feat: add nginx modules as parameter
Signed-off-by: Felipe Zipitria <[email protected]>
fzipi committed Dec 29, 2024
1 parent 0fd52be commit a7d160a
Showing 4 changed files with 30 additions and 15 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/verifyimage.yml
@@ -78,7 +78,7 @@ jobs:
- name: Verify ${{ matrix.target }}
run: |
[ $(docker inspect ${{ matrix.target }}-test --format='{{.State.Running}}') = 'true' ]
if "${{ matrix.target }}" == "nginx" ; then
if grep -q "nginx <<< ${{ matrix.target }}" ; then
curl -q -D headers.txt http://localhost:8080/?test=../../etc/passwd
grep -q "HTTP/1.1 403 Forbidden" headers.txt
grep -q "Access-Control-Allow-Origin: *" headers.txt
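Review bot: In the `Verify` step, the `grep -q` condition keeps the here-string inside the quotes, so grep receives `nginx <<< <target>` as its pattern and reads the step's standard input instead of the matrix value. That makes the branch with the 403 and header assertions get skipped rather than fail (the page does not mark which of the two `if` lines is the new side; I am assuming the `grep` form). Move the operator out of the pattern: `if grep -q "nginx" <<< "${{ matrix.target }}"; then`. This branch is the only visible check that the built image actually rejects the traversal probe, so a condition that never fires lets a non-blocking image pass CI. The step's script continues past the end of the hunk.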
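--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -55,6 +55,14 @@ variable "REPOS" {
 ]
 }
 
+variable "nginx-dynamic-modules" {
+# List of dynamic modules to include in the nginx build
+default = [
+"owasp-modsecurity/ModSecurity-nginx",
+"openresty/headers-more-nginx-module"
+]
+}
+
 function "major" {
 params = [version]
 result = split(".", version)[0]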
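Review bot: Nothing on this page passes the new `nginx-dynamic-modules` variable to a target, and its shape does not match what the Dockerfiles consume: it is an HCL list, while the build loop word-splits a single `NGINX_DYNAMIC_MODULES` string. Unless the wiring sits outside these hunks, the nginx targets need an `args` entry along the lines of `NGINX_DYNAMIC_MODULES = join(" ", nginx-dynamic-modules)`; otherwise the build falls back to the ARG default `"n/a"`. The name also breaks with the upper-case style of `REPOS` and the ARG it feeds, so `NGINX_DYNAMIC_MODULES` would read more consistently. I would extend the comment to state the contract, e.g. `# GitHub "owner/repo" of each dynamic module; cloned and compiled into the image at build time`.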
18 changes: 11 additions & 7 deletions nginx/Dockerfile
@@ -5,6 +5,7 @@ FROM nginxinc/nginx-unprivileged:${NGINX_VERSION} AS build
ARG MODSEC3_VERSION="n/a"
ARG LMDB_VERSION="n/a"
ARG LUA_VERSION="n/a"
ARG NGINX_DYNAMIC_MODULES="n/a"

USER root

@@ -56,15 +57,19 @@ RUN set -eux; \

# Build modules
RUN set -eux; \
git clone -b master --depth 1 https://github.com/owasp-modsecurity/ModSecurity-nginx.git; \
git clone -b master --depth 1 https://github.com/openresty/headers-more-nginx-module.git; \
for module in ${NGINX_DYNAMIC_MODULES}; \
do; \
repo=$(awk -F'/' '{print $2}' <<< $module); \
git clone -b master --depth 1 https://github.com/${module}.git; \
modules=+("--add-dynamic-module=../${repo}"); \
done; \
curl -sSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx-${NGINX_VERSION}.tar.gz; \
tar -xzf nginx-${NGINX_VERSION}.tar.gz; \
cd ./nginx-${NGINX_VERSION}; \
./configure --with-compat --add-dynamic-module=../ModSecurity-nginx --add-dynamic-module=../headers-more-nginx-module; \
./configure --with-compat ${modules[@]} ;\
make modules; \
strip objs/ngx_http_modsecurity_module.so objs/ngx_http_headers_more_filter_module.so; \
cp objs/ngx_http_modsecurity_module.so objs/ngx_http_headers_more_filter_module.so /etc/nginx/modules/; \
strip objs/*.so; \
cp objs/*.so /etc/nginx/modules/; \
mkdir /etc/modsecurity.d; \
curl -sSL https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/unicode.mapping \
-o /etc/modsecurity.d/unicode.mapping
@@ -198,8 +203,7 @@ ENV \
BLOCKING_PARANOIA=1

COPY --from=build /usr/local/modsecurity/lib/libmodsecurity.so.${MODSEC3_VERSION} /usr/local/modsecurity/lib/
COPY --from=build /etc/nginx/modules/ngx_http_modsecurity_module.so /etc/nginx/modules/ngx_http_modsecurity_module.so
COPY --from=build /etc/nginx/modules/ngx_http_headers_more_filter_module.so /etc/nginx/modules/ngx_http_headers_more_filter_module.so
COPY --from=build /etc/nginx/modules/*.so /etc/nginx/modules/
COPY --from=build /usr/local/lib/liblmdb.so /usr/local/lib/
COPY --from=build /usr/share/TLS/dhparam-* /etc/ssl/certs/
COPY --from=build /etc/modsecurity.d/unicode.mapping /etc/modsecurity.d/unicode.mapping
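Review bot: The rewritten loop in the `# Build modules` RUN cannot run as written: `do;` is a syntax error in any POSIX shell, `modules=+(…)` is not the array append form (`+=`), and `<<<` and `${modules[@]}` are bash extensions while no `SHELL` instruction is visible in these hunks. `NGINX_DYNAMIC_MODULES` also defaults to `"n/a"`, which the loop would treat as an owner/repo pair and try to clone. Because the value now travels from a build argument into the clone URL and each repository is still taken from an unpinned `master`, I would check the name shape before cloning and consider a pinned ref per module; a POSIX rewrite is below. The globbed `cp objs/*.so` and `COPY --from=build /etc/nginx/modules/*.so` also carry over anything already present in that directory of the build stage, so the final module set is no longer an explicit list. The same loop appears in nginx/Dockerfile-alpine.

```dockerfile
RUN set -eux; \
    module_args=""; \
    for module in ${NGINX_DYNAMIC_MODULES}; do \
        # accept only a plain "owner/repo" before it reaches the clone URL
        case "${module}" in \
            */*/*|*[!A-Za-z0-9._/-]*|*..*) echo "unexpected module name: ${module}" >&2; exit 1 ;; \
            */*) ;; \
            *) echo "unexpected module name: ${module}" >&2; exit 1 ;; \
        esac; \
        repo="${module##*/}"; \
        git clone -b master --depth 1 "https://github.com/${module}.git"; \
        module_args="${module_args} --add-dynamic-module=../${repo}"; \
    done; \
    # … unchanged: nginx tarball download, extraction and cd …
    ./configure --with-compat ${module_args}; \
    # … unchanged: make modules, strip, cp, unicode.mapping download …
```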
17 changes: 10 additions & 7 deletions nginx/Dockerfile-alpine
@@ -53,15 +53,19 @@ RUN set -eux; \

# Build modules
RUN set -eux; \
git clone -b master --depth 1 https://github.com/owasp-modsecurity/ModSecurity-nginx.git; \
git clone -b master --depth 1 https://github.com/openresty/headers-more-nginx-module.git; \
for module in ${NGINX_DYNAMIC_MODULES}; \
do; \
repo=$(awk -F'/' '{print $2}' <<< $module); \
git clone -b master --depth 1 https://github.com/${module}.git; \
modules=+("--add-dynamic-module=../${repo}"); \
done; \
curl -sSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx-${NGINX_VERSION}.tar.gz; \
tar -xzf nginx-${NGINX_VERSION}.tar.gz; \
cd ./nginx-${NGINX_VERSION}; \
./configure --with-compat --add-dynamic-module=../ModSecurity-nginx --add-dynamic-module=../headers-more-nginx-module; \
./configure --with-compat ${modules[@]} ;\
make modules; \
strip objs/ngx_http_modsecurity_module.so objs/ngx_http_headers_more_filter_module.so; \
cp objs/ngx_http_modsecurity_module.so objs/ngx_http_headers_more_filter_module.so /etc/nginx/modules/; \
strip objs/*.so; \
cp objs/*.so /etc/nginx/modules/; \
mkdir /etc/modsecurity.d; \
curl -sSL https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/unicode.mapping \
-o /etc/modsecurity.d/unicode.mapping
@@ -194,8 +198,7 @@ ENV \
BLOCKING_PARANOIA=1

COPY --from=build /usr/local/modsecurity/lib/libmodsecurity.so.${MODSEC3_VERSION} /usr/local/modsecurity/lib/
COPY --from=build /etc/nginx/modules/ngx_http_modsecurity_module.so /etc/nginx/modules/ngx_http_modsecurity_module.so
COPY --from=build /etc/nginx/modules/ngx_http_headers_more_filter_module.so /etc/nginx/modules/ngx_http_headers_more_filter_module.so
COPY --from=build /etc/nginx/modules/*.so /etc/nginx/modules/
COPY --from=build /usr/share/TLS/dhparam-* /etc/ssl/certs/
COPY --from=build /etc/modsecurity.d/unicode.mapping /etc/modsecurity.d/unicode.mapping
COPY --from=crs_release /opt/owasp-crs /opt/owasp-crs
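Review bot: No `ARG NGINX_DYNAMIC_MODULES` is added in the hunks shown for this file (the section counts 10 additions against 11 for nginx/Dockerfile, whose first hunk declares it). Unless the ARG already exists outside these hunks, `for module in ${NGINX_DYNAMIC_MODULES}` in the `# Build modules` RUN expands an unset variable, and the `-u` in `set -eux` aborts the build there. Declare the argument in the build stage next to the other version ARGs, `ARG NGINX_DYNAMIC_MODULES`, and have the loop skip or reject a placeholder default rather than try to clone it.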
