty/Dockerfile-alpine | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/openresty/Dockerfile-alpine b/openresty/Dockerfile-alpine
index 04ae92d..e81451b 100644
--- a/openresty/Dockerfile-alpine
+++ b/openresty/Dockerfile-alpine
@@ -52,7 +52,7 @@ RUN set -eux; \
 sed -ie "s/i386-linux-gnu/${ARCH}/g" build/ssdeep.m4; \
 sed -ie "s/i386-linux-gnu/${ARCH}/g" build/pcre2.m4; \
 ./build.sh; \
- ./configure --with-yajl --with-ssdeep --with-lmdb --enable-silent-rules --with-pcre2 --with-maxmind; \
+ ./configure --with-yajl --with-ssdeep --with-lmdb --enable-silent-rules --with-pcre2; \
 make install; \
 strip /usr/local/modsecurity/lib/lib*.so*
@@ -68,7 +68,7 @@ RUN set -eux; \
 COMPILEOPTIONS=$(openresty -V 2>&1| grep -i "arguments"|cut -d ":" -f2-); \
 eval ./configure $COMPILEOPTIONS --add-dynamic-module=../../../ModSecurity-nginx; \
 make modules; \
- cp objs/ngx_http_modsecurity_module.so /usr/local/openresty/nginx/modules/; \
+ cp objs/ngx_http_modsecurity_module.so /usr/local/openresty/nginx/modules/; \
 mkdir /etc/modsecurity.d; \
 curl -sSL https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/unicode.mapping \
 -o /etc/modsecurity.d/unicode.mapping
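Review bot: The `./configure` line in the `@@ -52,7 +52,7 @@` hunk now also drops `--with-maxmind`, which after patch 3/5 removed `--with-geoip` leaves this ModSecurity build with no geo-lookup backend named on the command line, and the commit message ("Update Dockerfile-alpine") does not say this is intended. If it is deliberate, say so in a comment on the line and in the commit message; if not, keep the flag: `./configure --with-yajl --with-ssdeep --with-lmdb --enable-silent-rules --with-pcre2 --with-maxmind; \`. Rules that rely on geo lookups would presumably stop matching or fail to load in such a build, which is worth testing against the shipped rule set. The RUN instruction continues outside the hunk.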
@@ -98,12 +98,12 @@ RUN set -eux; \
 curl \
 gnupg; \
 mkdir /opt/owasp-crs; \
- curl -sSL https://github.com/coreruleset/coreruleset/releases/download/v${CRS_RELEASE}/coreruleset-${CRS_RELEASE}-minimal.tar.gz -o v${CRS_RELEASE}-minimal.tar.gz; \
- curl -sSL https://github.com/coreruleset/coreruleset/releases/download/v${CRS_RELEASE}/coreruleset-${CRS_RELEASE}-minimal.tar.gz.asc -o coreruleset-${CRS_RELEASE}-minimal.tar.gz.asc; \
+ curl -SL https://github.com/coreruleset/coreruleset/archive/v${CRS_RELEASE}.tar.gz -o v${CRS_RELEASE}.tar.gz; \
+ curl -SL https://github.com/coreruleset/coreruleset/releases/download/v${CRS_RELEASE}/coreruleset-${CRS_RELEASE}.tar.gz.asc -o coreruleset-${CRS_RELEASE}.tar.gz.asc; \
 gpg --fetch-key https://coreruleset.org/security.asc; \
- gpg --verify coreruleset-${CRS_RELEASE}-minimal.tar.gz.asc v${CRS_RELEASE}-minimal.tar.gz; \
- tar -zxf v${CRS_RELEASE}-minimal.tar.gz --strip-components=1 -C /opt/owasp-crs; \
- rm -f v${CRS_RELEASE}-minimal.tar.gz coreruleset-${CRS_RELEASE}-minimal.tar.gz.asc; \
+ gpg --verify coreruleset-${CRS_RELEASE}.tar.gz.asc v${CRS_RELEASE}.tar.gz; \
+ tar -zxf v${CRS_RELEASE}.tar.gz --strip-components=1 -C /opt/owasp-crs; \
+ rm -f v${CRS_RELEASE}.tar.gz coreruleset-${CRS_RELEASE}.tar.gz.asc; \
 mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf
 FROM openresty/openresty:${OPENRESTY_VERSION}-alpine-fat
@@ -245,7 +245,7 @@ RUN set -eux; \
 mkdir /var/log/nginx; \
 mkdir -p /tmp/modsecurity/data; \
 mkdir -p /tmp/modsecurity/upload; \
- mkdir -p /tmp/modsecurity/tmp; \
+ mkdir -p /tmp/modsecurity/tmp; \
 mkdir -p /usr/local/modsecurity; \
 # Comment out the SecDisableBackendCompression option since it is not supported in V3
 sed -i 's/^\(SecDisableBackendCompression .*\)/# \1/' /usr/local/openresty/nginx/templates/modsecurity.d/modsecurity-override.conf.template; \
From 1acb04cf423bd46423793eac0fd0398b6abd0a54 Mon Sep 17 00:00:00 2001
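Review bot: The two `curl` lines in the `@@ -98,12 +98,12 @@` hunk now take the tarball from the `archive/v${CRS_RELEASE}.tar.gz` URL but the detached signature from the release assets, so `gpg --verify` only passes while the generated archive is byte-for-byte the file that was signed; the `-minimal` release asset and its own `.asc`, which the removed lines fetched from the same release, are the safer pair to keep. The full archive also unpacks the whole repository into /opt/owasp-crs instead of the minimal rule set, which presumably enlarges the image for no runtime benefit. Separately, and also in the matching hunk of patch 5/5, `gpg --verify` accepts a signature from any key in the keyring and the key is fetched at build time by `gpg --fetch-key` with no fingerprint check, so the verification is only as strong as that HTTPS download; I would compare the imported key's fingerprint with a value pinned in the Dockerfile (`<CRS_SIGNING_KEY_FINGERPRINT>`, placeholder) before verifying. The change from `-sSL` to `-SL` is not explained in the commit message. The RUN instruction starts outside the hunk.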
From: Visshal Natarajan
Date: Fri, 27 Sep 2024 11:23:13 +0800
Subject: [PATCH 5/5] Update Dockerfile-alpine
---
 openresty/Dockerfile-alpine | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/openresty/Dockerfile-alpine b/openresty/Dockerfile-alpine
index e81451b..b0f682d 100644
--- a/openresty/Dockerfile-alpine
+++ b/openresty/Dockerfile-alpine
@@ -19,6 +19,7 @@ RUN set -eux; \
 curl-dev \
 g++ \
 gcc \
+ geoip-dev \
 git \
 libc-dev \
 libfuzzy2-dev \
@@ -52,7 +53,7 @@ RUN set -eux; \
 sed -ie "s/i386-linux-gnu/${ARCH}/g" build/ssdeep.m4; \
 sed -ie "s/i386-linux-gnu/${ARCH}/g" build/pcre2.m4; \
 ./build.sh; \
- ./configure --with-yajl --with-ssdeep --with-lmdb --enable-silent-rules --with-pcre2; \
+ ./configure --with-yajl --with-ssdeep --with-lmdb --with-geoip --enable-silent-rules --with-pcre2 --with-maxmind; \
 make install; \
 strip /usr/local/modsecurity/lib/lib*.so*
@@ -68,7 +69,7 @@ RUN set -eux; \
 COMPILEOPTIONS=$(openresty -V 2>&1| grep -i "arguments"|cut -d ":" -f2-); \
 eval ./configure $COMPILEOPTIONS --add-dynamic-module=../../../ModSecurity-nginx; \
 make modules; \
- cp objs/ngx_http_modsecurity_module.so /usr/local/openresty/nginx/modules/; \
+ cp objs/ngx_http_modsecurity_module.so /usr/local/openresty/nginx/modules/; \
 mkdir /etc/modsecurity.d; \
 curl -sSL https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/unicode.mapping \
 -o /etc/modsecurity.d/unicode.mapping
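Review bot: The `+ geoip-dev \` line in the `@@ -19,6 +19,7 @@` hunk and the `./configure` line in `@@ -52,7 +53,7 @@` put `geoip-dev` and `--with-geoip` back, and the index line (`e81451b..b0f682d`) shows the file returning to the blob patch 3/5 started from, so over the series openresty/Dockerfile-alpine ends up unchanged while both nginx images lose legacy GeoIP. If the reload problem named in patch 1/5 affects the OpenResty image too, this leaves it unfixed there; if OpenResty is intentionally excluded, the commit message should say so instead of "Update Dockerfile-alpine", and a comment such as `# legacy GeoIP kept for OpenResty: <reason>` on the package line would record it. Dropping patches 3/5 to 5/5 from the series would give the same end state without the intermediate build that had no geo backend. Both RUN instructions start and end outside their hunks.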
@@ -98,12 +99,12 @@ RUN set -eux; \
 curl \
 gnupg; \
 mkdir /opt/owasp-crs; \
- curl -SL https://github.com/coreruleset/coreruleset/archive/v${CRS_RELEASE}.tar.gz -o v${CRS_RELEASE}.tar.gz; \
- curl -SL https://github.com/coreruleset/coreruleset/releases/download/v${CRS_RELEASE}/coreruleset-${CRS_RELEASE}.tar.gz.asc -o coreruleset-${CRS_RELEASE}.tar.gz.asc; \
+ curl -sSL https://github.com/coreruleset/coreruleset/releases/download/v${CRS_RELEASE}/coreruleset-${CRS_RELEASE}-minimal.tar.gz -o v${CRS_RELEASE}-minimal.tar.gz; \
+ curl -sSL https://github.com/coreruleset/coreruleset/releases/download/v${CRS_RELEASE}/coreruleset-${CRS_RELEASE}-minimal.tar.gz.asc -o coreruleset-${CRS_RELEASE}-minimal.tar.gz.asc; \
 gpg --fetch-key https://coreruleset.org/security.asc; \
- gpg --verify coreruleset-${CRS_RELEASE}.tar.gz.asc v${CRS_RELEASE}.tar.gz; \
- tar -zxf v${CRS_RELEASE}.tar.gz --strip-components=1 -C /opt/owasp-crs; \
- rm -f v${CRS_RELEASE}.tar.gz coreruleset-${CRS_RELEASE}.tar.gz.asc; \
+ gpg --verify coreruleset-${CRS_RELEASE}-minimal.tar.gz.asc v${CRS_RELEASE}-minimal.tar.gz; \
+ tar -zxf v${CRS_RELEASE}-minimal.tar.gz --strip-components=1 -C /opt/owasp-crs; \
+ rm -f v${CRS_RELEASE}-minimal.tar.gz coreruleset-${CRS_RELEASE}-minimal.tar.gz.asc; \
 mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf
 FROM openresty/openresty:${OPENRESTY_VERSION}-alpine-fat
@@ -245,7 +246,7 @@ RUN set -eux; \
 mkdir /var/log/nginx; \
 mkdir -p /tmp/modsecurity/data; \
 mkdir -p /tmp/modsecurity/upload; \
- mkdir -p /tmp/modsecurity/tmp; \
+ mkdir -p /tmp/modsecurity/tmp; \
 mkdir -p /usr/local/modsecurity; \
 # Comment out the SecDisableBackendCompression option since it is not supported in V3
 sed -i 's/^\(SecDisableBackendCompression .*\)/# \1/' /usr/local/openresty/nginx/templates/modsecurity.d/modsecurity-override.conf.template; \