Merge pull request #181 from theseion/merge-develop

chore: new release
coreruleset · Jan 8, 2024 · 5759699 · 5759699
2 parents 89bd72d + 6a77f90
commit 5759699
Show file tree

Hide file tree

Showing 6 changed files with 47 additions and 31 deletions.
diff --git a/README-containers.md b/README-containers.md
@@ -17,17 +17,17 @@ The Core Rule Set (CRS) is a set of generic attack detection rules for use with
 
 ## Supported tags and respective `Dockerfile` links
 
-* `3-nginx-YYYYMMDDHHMM`, `3.3-nginx-YYYYMMDDHHMM`, `3.3.5-nginx-YYYYMMDDHHMM`, `nginx` ([master/nginx/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)) – *last stable ModSecurity v3 on Nginx 1.24 official stable base image, and latest stable Core Rule Set 3.3.5*
-* `3-apache-YYYYMMDDHHMM`, `3.3-apache-YYYYMMDDHHMM`, `3.3.5-apache-YYYYMMDDHHMM`, `apache` ([master/apache/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)) –*last stable ModSecurity v2 on Apache 2.4.56 official stable base image, and latest stable Core Rule Set 3.3.5*
+* `3-nginx-YYYYMMDDHHMM`, `3.3-nginx-YYYYMMDDHHMM`, `3.3.5-nginx-YYYYMMDDHHMM`, `nginx` ([master/nginx/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)) – *last stable ModSecurity v3 on Nginx 1.25.3 official stable base image, and latest stable Core Rule Set 3.3.5*
+* `3-apache-YYYYMMDDHHMM`, `3.3-apache-YYYYMMDDHHMM`, `3.3.5-apache-YYYYMMDDHHMM`, `apache` ([master/apache/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)) –*last stable ModSecurity v2 on Apache 2.4.58 official stable base image, and latest stable Core Rule Set 3.3.5*
 
 🆕 We added healthchecks to the images. Containers already return HTTP status code 200 when accessing the `/healthz` URI. When a container has a healthcheck specified, it has a _health status_ in addition to its normal status. This status is initially `starting`. Whenever a health check passes, it becomes `healthy` (whatever state it was previously in). After a certain number of consecutive failures, it becomes `unhealthy`. See <https://docs.docker.com/engine/reference/builder/#healthcheck> for more information.
 
 ## Supported variants
 
 We also build [alpine linux](https://www.alpinelinux.org/) variants of the base images, using the `-alpine` suffix. Examples:
 
-* `3-nginx-alpine-YYYYMMDDHHMM`, `3.3-nginx-alpine-YYYYMMDDHHMM`, `3.3.5-nginx-alpine-YYYYMMDDHHMM`, `nginx-alpine` ([master/nginx/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine) – *last stable ModSecurity v3 on Nginx 1.24 official alpine stable base image, and latest stable Core Rule Set 3.3.5*
-* `3-apache-alpine-YYYYMMDDHHMM`, `3.3-apache-alpine-YYYYMMDDHHMM`, `3.3.5-apache-alpine-YYYYMMDDHHMM`, `apache-alpine` ([master/apache/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine)) – *last stable ModSecurity v2 on Apache 2.4.56 official alpine stable base image, and latest stable Core Rule Set 3.3.5*
+* `3-nginx-alpine-YYYYMMDDHHMM`, `3.3-nginx-alpine-YYYYMMDDHHMM`, `3.3.5-nginx-alpine-YYYYMMDDHHMM`, `nginx-alpine` ([master/nginx/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine) – *last stable ModSecurity v3 on Nginx 1.25.3 official alpine stable base image, and latest stable Core Rule Set 3.3.5*
+* `3-apache-alpine-YYYYMMDDHHMM`, `3.3-apache-alpine-YYYYMMDDHHMM`, `3.3.5-apache-alpine-YYYYMMDDHHMM`, `apache-alpine` ([master/apache/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine)) – *last stable ModSecurity v2 on Apache 2.4.58 official alpine stable base image, and latest stable Core Rule Set 3.3.5*
 
 ## Production usage
 
@@ -36,9 +36,9 @@ We also build [alpine linux](https://www.alpinelinux.org/) variants of the base
 ## Supported architectures
 
 * linux/amd64
-* linux/i386
-* linux/arm64
 * linux/arm/v7
+* linux/arm64/v8
+* linux/i386
 
 ## Quick reference
 

diff --git a/README.md b/README.md
@@ -14,8 +14,8 @@ ModSecurity is an open source, cross platform web application firewall (WAF) eng
 
 ## Supported tags and respective `Dockerfile` links
 
-* `3-nginx-YYYYMMDDHHMM`, `3.3-nginx-YYYYMMDDHHMM`, `3.3.5-nginx-YYYYMMDDHHMM`, `nginx` ([master/nginx/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)) – *last stable ModSecurity v3 on Nginx 1.24 official stable base image, and latest stable Core Rule Set 3.3.5*
-* `3-apache-YYYYMMDDHHMM`, `3.3-apache-YYYYMMDDHHMM`, `3.3.5-apache-YYYYMMDDHHMM`, `apache` ([master/apache/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)) –*last stable ModSecurity v2 on Apache 2.4.56 official stable base image, and latest stable Core Rule Set 3.3.5*
+* `3-nginx-YYYYMMDDHHMM`, `3.3-nginx-YYYYMMDDHHMM`, `3.3.5-nginx-YYYYMMDDHHMM`, `nginx` ([master/nginx/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)) – *last stable ModSecurity v3 on Nginx 1.25.3 official stable base image, and latest stable Core Rule Set 3.3.5*
+* `3-apache-YYYYMMDDHHMM`, `3.3-apache-YYYYMMDDHHMM`, `3.3.5-apache-YYYYMMDDHHMM`, `apache` ([master/apache/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)) –*last stable ModSecurity v2 on Apache 2.4.58 official stable base image, and latest stable Core Rule Set 3.3.5*
 
 ⚠️ We changed tags to [support production usage](https://github.com/coreruleset/modsecurity-crs-docker/issues/67). Now, if you want to use the "rolling version", use the tag `owasp/modsecurity-crs:nginx` or `owasp/modsecurity-crs:apache`. If you need a stable long term image, use the one with the full CRS version, in addition to the build date in `YYYYMMDDHHMM` format, example `owasp/modsecurity-crs:3.3.5-nginx-202209141209` or `owasp/modsecurity-crs:3.3.5-apache-202209141209` for example. You have been warned.
 
@@ -25,8 +25,8 @@ ModSecurity is an open source, cross platform web application firewall (WAF) eng
 
 We also build [alpine linux](https://www.alpinelinux.org/) variants of the base images, using the `-alpine` suffix. Examples:
 
-* `3-nginx-alpine-YYYYMMDDHHMM`, `3.3-nginx-alpine-YYYYMMDDHHMM`, `3.3.5-nginx-alpine-YYYYMMDDHHMM`, `nginx-alpine` ([master/nginx/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine) – *last stable ModSecurity v3 on Nginx 1.24 official alpine stable base image, and latest stable Core Rule Set 3.3.5*
-* `3-apache-alpine-YYYYMMDDHHMM`, `3.3-apache-alpine-YYYYMMDDHHMM`, `3.3.5-apache-alpine-YYYYMMDDHHMM`, `apache-alpine` ([master/apache/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine)) – *last stable ModSecurity v2 on Apache 2.4.56 official alpine stable base image, and latest stable Core Rule Set 3.3.5*
+* `3-nginx-alpine-YYYYMMDDHHMM`, `3.3-nginx-alpine-YYYYMMDDHHMM`, `3.3.5-nginx-alpine-YYYYMMDDHHMM`, `nginx-alpine` ([master/nginx/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine) – *last stable ModSecurity v3 on Nginx 1.25.3 official alpine stable base image, and latest stable Core Rule Set 3.3.5*
+* `3-apache-alpine-YYYYMMDDHHMM`, `3.3-apache-alpine-YYYYMMDDHHMM`, `3.3.5-apache-alpine-YYYYMMDDHHMM`, `apache-alpine` ([master/apache/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine)) – *last stable ModSecurity v2 on Apache 2.4.58 official alpine stable base image, and latest stable Core Rule Set 3.3.5*
 
 ⚠️ We changed tags to [support production usage](https://github.com/coreruleset/modsecurity-crs-docker/issues/67). Now, if you want to use the "rolling version", use the tag `owasp/modsecurity-crs:nginx-alpine` or `owasp/modsecurity-crs:apache-alpine`. If you need a stable long term image, use the one with the full CRS version, in addition to the build date in `YYYYMMDDHHMM` format, example `owasp/modsecurity-crs:3.3.5-nginx-alpine-202209141209` or `owasp/modsecurity-crs:3.3.5-apache-alpine-202209141209` for example. You have been warned.
 
@@ -57,17 +57,17 @@ docker buildx bake -f ./docker-bake.hcl --print
 We are building now for these architectures:
 
 * linux/amd64
-* linux/i386
-* linux/arm64
 * linux/arm/v7
+* linux/arm64/v8
+* linux/i386
 
 You can find additional examples on how to use `buildx` in this repository's GitHub act
 We added the [docker buildx](https://github.com/docker/buildx) support to our docker builds so additional architectures are supported now. As we create our containers based on the official apache and nginx ones, we can only support the architectures they support.
 
 To build a specific target for a single platform only (replace target and platform strings in the example with the your choices):
 
 ```bash
-docker buildx bake -f docker-bake.hcl --set target.platforms=linux/amd64 nginx-alpine
+docker buildx bake -f docker-bake.hcl --set "*.platform=linux/amd64" nginx-alpine
 ```
 
 ## CRS Versions
@@ -103,7 +103,7 @@ ModSecurity is an open source, cross platform Web Application Firewall (WAF) eng
 
 If using the [Nginx environment variables](https://github.com/coreruleset/modsecurity-crs-docker#nginx-env-variables) is not enough for your use case, you can mount your own `nginx.conf` file as the new template for generating the base config.
 
-An example can be seen in the [docker-compose](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/docker-compose.yml) file.
+An example can be seen in the [docker-compose](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/docker-compose.yaml) file.
 
 > 💬 What happens if I want to make changes in a different file, like `/etc/nginx/conf.d/default.conf`?
 > You mount your local file, e.g. `nginx/default.conf` as the new template: `/etc/nginx/templates/conf.d/default.conf.template`. You can do this similarly with other files. Files in the templates directory will be copied and subdirectories will be preserved.

diff --git a/apache/Dockerfile b/apache/Dockerfile
@@ -1,8 +1,9 @@
-ARG APACHE_VERSION=2.4.57
+ARG APACHE_VERSION=2.4.58
 
 FROM httpd:${APACHE_VERSION} as build
 
-ARG MODSEC_VERSION=2.9.7
+ARG MODSEC_VERSION=2.9.7 \
+    LUA_VERSION=5.3
 
 RUN set -eux; \
     echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections; \
@@ -20,7 +21,7 @@ RUN set -eux; \
         libtool \
         libxml2-dev \
         libyajl-dev \
-        lua5.2-dev \
+        lua${LUA_VERSION}-dev \
         make \
         pkgconf \
         wget
@@ -57,7 +58,8 @@ RUN set -eux; \
 
 FROM httpd:${APACHE_VERSION}
 
-ARG MODSEC_VERSION=2.9.7
+ARG MODSEC_VERSION=2.9.7 \
+    LUA_VERSION=5.3
 
 LABEL maintainer="Felipe Zipitria <[email protected]>"
 
@@ -161,6 +163,7 @@ RUN set -eux; \
         iproute2 \
         libcurl3-gnutls \
         libfuzzy2 \
+        liblua${LUA_VERSION} \
         libxml2 \
         libyajl2; \
     update-ca-certificates -f; \

diff --git a/apache/Dockerfile-alpine b/apache/Dockerfile-alpine
@@ -1,8 +1,9 @@
-ARG APACHE_VERSION=2.4.57
+ARG APACHE_VERSION=2.4.58
 
 FROM httpd:${APACHE_VERSION}-alpine as build
 
-ARG MODSEC_VERSION=2.9.7
+ARG MODSEC_VERSION=2.9.7 \
+    LUA_VERSION=5.3
 
 # see https://httpd.apache.org/docs/2.4/install.html#requirements
 RUN set -eux; \
@@ -27,8 +28,8 @@ RUN set -eux; \
     libtool \
     lmdb-dev \
     libxml2-dev \
+    lua${LUA_VERSION}-dev \
     yajl-dev \
-    lua-dev \
     make \
     openssl \
     openssl-dev \
@@ -67,7 +68,8 @@ RUN set -eux; \
 
 FROM httpd:${APACHE_VERSION}-alpine
 
-ARG MODSEC_VERSION=2.9.7
+ARG MODSEC_VERSION=2.9.7 \
+    LUA_VERSION=5.3
 
 LABEL maintainer="Felipe Zipitria <[email protected]>"
 
@@ -109,6 +111,7 @@ ENV APACHE_ALWAYS_TLS_REDIRECT=off \
     MODSEC_RESP_BODY_LIMIT_ACTION="ProcessPartial" \
     MODSEC_RESP_BODY_MIMETYPE="text/plain text/html text/xml" \
     MODSEC_RULE_ENGINE=on \
+    MODSEC_SERVER_SIGNATURE="Apache" \
     MODSEC_STATUS_ENGINE="Off" \
     MODSEC_TAG=modsecurity \
     MODSEC_TMP_DIR=/tmp/modsecurity/tmp \
@@ -128,6 +131,8 @@ ENV APACHE_ALWAYS_TLS_REDIRECT=off \
     REQ_HEADER_FORWARDED_PROTO='https' \
     SERVER_ADMIN=root@localhost \
     SERVER_NAME=localhost \
+    SERVER_SIGNATURE=Off \
+    SERVER_TOKENS=Full \
     SSL_CIPHER_SUITE="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \
     SSL_ENGINE=on \
     SSL_HONOR_CIPHER_ORDER=off \
@@ -166,14 +171,16 @@ RUN set -eux; \
         iproute2 \
         libfuzzy2 \
         libxml2 \
+        lua${LUA_VERSION} \
         moreutils \
         openssl \
         sed \
         tzdata \
         yajl; \
     ln -sv /opt/owasp-crs /etc/modsecurity.d/; \
     sed -i -E 's|(Listen) [0-9]+|\1 ${PORT}|' /usr/local/apache2/conf/httpd.conf; \
-    sed -i -E 's|(ServerTokens) Full|\1 Prod|' /usr/local/apache2/conf/extra/httpd-default.conf; \
+    sed -i -E 's|(ServerTokens) Full|\1 ${SERVER_TOKENS}|' /usr/local/apache2/conf/extra/httpd-default.conf; \
+    sed -i -E 's|(ServerSignature) Off|\1 ${SERVER_SIGNATURE}|' /usr/local/apache2/conf/extra/httpd-default.conf; \
     sed -i -E 's|#(ServerName) www.example.com:80|\1 ${SERVER_NAME}|' /usr/local/apache2/conf/httpd.conf; \
     sed -i -E 's|(ServerAdmin) [email protected]|\1 ${SERVER_ADMIN}|' /usr/local/apache2/conf/httpd.conf; \
     sed -i -E 's|^(\s*CustomLog)(\s+\S+)+|\1 ${ACCESSLOG} modsec "env=!nologging"|g' /usr/local/apache2/conf/httpd.conf; \

diff --git a/nginx/Dockerfile b/nginx/Dockerfile
@@ -1,9 +1,10 @@
-ARG NGINX_VERSION="1.24.0"
+ARG NGINX_VERSION="1.25.3"
 
 FROM nginx:${NGINX_VERSION} as build
 
 ARG MODSEC_VERSION=3.0.11 \
-    LMDB_VERSION=0.9.29
+    LMDB_VERSION=0.9.29 \
+    LUA_VERSION=5.3
 
 # Note: libpcre3-dev (PCRE 1) is required by the build description,
 # even though the build will use PCRE2.
@@ -19,7 +20,7 @@ RUN set -eux; \
         libcurl4-gnutls-dev \
         libfuzzy-dev \
         libgeoip-dev \
-        liblua5.3-dev \
+        liblua${LUA_VERSION}-dev \
         libpcre3-dev \
         libpcre2-dev \
         libtool \
@@ -96,7 +97,8 @@ RUN set -eux; \
 FROM nginx:${NGINX_VERSION}
 
 ARG MODSEC_VERSION=3.0.11 \
-    LMDB_VERSION=0.9.29
+    LMDB_VERSION=0.9.29 \
+    LUA_VERSION=5.3
 
 LABEL maintainer="Felipe Zipitria <[email protected]>"
 
@@ -190,7 +192,7 @@ RUN set -eux; \
         curl \
         libcurl4-gnutls-dev \
         libfuzzy2 \
-        liblua5.3 \
+        liblua${LUA_VERSION} \
         libxml2 \
         libyajl2 \
         moreutils; \

diff --git a/nginx/Dockerfile-alpine b/nginx/Dockerfile-alpine
@@ -1,8 +1,9 @@
-ARG NGINX_VERSION="1.24.0"
+ARG NGINX_VERSION="1.25.3"
 
 FROM nginx:${NGINX_VERSION}-alpine as build
 
-ARG MODSEC_VERSION=3.0.11
+ARG MODSEC_VERSION=3.0.11 \
+    LUA_VERSION=5.3
 
 # Note: pcre-dev (PCRE 1) is required by the build description,
 # even though the build will use PCRE2.
@@ -25,6 +26,7 @@ RUN set -eux; \
         libxml2-dev \
         linux-headers \
         lmdb-dev \
+        lua${LUA_VERSION}-dev \
         make \
         openssl \
         openssl-dev \
@@ -90,7 +92,8 @@ RUN set -eux; \
 
 FROM nginx:${NGINX_VERSION}-alpine
 
-ARG MODSEC_VERSION=3.0.11
+ARG MODSEC_VERSION=3.0.11 \
+    LUA_VERSION=5.3
 
 LABEL maintainer="Felipe Zipitria <[email protected]>"
 
@@ -185,6 +188,7 @@ RUN set -eux; \
         libstdc++ \
         libxml2-dev \
         lmdb-dev \
+        lua${LUA_VERSION} \
         moreutils \
         openssl \
         tzdata \