From 5224ce902dd3568789f1786b19bd013f288cfb38 Mon Sep 17 00:00:00 2001
From: Max Leske
Date: Thu, 21 Dec 2023 07:07:45 +0100
Subject: [PATCH] chore: update dependencies
- make Lua version an ARG
- update httpd to 2.4.58
- update nginx to 1.25.3
---
 README-containers.md | 8 ++++----
 README.md | 8 ++++----
 apache/Dockerfile | 12 +++++++-----
 apache/Dockerfile-alpine | 12 +++++++-----
 nginx/Dockerfile | 12 +++++++-----
 nginx/Dockerfile-alpine | 12 +++++++-----
 6 files changed, 36 insertions(+), 28 deletions(-)
diff --git a/README-containers.md b/README-containers.md
index 0cd53393..9e1ee282 100644
--- a/README-containers.md
+++ b/README-containers.md
@@ -17,8 +17,8 @@ The Core Rule Set (CRS) is a set of generic attack detection rules for use with ## Supported tags and respective `Dockerfile` links -* `3-nginx-YYYYMMDDHHMM`, `3.3-nginx-YYYYMMDDHHMM`, `3.3.5-nginx-YYYYMMDDHHMM`, `nginx` ([master/nginx/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)) – *last stable ModSecurity v3 on Nginx 1.24 official stable base image, and latest stable Core Rule Set 3.3.5* -* `3-apache-YYYYMMDDHHMM`, `3.3-apache-YYYYMMDDHHMM`, `3.3.5-apache-YYYYMMDDHHMM`, `apache` ([master/apache/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)) –*last stable ModSecurity v2 on Apache 2.4.56 official stable base image, and latest stable Core Rule Set 3.3.5* +* `3-nginx-YYYYMMDDHHMM`, `3.3-nginx-YYYYMMDDHHMM`, `3.3.5-nginx-YYYYMMDDHHMM`, `nginx` ([master/nginx/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)) – *last stable ModSecurity v3 on Nginx 1.25.3 official stable base image, and latest stable Core Rule Set 3.3.5* +* `3-apache-YYYYMMDDHHMM`, `3.3-apache-YYYYMMDDHHMM`, `3.3.5-apache-YYYYMMDDHHMM`, `apache` ([master/apache/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)) –*last stable ModSecurity v2 on Apache 2.4.58 official stable base image, and latest stable Core Rule Set 3.3.5* 🆕 We added healthchecks to the images. Containers already return HTTP status code 200 when accessing the `/healthz` URI. When a container has a healthcheck specified, it has a _health status_ in addition to its normal status. This status is initially `starting`. Whenever a health check passes, it becomes `healthy` (whatever state it was previously in). After a certain number of consecutive failures, it becomes `unhealthy`. See for more information. 
@@ -26,8 +26,8 @@ The Core Rule Set (CRS) is a set of generic attack detection rules for use with We also build [alpine linux](https://www.alpinelinux.org/) variants of the base images, using the `-alpine` suffix. Examples: -* `3-nginx-alpine-YYYYMMDDHHMM`, `3.3-nginx-alpine-YYYYMMDDHHMM`, `3.3.5-nginx-alpine-YYYYMMDDHHMM`, `nginx-alpine` ([master/nginx/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine) – *last stable ModSecurity v3 on Nginx 1.24 official alpine stable base image, and latest stable Core Rule Set 3.3.5* -* `3-apache-alpine-YYYYMMDDHHMM`, `3.3-apache-alpine-YYYYMMDDHHMM`, `3.3.5-apache-alpine-YYYYMMDDHHMM`, `apache-alpine` ([master/apache/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine)) – *last stable ModSecurity v2 on Apache 2.4.56 official alpine stable base image, and latest stable Core Rule Set 3.3.5* +* `3-nginx-alpine-YYYYMMDDHHMM`, `3.3-nginx-alpine-YYYYMMDDHHMM`, `3.3.5-nginx-alpine-YYYYMMDDHHMM`, `nginx-alpine` ([master/nginx/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine) – *last stable ModSecurity v3 on Nginx 1.25.3 official alpine stable base image, and latest stable Core Rule Set 3.3.5* +* `3-apache-alpine-YYYYMMDDHHMM`, `3.3-apache-alpine-YYYYMMDDHHMM`, `3.3.5-apache-alpine-YYYYMMDDHHMM`, `apache-alpine` ([master/apache/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine)) – *last stable ModSecurity v2 on Apache 2.4.58 official alpine stable base image, and latest stable Core Rule Set 3.3.5* ## Production usage diff --git a/README.md b/README.md index 9beb5fcd..33d0ce7f 100644 --- a/README.md +++ b/README.md 
@@ -14,8 +14,8 @@ ModSecurity is an open source, cross platform web application firewall (WAF) eng ## Supported tags and respective `Dockerfile` links -* `3-nginx-YYYYMMDDHHMM`, `3.3-nginx-YYYYMMDDHHMM`, `3.3.5-nginx-YYYYMMDDHHMM`, `nginx` ([master/nginx/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)) – *last stable ModSecurity v3 on Nginx 1.24 official stable base image, and latest stable Core Rule Set 3.3.5* -* `3-apache-YYYYMMDDHHMM`, `3.3-apache-YYYYMMDDHHMM`, `3.3.5-apache-YYYYMMDDHHMM`, `apache` ([master/apache/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)) –*last stable ModSecurity v2 on Apache 2.4.56 official stable base image, and latest stable Core Rule Set 3.3.5* +* `3-nginx-YYYYMMDDHHMM`, `3.3-nginx-YYYYMMDDHHMM`, `3.3.5-nginx-YYYYMMDDHHMM`, `nginx` ([master/nginx/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)) – *last stable ModSecurity v3 on Nginx 1.25.3 official stable base image, and latest stable Core Rule Set 3.3.5* +* `3-apache-YYYYMMDDHHMM`, `3.3-apache-YYYYMMDDHHMM`, `3.3.5-apache-YYYYMMDDHHMM`, `apache` ([master/apache/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)) –*last stable ModSecurity v2 on Apache 2.4.58 official stable base image, and latest stable Core Rule Set 3.3.5* ⚠️ We changed tags to [support production usage](https://github.com/coreruleset/modsecurity-crs-docker/issues/67). Now, if you want to use the "rolling version", use the tag `owasp/modsecurity-crs:nginx` or `owasp/modsecurity-crs:apache`. If you need a stable long term image, use the one with the full CRS version, in addition to the build date in `YYYYMMDDHHMM` format, example `owasp/modsecurity-crs:3.3.5-nginx-202209141209` or `owasp/modsecurity-crs:3.3.5-apache-202209141209` for example. You have been warned. 
@@ -25,8 +25,8 @@ ModSecurity is an open source, cross platform web application firewall (WAF) eng We also build [alpine linux](https://www.alpinelinux.org/) variants of the base images, using the `-alpine` suffix. Examples: -* `3-nginx-alpine-YYYYMMDDHHMM`, `3.3-nginx-alpine-YYYYMMDDHHMM`, `3.3.5-nginx-alpine-YYYYMMDDHHMM`, `nginx-alpine` ([master/nginx/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine) – *last stable ModSecurity v3 on Nginx 1.24 official alpine stable base image, and latest stable Core Rule Set 3.3.5* -* `3-apache-alpine-YYYYMMDDHHMM`, `3.3-apache-alpine-YYYYMMDDHHMM`, `3.3.5-apache-alpine-YYYYMMDDHHMM`, `apache-alpine` ([master/apache/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine)) – *last stable ModSecurity v2 on Apache 2.4.56 official alpine stable base image, and latest stable Core Rule Set 3.3.5* +* `3-nginx-alpine-YYYYMMDDHHMM`, `3.3-nginx-alpine-YYYYMMDDHHMM`, `3.3.5-nginx-alpine-YYYYMMDDHHMM`, `nginx-alpine` ([master/nginx/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine) – *last stable ModSecurity v3 on Nginx 1.25.3 official alpine stable base image, and latest stable Core Rule Set 3.3.5* +* `3-apache-alpine-YYYYMMDDHHMM`, `3.3-apache-alpine-YYYYMMDDHHMM`, `3.3.5-apache-alpine-YYYYMMDDHHMM`, `apache-alpine` ([master/apache/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine)) – *last stable ModSecurity v2 on Apache 2.4.58 official alpine stable base image, and latest stable Core Rule Set 3.3.5* ⚠️ We changed tags to [support production usage](https://github.com/coreruleset/modsecurity-crs-docker/issues/67). Now, if you want to use the "rolling version", use the tag `owasp/modsecurity-crs:nginx-alpine` or `owasp/modsecurity-crs:apache-alpine`. 
If you need a stable long term image, use the one with the full CRS version, in addition to the build date in `YYYYMMDDHHMM` format, example `owasp/modsecurity-crs:3.3.5-nginx-alpine-202209141209` or `owasp/modsecurity-crs:3.3.5-apache-alpine-202209141209` for example. You have been warned.
diff --git a/apache/Dockerfile b/apache/Dockerfile
index 5e884329..29c9ae78 100644
--- a/apache/Dockerfile
+++ b/apache/Dockerfile
@@ -1,8 +1,9 @@
-ARG APACHE_VERSION=2.4.57
+ARG APACHE_VERSION=2.4.58

 FROM httpd:${APACHE_VERSION} as build

-ARG MODSEC_VERSION=2.9.7
+ARG MODSEC_VERSION=2.9.7 \
+ LUA_VERSION=5.3

 RUN set -eux; \
 echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections; \
@@ -20,7 +21,7 @@ RUN set -eux; \
 libtool \
 libxml2-dev \
 libyajl-dev \
- lua5.3-dev \
+ lua${LUA_VERSION}-dev \
 make \
 pkgconf \
 wget
@@ -57,7 +58,8 @@ RUN set -eux; \

 FROM httpd:${APACHE_VERSION}

-ARG MODSEC_VERSION=2.9.7
+ARG MODSEC_VERSION=2.9.7 \
+ LUA_VERSION=5.3

 LABEL maintainer="Felipe Zipitria "

@@ -161,7 +163,7 @@ RUN set -eux; \
 iproute2 \
 libcurl3-gnutls \
 libfuzzy2 \
- liblua5.3 \
+ liblua${LUA_VERSION} \
 libxml2 \
 libyajl2; \
 update-ca-certificates -f; \
diff --git a/apache/Dockerfile-alpine b/apache/Dockerfile-alpine
index 4c208593..a0397d49 100644
--- a/apache/Dockerfile-alpine
+++ b/apache/Dockerfile-alpine
@@ -1,8 +1,9 @@
-ARG APACHE_VERSION=2.4.57
+ARG APACHE_VERSION=2.4.58

 FROM httpd:${APACHE_VERSION}-alpine as build

-ARG MODSEC_VERSION=2.9.7
+ARG MODSEC_VERSION=2.9.7 \
+ LUA_VERSION=5.3

 # see https://httpd.apache.org/docs/2.4/install.html#requirements
 RUN set -eux; \
@@ -27,7 +28,7 @@ RUN set -eux; \
 libtool \
 lmdb-dev \
 libxml2-dev \
- lua5.3-dev \
+ lua${LUA_VERSION}-dev \
 yajl-dev \
 make \
 openssl \
@@ -67,7 +68,8 @@ RUN set -eux; \

 FROM httpd:${APACHE_VERSION}-alpine

-ARG MODSEC_VERSION=2.9.7
+ARG MODSEC_VERSION=2.9.7 \
+ LUA_VERSION=5.3

 LABEL maintainer="Felipe Zipitria "
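Review bot: The `LUA_VERSION=5.3` default is now written out twice in apache/Dockerfile, once for the build stage (hunk at -1,8) and once for the final stage (hunk at -57,7), and the same pair is repeated in apache/Dockerfile-alpine, nginx/Dockerfile and nginx/Dockerfile-alpine. If one default is later edited without the other, the build stage would compile against one `lua…-dev` package while the final stage installs a different Lua runtime library; nothing in the visible hunks would catch that at build time (the configure and module-load steps are outside the hunks, so the exact failure mode is inferred). Declaring the default once in the global scope, `ARG LUA_VERSION=5.3` before the first `FROM`, and re-declaring it without a value as `ARG LUA_VERSION` inside each stage keeps a single source of truth and still honours `--build-arg LUA_VERSION=…`. The RUN instructions that consume the value start and end outside these hunks.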
@@ -169,7 +171,7 @@ RUN set -eux; \
 iproute2 \
 libfuzzy2 \
 libxml2 \
- lua5.3 \
+ lua${LUA_VERSION} \
 moreutils \
 openssl \
 sed \
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index 72c180bc..e1c2dbf0 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -1,9 +1,10 @@
-ARG NGINX_VERSION="1.24.0"
+ARG NGINX_VERSION="1.25.3"

 FROM nginx:${NGINX_VERSION} as build

 ARG MODSEC_VERSION=3.0.11 \
- LMDB_VERSION=0.9.29
+ LMDB_VERSION=0.9.29 \
+ LUA_VERSION=5.3

 # Note: libpcre3-dev (PCRE 1) is required by the build description,
 # even though the build will use PCRE2.
@@ -19,7 +20,7 @@ RUN set -eux; \
 libcurl4-gnutls-dev \
 libfuzzy-dev \
 libgeoip-dev \
- liblua5.3-dev \
+ liblua${LUA_VERSION}-dev \
 libpcre3-dev \
 libpcre2-dev \
 libtool \
@@ -96,7 +97,8 @@ RUN set -eux; \
 FROM nginx:${NGINX_VERSION}

 ARG MODSEC_VERSION=3.0.11 \
- LMDB_VERSION=0.9.29
+ LMDB_VERSION=0.9.29 \
+ LUA_VERSION=5.3

 LABEL maintainer="Felipe Zipitria "

@@ -190,7 +192,7 @@ RUN set -eux; \
 curl \
 libcurl4-gnutls-dev \
 libfuzzy2 \
- liblua5.3 \
+ liblua${LUA_VERSION} \
 libxml2 \
 libyajl2 \
 moreutils; \
diff --git a/nginx/Dockerfile-alpine b/nginx/Dockerfile-alpine
index cd8df8b0..8a1d5b31 100644
--- a/nginx/Dockerfile-alpine
+++ b/nginx/Dockerfile-alpine
@@ -1,8 +1,9 @@
-ARG NGINX_VERSION="1.24.0"
+ARG NGINX_VERSION="1.25.3"

 FROM nginx:${NGINX_VERSION}-alpine as build

-ARG MODSEC_VERSION=3.0.11
+ARG MODSEC_VERSION=3.0.11 \
+ LUA_VERSION=5.3

 # Note: pcre-dev (PCRE 1) is required by the build description,
 # even though the build will use PCRE2.
@@ -25,7 +26,7 @@ RUN set -eux; \
 libxml2-dev \
 linux-headers \
 lmdb-dev \
- lua5.3-dev \
+ lua${LUA_VERSION}-dev \
 make \
 openssl \
 openssl-dev \
@@ -91,7 +92,8 @@ RUN set -eux; \

 FROM nginx:${NGINX_VERSION}-alpine

-ARG MODSEC_VERSION=3.0.11
+ARG MODSEC_VERSION=3.0.11 \
+ LUA_VERSION=5.3

 LABEL maintainer="Felipe Zipitria "

@@ -186,7 +188,7 @@ RUN set -eux; \
 libstdc++ \
 libxml2-dev \
 lmdb-dev \
- lua5.3 \
+ lua${LUA_VERSION} \
 moreutils \
 openssl \
 tzdata \
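Review bot: `1.25.3`, the new `NGINX_VERSION` default in the first hunk of nginx/Dockerfile (and of nginx/Dockerfile-alpine), is an nginx mainline release, since nginx numbers mainline branches with odd minor versions and stable branches with even ones; the default therefore leaves the 1.24 stable branch while both READMEs touched by this patch still say "official stable base image". For a WAF image that operators pin in production, the branch change should be visible where the version is set, for example a comment above the ARG such as `# NOTE: nginx 1.25.x is the mainline branch (odd minor), not stable`, with the README bullets reworded to match. Separately, `FROM nginx:${NGINX_VERSION}` resolves a mutable registry tag, so two builds of the same commit can end up on different base layers; if reproducible rebuilds matter here, pinning the base by digest alongside the tag would close that gap.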