From a7d160acf40e7d5e89f0d48b9b5e1be4cdc8617b Mon Sep 17 00:00:00 2001
From: Felipe Zipitria
Date: Sun, 29 Dec 2024 16:46:05 -0300
Subject: [PATCH] feat: add nginx modules as parameter

Signed-off-by: Felipe Zipitria
---
 .github/workflows/verifyimage.yml | 2 +-
 docker-bake.hcl | 8 ++++++++
 nginx/Dockerfile | 18 +++++++++++-------
 nginx/Dockerfile-alpine | 17 ++++++++++-------
 4 files changed, 30 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/verifyimage.yml b/.github/workflows/verifyimage.yml
index 3174b9f..7467a4e 100644
--- a/.github/workflows/verifyimage.yml
+++ b/.github/workflows/verifyimage.yml
@@ -78,7 +78,7 @@ jobs:
 - name: Verify ${{ matrix.target }}
 run: |
 [ $(docker inspect ${{ matrix.target }}-test --format='{{.State.Running}}') = 'true' ]
- if "${{ matrix.target }}" == "nginx" ; then
+ if grep -q "nginx <<< ${{ matrix.target }}" ; then
 curl -q -D headers.txt http://localhost:8080/?test=../../etc/passwd
 grep -q "HTTP/1.1 403 Forbidden" headers.txt
 grep -q "Access-Control-Allow-Origin: *" headers.txt
diff --git a/docker-bake.hcl b/docker-bake.hcl
index 9553a67..a5d636e 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -55,6 +55,14 @@ variable "REPOS" {
 ]
 }
 
+variable "nginx-dynamic-modules" {
+ # List of dynamic modules to include in the nginx build
+ default = [
+ "owasp-modsecurity/ModSecurity-nginx",
+ "openresty/headers-more-nginx-module"
+ ]
+}
+
 function "major" {
 params = [version]
 result = split(".", version)[0]
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index bed950a..ced432a 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -5,6 +5,7 @@ FROM nginxinc/nginx-unprivileged:${NGINX_VERSION} AS build
 ARG MODSEC3_VERSION="n/a"
 ARG LMDB_VERSION="n/a"
 ARG LUA_VERSION="n/a"
+ARG NGINX_DYNAMIC_MODULES="n/a"
 
 USER root
 
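Review bot: The replacement condition `if grep -q "nginx <<< ${{ matrix.target }}" ; then` puts the here-string operator inside the quoted pattern, so grep gets the single pattern `nginx <<< <target>`, no file argument, and reads the step's stdin rather than the target name; the nginx-specific checks that follow are then skipped for every target (or the step blocks waiting on stdin). Move the redirection outside the quotes, `if grep -q "nginx" <<< "${{ matrix.target }}"; then`, or drop the bashism with `case "${{ matrix.target }}" in nginx*) ... ;; esac`. Either form matches any target whose name contains `nginx`, which appears intended given the Alpine variant, but say so in a comment since the old line matched `nginx` only. The `run:` script continues beyond this hunk.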
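Review bot: `variable "nginx-dynamic-modules"` is declared but, going by the diffstat (8 insertions in docker-bake.hcl, all in this hunk), no target's `args` block maps it to the new `NGINX_DYNAMIC_MODULES` build arg, so bake builds keep hitting the Dockerfile default. The value is an HCL list while the Dockerfiles iterate a whitespace-separated string, so the mapping needs a join, e.g. `NGINX_DYNAMIC_MODULES = join(" ", nginx-dynamic-modules)` in the `args` of the nginx targets. The comment could also state the expected entry format (`owner/repo` on github.com, cloned from `master`), since that is what the Dockerfile loop assumes.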
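Review bot: The default `ARG NGINX_DYNAMIC_MODULES="n/a"` is not an inert placeholder here: the loop added at @@ -56,15 iterates over the literal word `n/a` and runs `git clone ... https://github.com/n/a.git`, so a plain `docker build` of this file without `--build-arg` now fails at the clone instead of building the image it built before. Unlike the version args, this one has an obvious safe default, the two modules that were previously hard-coded: `ARG NGINX_DYNAMIC_MODULES="owasp-modsecurity/ModSecurity-nginx openresty/headers-more-nginx-module"`. A one-line comment above it documenting the `owner/repo` space-separated format would help callers of the bake file and of this Dockerfile alike.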
@@ -56,15 +57,19 @@ RUN set -eux; \
 
 # Build modules
 RUN set -eux; \
- git clone -b master --depth 1 https://github.com/owasp-modsecurity/ModSecurity-nginx.git; \
- git clone -b master --depth 1 https://github.com/openresty/headers-more-nginx-module.git; \
+ for module in ${NGINX_DYNAMIC_MODULES}; \
+ do; \
+ repo=$(awk -F'/' '{print $2}' <<< $module); \
+ git clone -b master --depth 1 https://github.com/${module}.git; \
+ modules=+("--add-dynamic-module=../${repo}"); \
+ done; \
 curl -sSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx-${NGINX_VERSION}.tar.gz; \
 tar -xzf nginx-${NGINX_VERSION}.tar.gz; \
 cd ./nginx-${NGINX_VERSION}; \
- ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx --add-dynamic-module=../headers-more-nginx-module; \
+ ./configure --with-compat ${modules[@]} ;\
 make modules; \
- strip objs/ngx_http_modsecurity_module.so objs/ngx_http_headers_more_filter_module.so; \
- cp objs/ngx_http_modsecurity_module.so objs/ngx_http_headers_more_filter_module.so /etc/nginx/modules/; \
+ strip objs/*.so; \
+ cp objs/*.so /etc/nginx/modules/; \
 mkdir /etc/modsecurity.d; \
 curl -sSL https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/unicode.mapping \
 -o /etc/modsecurity.d/unicode.mapping
@@ -198,8 +203,7 @@ ENV \
 BLOCKING_PARANOIA=1
 
 COPY --from=build /usr/local/modsecurity/lib/libmodsecurity.so.${MODSEC3_VERSION} /usr/local/modsecurity/lib/
-COPY --from=build /etc/nginx/modules/ngx_http_modsecurity_module.so /etc/nginx/modules/ngx_http_modsecurity_module.so
-COPY --from=build /etc/nginx/modules/ngx_http_headers_more_filter_module.so /etc/nginx/modules/ngx_http_headers_more_filter_module.so
+COPY --from=build /etc/nginx/modules/*.so /etc/nginx/modules/
 COPY --from=build /usr/local/lib/liblmdb.so /usr/local/lib/
 COPY --from=build /usr/share/TLS/dhparam-* /etc/ssl/certs/
 COPY --from=build /etc/modsecurity.d/unicode.mapping /etc/modsecurity.d/unicode.mapping
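Review bot: The new loop does not parse under the shell that runs this `RUN`: `do;` is a syntax error in every Bourne-style shell, `modules=+("…")` is not the append operator (`+=`) and is itself rejected, and `<<<`, arrays and `${modules[@]}` are bash-only while a Debian image's `RUN` executes `/bin/sh` (dash) unless a `SHELL` directive outside this hunk changes that. A POSIX form that accumulates a plain string and derives the repo name with parameter expansion, with `${module}` quoted so a malformed entry cannot split into extra arguments, works on both the Debian and Alpine variants; the identical hunk in nginx/Dockerfile-alpine at @@ -53,15 needs the same rewrite. Since `-b master` now applies to whatever repositories the build arg names, consider letting an entry carry an explicit ref (`owner/repo@<tag-or-commit>`) so the image records which module sources it was built from; `set -e` is already in force, so a failed clone still aborts the build.
```dockerfile
RUN set -eux; \
    modules=""; \
    for module in ${NGINX_DYNAMIC_MODULES}; \
    do \
        repo="${module#*/}"; \
        git clone -b master --depth 1 "https://github.com/${module}.git"; \
        modules="${modules} --add-dynamic-module=../${repo}"; \
    done; \
    # … unchanged: nginx tarball download, extract, cd …
    ./configure --with-compat ${modules}; \
    # … unchanged: make modules, strip/cp, unicode.mapping …
```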
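Review bot: `COPY --from=build /etc/nginx/modules/*.so /etc/nginx/modules/` copies every shared object in the build stage's module directory, not only the ones `make modules` produced; if the nginx base image ships stock modules there, they are re-copied into a new layer of the final stage that already inherits them from the same base. Having the build step `cp objs/*.so` into a dedicated staging directory (for example `/usr/local/nginx-modules/`, name illustrative) and copying from that keeps the layer limited to what this build compiled. The same glob is used in nginx/Dockerfile-alpine at @@ -194,8. Modules added through the new arg also still need a matching `load_module` directive in the nginx configuration the image ships; if that config names only the original two, extra modules are compiled and copied but never loaded, which is worth stating in the ARG's comment.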
diff --git a/nginx/Dockerfile-alpine b/nginx/Dockerfile-alpine
index 08a82af..2a2fc34 100644
--- a/nginx/Dockerfile-alpine
+++ b/nginx/Dockerfile-alpine
@@ -53,15 +53,19 @@ RUN set -eux; \
 
 # Build modules
 RUN set -eux; \
- git clone -b master --depth 1 https://github.com/owasp-modsecurity/ModSecurity-nginx.git; \
- git clone -b master --depth 1 https://github.com/openresty/headers-more-nginx-module.git; \
+ for module in ${NGINX_DYNAMIC_MODULES}; \
+ do; \
+ repo=$(awk -F'/' '{print $2}' <<< $module); \
+ git clone -b master --depth 1 https://github.com/${module}.git; \
+ modules=+("--add-dynamic-module=../${repo}"); \
+ done; \
 curl -sSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx-${NGINX_VERSION}.tar.gz; \
 tar -xzf nginx-${NGINX_VERSION}.tar.gz; \
 cd ./nginx-${NGINX_VERSION}; \
- ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx --add-dynamic-module=../headers-more-nginx-module; \
+ ./configure --with-compat ${modules[@]} ;\
 make modules; \
- strip objs/ngx_http_modsecurity_module.so objs/ngx_http_headers_more_filter_module.so; \
- cp objs/ngx_http_modsecurity_module.so objs/ngx_http_headers_more_filter_module.so /etc/nginx/modules/; \
+ strip objs/*.so; \
+ cp objs/*.so /etc/nginx/modules/; \
 mkdir /etc/modsecurity.d; \
 curl -sSL https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/unicode.mapping \
 -o /etc/modsecurity.d/unicode.mapping
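Review bot: `${NGINX_DYNAMIC_MODULES}` is consumed here, but unlike nginx/Dockerfile this commit adds no `ARG NGINX_DYNAMIC_MODULES` to the Alpine build stage, and the diffstat (10 insertions, all in the two hunks shown) indicates none was added elsewhere. Unless the stage already declares it outside this diff, the variable expands to nothing, the loop body never runs, `./configure --with-compat` builds no modules, and `strip objs/*.so` then aborts the build under `set -e` on the unmatched glob. Add `ARG NGINX_DYNAMIC_MODULES="<default modules>"` next to the stage's other `ARG` lines, with a default rather than `"n/a"` so a standalone build still produces the previous image. The `RUN` block here also runs under busybox `/bin/sh`, which has no arrays, so the loop cannot rely on `${modules[@]}` even once the arg exists.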
@@ -194,8 +198,7 @@ ENV \
 BLOCKING_PARANOIA=1
 
 COPY --from=build /usr/local/modsecurity/lib/libmodsecurity.so.${MODSEC3_VERSION} /usr/local/modsecurity/lib/
-COPY --from=build /etc/nginx/modules/ngx_http_modsecurity_module.so /etc/nginx/modules/ngx_http_modsecurity_module.so
-COPY --from=build /etc/nginx/modules/ngx_http_headers_more_filter_module.so /etc/nginx/modules/ngx_http_headers_more_filter_module.so
+COPY --from=build /etc/nginx/modules/*.so /etc/nginx/modules/
 COPY --from=build /usr/share/TLS/dhparam-* /etc/ssl/certs/
 COPY --from=build /etc/modsecurity.d/unicode.mapping /etc/modsecurity.d/unicode.mapping
 COPY --from=crs_release /opt/owasp-crs /opt/owasp-crs