From 7a8176fd54827f865b195f067176dacee2e94da7 Mon Sep 17 00:00:00 2001
From: Felipe Zipitria
Date: Mon, 23 Dec 2024 14:51:45 -0300
Subject: [PATCH] chore: remove openresty, no maintainer
Signed-off-by: Felipe Zipitria
---
 README-containers.md | 2 -
 README.md | 14 +-
 docker-bake.hcl | 19 --
 openresty/Dockerfile-alpine | 259 ------------------
 .../10-generate-certificate.sh | 12 -
 .../20-envsubst-on-templates.sh | 39 ---
 .../25-listen-on-ipv6-by-default.sh | 67 -----
 .../30-tune-worker-processes.sh | 188 -------------
 .../90-copy-modsecurity-config.sh | 14 -
 .../docker-entrypoint.d/91-update-resolver.sh | 12 -
 .../docker-entrypoint.d/92-update-real_ip.sh | 13 -
 .../93-update-proxy-ssl-config.sh | 14 -
 openresty/docker-entrypoint.sh | 47 ----
 .../includes/location_common.conf.template | 19 --
 openresty/templates/nginx.conf.template | 32 ---
 15 files changed, 5 insertions(+), 746 deletions(-)
 delete mode 100644 openresty/Dockerfile-alpine
 delete mode 100755 openresty/docker-entrypoint.d/10-generate-certificate.sh
 delete mode 100755 openresty/docker-entrypoint.d/20-envsubst-on-templates.sh
 delete mode 100755 openresty/docker-entrypoint.d/25-listen-on-ipv6-by-default.sh
 delete mode 100755 openresty/docker-entrypoint.d/30-tune-worker-processes.sh
 delete mode 100755 openresty/docker-entrypoint.d/90-copy-modsecurity-config.sh
 delete mode 100755 openresty/docker-entrypoint.d/91-update-resolver.sh
 delete mode 100755 openresty/docker-entrypoint.d/92-update-real_ip.sh
 delete mode 100755 openresty/docker-entrypoint.d/93-update-proxy-ssl-config.sh
 delete mode 100755 openresty/docker-entrypoint.sh
 delete mode 100644 openresty/templates/includes/location_common.conf.template
 delete mode 100644 openresty/templates/nginx.conf.template
diff --git a/README-containers.md b/README-containers.md
index 0ff2b199..d487fd9e 100644
--- a/README-containers.md
+++ b/README-containers.md
@@ -22,7 +22,6 @@ The stable tag format is `-[-]-`. Examples: * `4-nginx-202401121309` * `4.0-apache-alpine-202401121309` - * `4.0.0-openresty-alpine-fat-202401121309` ### Rolling Tags @@ -36,4 +35,3 @@ The stable tag format is `[-]`. Examples: * `nginx` * `apache-alpine` - * `openresty-alpine-fat` diff --git a/README.md b/README.md index b3c7ff32..951773e0 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,6 @@ The stable tag format is `-[-]-`. Examples: * `4-nginx-202401121309` * `4.0-apache-alpine-202401121309` - * `4.0.0-openresty-alpine-fat-202401121309` ### Rolling Tags @@ -40,22 +39,19 @@ The stable tag format is `[-]`. Examples: * `nginx` * `apache-alpine` - * `openresty-alpine-fat` ## OS Variants * nginx – *latest stable ModSecurity v3 on Nginx 1.27.3 official stable base image, and latest stable OWASP CRS 4.9.0* * [nginx](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile) * [nginx-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine) -* Openresty - *last stable ModSecurity v3 on OpenResty 1.25.3.1 official stable base image, and latest stable OWASP CRS 4.9.0* - * [openresty-alpine-fat](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/openresty/Dockerfile-alpine) * Apache httpd – *last stable ModSecurity v2 on Apache 2.4.62 official stable base image, and latest stable OWASP CRS 4.9.0* * [apache](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile) * [apache-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine) ### Notes regarding Openresty version of this image -We currently only provide a version of the Openresty image based on **Alpine Linux**. The Dockerfile for Openresty resides in the [docker-openresty repository](https://github.com/openresty/docker-openresty/blob/master/alpine/Dockerfile.fat). +* The version was removed as no maintainer was found. ## Supported architectures 
@@ -159,16 +155,16 @@ These variables are common to image variants and will set defaults based on the
 | METRICS_ALLOW_FROM | A single range of IP adresses that can access the metrics | `127.0.0.0/255.0.0.0 ::1/128` | `127.0.0.0/24` |
 | METRICS_DENY_FROM | A range of IP adresses that cannot access the metrics | `All` | `all` |
 | METRICSLOG | Location of metrics log file | `/dev/null` | - |
-| PROXY_SSL_CERT | A string indicating the path to the PEM-encoded X.509 certificate data file or token identifier of the proxied server | `/usr/local/apache2/conf/proxy.crt` | `/etc/nginx/conf/proxy.crt` / `/usr/local/openresty/nginx/conf/proxy.crt` |
-| PROXY_SSL_CERT_KEY | A string indicating the path to the PEM-encoded private key file of the proxied server | `/usr/local/apache2/conf/proxy.key` | `/etc/nginx/conf/proxy.key` / `/usr/local/openresty/nginx/conf/proxy.key` |
+| PROXY_SSL_CERT | A string indicating the path to the PEM-encoded X.509 certificate data file or token identifier of the proxied server | `/usr/local/apache2/conf/proxy.crt` | `/etc/nginx/conf/proxy.crt` |
+| PROXY_SSL_CERT_KEY | A string indicating the path to the PEM-encoded private key file of the proxied server | `/usr/local/apache2/conf/proxy.key` | `/etc/nginx/conf/proxy.key` |
 | PROXY_SSL_CIPHERS| A string indicating the cipher suite to connect to the backend via TLS | `"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"` | - |
 | PROXY_SSL_PROTOCOLS | TLS protocols to enable for the connection to the backend | `"all -SSLv3 -TLSv1 -TLSv1.1"` | `TTLSv1.2 TLSv1.3` |
 | PROXY_SSL | SSL Proxy Engine Operation Switch | `off` | - |
 | PROXY_SSL_VERIFY | A string value indicating the type of proxy server Certificate verification | `none` | `off` |
 | PROXY_TIMEOUT | Number of seconds for proxied requests to time out | `60` | `60s` |
 | SERVER_NAME | The server name | `localhost` | - |
-| SSL_CERT | A string indicating the path to the PEM-encoded X.509 certificate data file or token identifier of the proxied server | `/usr/local/apache2/conf/server.crt` | `/etc/nginx/conf/server.crt` / `/usr/local/openresty/nginx/conf/server.crt` |
-| SSL_CERT_KEY | A string indicating the path to the PEM-encoded private key file of the proxied server | `/usr/local/apache2/conf/server.key` | `/etc/nginx/conf/server.key` / `/usr/local/openresty/nginx/conf/server.key` |
+| SSL_CERT | A string indicating the path to the PEM-encoded X.509 certificate data file or token identifier of the proxied server | `/usr/local/apache2/conf/server.crt` | `/etc/nginx/conf/server.crt` |
+| SSL_CERT_KEY | A string indicating the path to the PEM-encoded private key file of the proxied server | `/usr/local/apache2/conf/server.key` | `/etc/nginx/conf/server.key` |
 | SSL_CIPHERS| A string indicating the cipher suite for incoming TLS connections | `"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"` | - |
 | SSL_OCSP_STAPLING | Enable / disable OCSP stapling | `On` | `on` |
 | SSL_PROTOCOLS | TLS protocols to enable for the connection to the backend | `"all -SSLv3 -TLSv1 -TLSv1.1"` | `TTLSv1.2 TLSv1.3` |
diff --git a/docker-bake.hcl b/docker-bake.hcl
index 4990ef1a..fbaf2e91 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -24,11 +24,6 @@ variable "httpd-version" {
 default = "2.4.62"
 }
-variable "openresty-version" {
- # renovate: depName=openresty/openresty datasource=docker
- default = "1.25.3.1"
-}
-
 variable "lua-version" {
 default = "5.3"
 }
@@ -103,7 +98,6 @@ group "default" {
 "apache-alpine",
 "nginx",
 "nginx-alpine",
- "openresty-alpine-fat"
 ]
 }
@@ -173,16 +167,3 @@ target "nginx-alpine" {
 )
 }
-target "openresty-alpine-fat" {
- inherits = ["platforms-base"]
- platforms = ["linux/amd64", "linux/arm64/v8"]
- dockerfile="openresty/Dockerfile-alpine"
- args = {
- OPENRESTY_VERSION = "${openresty-version}"
- NGINX_VERSION = patch(openresty-version)
- LUA_MODULES = join(" ", lua-modules-luarocks)
- }
- tags = concat(tag("openresty-alpine-fat"),
- vtag("${crs-version}", "openresty-alpine-fat")
- )
-}
diff --git a/openresty/Dockerfile-alpine b/openresty/Dockerfile-alpine
deleted file mode 100644
index e446d7e6..00000000
--- a/openresty/Dockerfile-alpine
+++ /dev/null
@@ -1,259 +0,0 @@ -# Current latest Openresty version is here. -# Also specify the nginx core used. (Openresty, adds their own version numbers after the nginx one, so we can't use the same number for both Openresty and nginx) -ARG OPENRESTY_VERSION="n/a" - -FROM openresty/openresty:${OPENRESTY_VERSION}-alpine-fat AS build - -ARG OPENRESTY_VERSION -ARG MODSEC3_VERSION="n/a" -ARG NGINX_VERSION="n/a" - -# Note: pcre-dev (PCRE 1) is required by the build description, -# even though the build will use PCRE2. -RUN set -eux; \ - apk add --no-cache --virtual .build-deps \ - autoconf \ - automake \ - ca-certificates \ - coreutils \ - curl-dev \ - g++ \ - gcc \ - geoip-dev \ - git \ - libc-dev \ - libfuzzy2-dev \ - libmaxminddb-dev \ - libstdc++ \ - libtool \ - libxml2-dev \ - libxml2 \ - libxslt-dev \ - libxslt \ - linux-headers \ - lmdb-dev \ - make \ - patch \ - pkgconfig \ - pcre-dev \ - pcre2-dev \ - yajl-dev \ - gd \ - gd-dev \ - zlib-dev - - -WORKDIR /sources - -# Download ModSecurity and compile it. -RUN set -eux; \ - git clone https://github.com/owasp-modsecurity/ModSecurity --branch "v${MODSEC3_VERSION}" --depth 1 --recursive; \ - cd ModSecurity; \ - ARCH=$(gcc -print-multiarch); \ - sed -ie "s/i386-linux-gnu/${ARCH}/g" build/ssdeep.m4; \ - sed -ie "s/i386-linux-gnu/${ARCH}/g" build/pcre2.m4; \ - ./build.sh; \ - ./configure --with-yajl --with-ssdeep --with-lmdb --with-geoip --enable-silent-rules --with-pcre2 --with-maxmind; \ - make install; \ - strip /usr/local/modsecurity/lib/lib*.so* - -# We use latest version of the ModSecurity nginx connector. -# Download Openresty bundle for the specific version. We can then get the compilation options for nginx from the installed Openresty in the docker image to be used with the 'configure' script inside the openresty bundle to configure the ModSecurity-nginx module and then build it. I did not find the configure script inside the Openresty Docker image. 
-# Specify the LUAJIT_LIB and LUAJIT_INC that are already installed in the base image. -RUN set -eux; \ - git clone -b master --depth 1 https://github.com/owasp-modsecurity/ModSecurity-nginx.git; \ - curl -sSL https://openresty.org/download/openresty-"${OPENRESTY_VERSION}".tar.gz | tar -xzf -; \ - cd "./openresty-${OPENRESTY_VERSION}/bundle/nginx-${NGINX_VERSION}"; \ - export LUAJIT_LIB="/usr/local/openresty/luajit/lib"; \ - export LUAJIT_INC="/usr/local/openresty/luajit/include/luajit-2.1"; \ - COMPILEOPTIONS=$(openresty -V 2>&1| grep -i "arguments"|cut -d ":" -f2-); \ - eval ./configure $COMPILEOPTIONS --add-dynamic-module=../../../ModSecurity-nginx; \ - make modules; \ - cp objs/ngx_http_modsecurity_module.so /usr/local/openresty/nginx/modules/; \ - mkdir /etc/modsecurity.d; \ - curl -sSL https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/unicode.mapping \ - -o /etc/modsecurity.d/unicode.mapping - -# Generate/Download Diffie-Hellman parameter files -RUN set -eux; \ - mkdir -p /usr/share/TLS; \ - curl -sSL https://ssl-config.mozilla.org/ffdhe2048.txt -o /usr/share/TLS/dhparam-2048.pem; \ - curl -sSL https://ssl-config.mozilla.org/ffdhe4096.txt -o /usr/share/TLS/dhparam-4096.pem - -FROM openresty/openresty:${OPENRESTY_VERSION}-alpine-fat AS crs_release - -ARG CRS_RELEASE - -# hadolint ignore=DL3008,SC2016 -RUN set -eux; \ - apk add --no-cache \ - ca-certificates \ - curl \ - gnupg; \ - mkdir /opt/owasp-crs; \ - curl -sSL https://github.com/coreruleset/coreruleset/releases/download/v${CRS_RELEASE}/coreruleset-${CRS_RELEASE}-minimal.tar.gz -o v${CRS_RELEASE}-minimal.tar.gz; \ - curl -sSL https://github.com/coreruleset/coreruleset/releases/download/v${CRS_RELEASE}/coreruleset-${CRS_RELEASE}-minimal.tar.gz.asc -o coreruleset-${CRS_RELEASE}-minimal.tar.gz.asc; \ - gpg --fetch-key https://coreruleset.org/security.asc; \ - gpg --verify coreruleset-${CRS_RELEASE}-minimal.tar.gz.asc v${CRS_RELEASE}-minimal.tar.gz; \ - tar -zxf 
v${CRS_RELEASE}-minimal.tar.gz --strip-components=1 -C /opt/owasp-crs; \ - rm -f v${CRS_RELEASE}-minimal.tar.gz coreruleset-${CRS_RELEASE}-minimal.tar.gz.asc; \ - mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf - -FROM openresty/openresty:${OPENRESTY_VERSION}-alpine-fat - -ARG MODSEC3_VERSION -ARG LUA_MODULES - -LABEL maintainer="Taavi Ansper " - -ENV \ - ACCESSLOG=/var/log/nginx/access.log \ - BACKEND=http://localhost:80 \ - DNS_SERVER= \ - ERRORLOG=/var/log/nginx/error.log \ - KEEPALIVE_TIMEOUT=60s \ - # Change LD_LIBRARY_PATH from normal nginx setup. Do not add /usr/lib or /lib - LD_LIBRARY_PATH=/usr/local/lib:/usr/local/openresty \ - LOGLEVEL=warn \ - METRICS_ALLOW_FROM='127.0.0.0/24' \ - METRICS_DENY_FROM='all' \ - METRICSLOG=/dev/null \ - MODSEC_ARGUMENT_SEPARATOR="&" \ - MODSEC_ARGUMENTS_LIMIT=1000 \ - MODSEC_AUDIT_ENGINE="RelevantOnly" \ - MODSEC_AUDIT_LOG=/dev/stdout \ - MODSEC_AUDIT_LOG_FORMAT=JSON \ - MODSEC_AUDIT_LOG_PARTS='ABIJDEFHZ' \ - MODSEC_AUDIT_LOG_RELEVANT_STATUS="^(?:5|4(?!04))" \ - MODSEC_AUDIT_LOG_TYPE=Serial \ - MODSEC_COOKIE_FORMAT=0 \ - MODSEC_AUDIT_STORAGE_DIR=/var/log/modsecurity/audit/ \ - MODSEC_DATA_DIR=/tmp/modsecurity/data \ - MODSEC_DEBUG_LOG=/dev/null \ - MODSEC_DEBUG_LOGLEVEL=0 \ - MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \ - MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \ - MODSEC_DISABLE_BACKEND_COMPRESSION="Off" \ - MODSEC_PCRE_MATCH_LIMIT=100000 \ - MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 \ - MODSEC_REQ_BODY_ACCESS=on \ - MODSEC_REQ_BODY_JSON_DEPTH_LIMIT=512 \ - MODSEC_REQ_BODY_LIMIT=13107200 \ - MODSEC_REQ_BODY_LIMIT_ACTION="Reject" \ - MODSEC_REQ_BODY_NOFILES_LIMIT=131072 \ - MODSEC_RESP_BODY_ACCESS=on \ - MODSEC_RESP_BODY_LIMIT=1048576 \ - MODSEC_RESP_BODY_LIMIT_ACTION="ProcessPartial" \ - MODSEC_RESP_BODY_MIMETYPE="text/plain text/html text/xml" \ - MODSEC_RULE_ENGINE=on \ - MODSEC_STATUS_ENGINE="Off" \ - MODSEC_TAG=modsecurity \ - 
MODSEC_TMP_DIR=/tmp/modsecurity/tmp \ - MODSEC_TMP_SAVE_UPLOADED_FILES="on" \ - MODSEC_UNICODE_MAPPING=20127 \ - MODSEC_UPLOAD_DIR=/tmp/modsecurity/upload \ - MODSEC_UPLOAD_FILE_MODE=0600 \ - MODSEC_UPLOAD_KEEP_FILES=Off \ - NGINX_ALWAYS_TLS_REDIRECT=off \ - NGINX_ENVSUBST_OUTPUT_DIR=/usr/local/openresty/nginx/conf \ - PORT=80 \ - PROXY_SSL_CERT_KEY=/usr/local/openresty/nginx/conf/proxy.key \ - PROXY_SSL_CERT=/usr/local/openresty/nginx/conf/proxy.crt \ - PROXY_SSL_CIPHERS="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \ - PROXY_SSL=off \ - PROXY_SSL_PROTOCOLS="TLSv1.2 TLSv1.3" \ - PROXY_SSL_VERIFY_DEPTH=1 \ - PROXY_SSL_VERIFY=off \ - PROXY_TIMEOUT=60s \ - REAL_IP_HEADER="X-REAL-IP" \ - REAL_IP_PROXY_HEADER="X-REAL-IP" \ - REAL_IP_RECURSIVE="on" \ - SERVER_NAME=localhost \ - SERVER_TOKENS=off \ - SET_REAL_IP_FROM="127.0.0.1" \ - SSL_CERT_KEY=/usr/local/openresty/nginx/conf/server.key \ - SSL_CERT=/usr/local/openresty/nginx/conf/server.crt \ - SSL_CIPHERS="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \ - SSL_DH_BITS=2048 \ - SSL_OCSP_STAPLING=on \ - SSL_PORT=443 \ - SSL_PREFER_CIPHERS=off \ - SSL_PROTOCOLS="TLSv1.2 TLSv1.3" \ - SSL_VERIFY_DEPTH=1 \ - SSL_VERIFY=off \ - WORKER_CONNECTIONS=1024 \ - # CRS specific variables - PARANOIA=1 \ - ANOMALY_INBOUND=5 \ - ANOMALY_OUTBOUND=4 \ - BLOCKING_PARANOIA=1 - -COPY --from=build /usr/local/modsecurity/lib/libmodsecurity.so.${MODSEC3_VERSION} /usr/local/modsecurity/lib/ -COPY --from=build /usr/local/openresty/nginx/modules/ngx_http_modsecurity_module.so /usr/local/openresty/nginx/modules/ngx_http_modsecurity_module.so -COPY --from=build /usr/share/TLS/dhparam-* 
/etc/ssl/certs/ -COPY --from=build /etc/modsecurity.d/unicode.mapping /etc/modsecurity.d/unicode.mapping -COPY --from=crs_release /opt/owasp-crs /opt/owasp-crs -# We use the templating mechanism from the nginx image here. -# Everything from templates except the nginx configuration, is the same for Openresty. -COPY nginx/templates/conf.d /usr/local/openresty/nginx/templates/conf.d -COPY nginx/templates/includes /usr/local/openresty/nginx/templates/includes -COPY nginx/templates/modsecurity.d /usr/local/openresty/nginx/templates/modsecurity.d -# Copy the nginx configuration separately -COPY src/etc/modsecurity.d/modsecurity.conf /usr/local/openresty/nginx/templates/modsecurity.d/modsecurity.conf.template -COPY src/etc/modsecurity.d/modsecurity-override.conf /usr/local/openresty/nginx/templates/modsecurity.d/modsecurity-override.conf.template -COPY src/etc/modsecurity.d/setup.conf /usr/local/openresty/nginx/templates/modsecurity.d/setup.conf.template -COPY src/opt/modsecurity/activate-plugins.sh /docker-entrypoint.d/94-activate-plugins.sh -COPY src/opt/modsecurity/activate-rules.sh /docker-entrypoint.d/95-activate-rules.sh -COPY src/bin/* /usr/local/bin/ - -# Openresty specific block. -COPY openresty/templates/nginx.conf.template /usr/local/openresty/nginx/templates -COPY openresty/docker-entrypoint.sh / -COPY openresty/docker-entrypoint.d/*.sh /docker-entrypoint.d/ - - -RUN set -eux; \ - apk add --no-cache \ - curl \ - curl-dev \ - libfuzzy2 \ - libmaxminddb-dev \ - libstdc++ \ - libxml2-dev \ - lmdb-dev \ - git \ - moreutils \ - tzdata \ - openssl \ - pcre \ - pcre2 \ - # Alpine needs GNU 'sed' because the 'sed' program shipped with busybox does not support 'z' parameter for separating lines with a 'NUL' character. 
- sed \
- yajl; \
- # Install lua modules here
- for module in lua-resty-openidc ${LUA_MODULES}; do \
- luarocks install "${module}"; \
- done; \
- mkdir /var/log/nginx; \
- mkdir -p /tmp/modsecurity/data; \
- mkdir -p /tmp/modsecurity/upload; \
- mkdir -p /tmp/modsecurity/tmp; \
- mkdir -p /usr/local/modsecurity; \
- chown -R nobody:nobody /tmp/modsecurity; \
- # Comment out the SecDisableBackendCompression option since it is not supported in V3
- sed -i 's/^\(SecDisableBackendCompression .*\)/# \1/' /usr/local/openresty/nginx/templates/modsecurity.d/modsecurity-override.conf.template; \
- ln -s /usr/local/modsecurity/lib/libmodsecurity.so.${MODSEC3_VERSION} /usr/local/modsecurity/lib/libmodsecurity.so.3.0; \
- ln -s /usr/local/modsecurity/lib/libmodsecurity.so.${MODSEC3_VERSION} /usr/local/modsecurity/lib/libmodsecurity.so.3; \
- ln -s /usr/local/modsecurity/lib/libmodsecurity.so.${MODSEC3_VERSION} /usr/local/modsecurity/lib/libmodsecurity.so; \
- ln -sv /opt/owasp-crs /etc/modsecurity.d/; \
- chmod -R g=u /var/log/ /var/run/ /usr/local/openresty/nginx/ /etc/modsecurity.d/
-
-EXPOSE 80
-
-HEALTHCHECK CMD /usr/local/bin/healthcheck
-
-# The Openresty image is not based on the nginx image.
-# This Dockerfile integrates the docker-entrypoint and envsubst logic from there into here.
-ENTRYPOINT ["/docker-entrypoint.sh"]
-
-CMD ["/usr/local/openresty/bin/openresty", "-g", "daemon off;"]
diff --git a/openresty/docker-entrypoint.d/10-generate-certificate.sh b/openresty/docker-entrypoint.d/10-generate-certificate.sh
deleted file mode 100755
index 9920607c..00000000
--- a/openresty/docker-entrypoint.d/10-generate-certificate.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/sh
-# vim:sw=2:ts=2:sts=2:et
-
-set -eu
-
-LC_ALL=C
-ME=$( basename "$0" )
-PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-
-/usr/local/bin/generate-certificate /usr/local/openresty/nginx
-
-exit 0
diff --git a/openresty/docker-entrypoint.d/20-envsubst-on-templates.sh b/openresty/docker-entrypoint.d/20-envsubst-on-templates.sh
deleted file mode 100755
index b90d9a9c..00000000
--- a/openresty/docker-entrypoint.d/20-envsubst-on-templates.sh
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/sh
-
-set -e
-
-ME=$(basename $0)
-
-entrypoint_log() {
- if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
- echo "$@"
- fi
-}
-
-auto_envsubst() {
- local template_dir="${NGINX_ENVSUBST_TEMPLATE_DIR:-/usr/local/openresty/nginx/templates}"
- local suffix="${NGINX_ENVSUBST_TEMPLATE_SUFFIX:-.template}"
- local output_dir="${NGINX_ENVSUBST_OUTPUT_DIR:-/usr/local/openresty/nginx/conf}"
- local filter="${NGINX_ENVSUBST_FILTER:-}"
-
- local template defined_envs relative_path output_path subdir
- defined_envs=$(printf '${%s} ' $(awk "END { for (name in ENVIRON) { print ( name ~ /${filter}/ ) ? name : \"\" } }" < /dev/null ))
- [ -d "$template_dir" ] || return 0
- if [ ! -w "$output_dir" ]; then
- entrypoint_log "$ME: ERROR: $template_dir exists, but $output_dir is not writable"
- return 0
- fi
- find "$template_dir" -follow -type f -name "*$suffix" -print | while read -r template; do
- relative_path="${template#$template_dir/}"
- output_path="$output_dir/${relative_path%$suffix}"
- subdir=$(dirname "$relative_path")
- # create a subdirectory where the template file exists
- mkdir -p "$output_dir/$subdir"
- entrypoint_log "$ME: Running envsubst on $template to $output_path"
- envsubst "$defined_envs" < "$template" > "$output_path"
- done
-}
-
-auto_envsubst
-
-exit 0
diff --git a/openresty/docker-entrypoint.d/25-listen-on-ipv6-by-default.sh b/openresty/docker-entrypoint.d/25-listen-on-ipv6-by-default.sh
deleted file mode 100755
index 8c75c997..00000000
--- a/openresty/docker-entrypoint.d/25-listen-on-ipv6-by-default.sh
+++ /dev/null
@@ -1,67 +0,0 @@
-#!/bin/sh
-# vim:sw=4:ts=4:et
-
-set -e
-
-entrypoint_log() {
- if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
- echo "$@"
- fi
-}
-
-ME=$(basename $0)
-DEFAULT_CONF_FILE="usr/local/openresty/nginx/conf/conf.d/default.conf"
-
-# check if we have ipv6 available
-if [ ! -f "/proc/net/if_inet6" ]; then
- entrypoint_log "$ME: info: ipv6 not available"
- exit 0
-fi
-
-if [ ! -f "/$DEFAULT_CONF_FILE" ]; then
- entrypoint_log "$ME: info: /$DEFAULT_CONF_FILE is not a file or does not exist"
- exit 0
-fi
-
-# check if the file can be modified, e.g. not on a r/o filesystem
-touch /$DEFAULT_CONF_FILE 2>/dev/null || { entrypoint_log "$ME: info: can not modify /$DEFAULT_CONF_FILE (read-only file system?)"; exit 0; }
-
-# check if the file is already modified, e.g. on a container restart
-grep -q "listen \[::]\:80;" /$DEFAULT_CONF_FILE && { entrypoint_log "$ME: info: IPv6 listen already enabled"; exit 0; }
-
-if [ -f "/etc/os-release" ]; then
- . /etc/os-release
-else
- entrypoint_log "$ME: info: can not guess the operating system"
- exit 0
-fi
-
-entrypoint_log "$ME: info: Getting the checksum of /$DEFAULT_CONF_FILE"
-
-case "$ID" in
- "debian")
- CHECKSUM=$(dpkg-query --show --showformat='${Conffiles}\n' nginx | grep $DEFAULT_CONF_FILE | cut -d' ' -f 3)
- echo "$CHECKSUM /$DEFAULT_CONF_FILE" | md5sum -c - >/dev/null 2>&1 || {
- entrypoint_log "$ME: info: /$DEFAULT_CONF_FILE differs from the packaged version"
- exit 0
- }
- ;;
- "alpine")
- CHECKSUM=$(apk manifest nginx 2>/dev/null| grep $DEFAULT_CONF_FILE | cut -d' ' -f 1 | cut -d ':' -f 2)
- echo "$CHECKSUM /$DEFAULT_CONF_FILE" | sha1sum -c - >/dev/null 2>&1 || {
- entrypoint_log "$ME: info: /$DEFAULT_CONF_FILE differs from the packaged version"
- exit 0
- }
- ;;
- *)
- entrypoint_log "$ME: info: Unsupported distribution"
- exit 0
- ;;
-esac
-
-# enable ipv6 on default.conf listen sockets
-sed -i -E 's,listen 80;,listen 80;\n listen [::]:80;,' /$DEFAULT_CONF_FILE
-
-entrypoint_log "$ME: info: Enabled listen on IPv6 in /$DEFAULT_CONF_FILE"
-
-exit 0
diff --git a/openresty/docker-entrypoint.d/30-tune-worker-processes.sh b/openresty/docker-entrypoint.d/30-tune-worker-processes.sh
deleted file mode 100755
index 6314e52e..00000000
--- a/openresty/docker-entrypoint.d/30-tune-worker-processes.sh
+++ /dev/null
@@ -1,188 +0,0 @@ -#!/bin/sh -# vim:sw=2:ts=2:sts=2:et - -set -eu - -LC_ALL=C -ME=$( basename "$0" ) -PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin - -[ "${NGINX_ENTRYPOINT_WORKER_PROCESSES_AUTOTUNE:-}" ] || exit 0 - -touch /usr/local/openresty/nginx/nginx.conf 2>/dev/null || { echo >&2 "$ME: error: can not modify /usr/local/openresty/nginx/nginx.conf (read-only file system?)"; exit 0; } - -ceildiv() { - num=$1 - div=$2 - echo $(( (num + div - 1) / div )) -} - -get_cpuset() { - cpusetroot=$1 - cpusetfile=$2 - ncpu=0 - [ -f "$cpusetroot/$cpusetfile" ] || return 1 - for token in $( tr ',' ' ' < "$cpusetroot/$cpusetfile" ); do - case "$token" in - *-*) - count=$( seq $(echo "$token" | tr '-' ' ') | wc -l ) - ncpu=$(( ncpu+count )) - ;; - *) - ncpu=$(( ncpu+1 )) - ;; - esac - done - echo "$ncpu" -} - -get_quota() { - cpuroot=$1 - ncpu=0 - [ -f "$cpuroot/cpu.cfs_quota_us" ] || return 1 - [ -f "$cpuroot/cpu.cfs_period_us" ] || return 1 - cfs_quota=$( cat "$cpuroot/cpu.cfs_quota_us" ) - cfs_period=$( cat "$cpuroot/cpu.cfs_period_us" ) - [ "$cfs_quota" = "-1" ] && return 1 - [ "$cfs_period" = "0" ] && return 1 - ncpu=$( ceildiv "$cfs_quota" "$cfs_period" ) - [ "$ncpu" -gt 0 ] || return 1 - echo "$ncpu" -} - -get_quota_v2() { - cpuroot=$1 - ncpu=0 - [ -f "$cpuroot/cpu.max" ] || return 1 - cfs_quota=$( cut -d' ' -f 1 < "$cpuroot/cpu.max" ) - cfs_period=$( cut -d' ' -f 2 < "$cpuroot/cpu.max" ) - [ "$cfs_quota" = "max" ] && return 1 - [ "$cfs_period" = "0" ] && return 1 - ncpu=$( ceildiv "$cfs_quota" "$cfs_period" ) - [ "$ncpu" -gt 0 ] || return 1 - echo "$ncpu" -} - -get_cgroup_v1_path() { - needle=$1 - found= - foundroot= - mountpoint= - - [ -r "/proc/self/mountinfo" ] || return 1 - [ -r "/proc/self/cgroup" ] || return 1 - - while IFS= read -r line; do - case "$needle" in - "cpuset") - case "$line" in - *cpuset*) - found=$( echo "$line" | cut -d ' ' -f 4,5 ) - break - ;; - esac - ;; - "cpu") - case "$line" in - *cpuset*) - ;; - 
*cpu,cpuacct*|*cpuacct,cpu|*cpuacct*|*cpu*) - found=$( echo "$line" | cut -d ' ' -f 4,5 ) - break - ;; - esac - esac - done << __EOF__ -$( grep -F -- '- cgroup ' /proc/self/mountinfo ) -__EOF__ - - while IFS= read -r line; do - controller=$( echo "$line" | cut -d: -f 2 ) - case "$needle" in - "cpuset") - case "$controller" in - cpuset) - mountpoint=$( echo "$line" | cut -d: -f 3 ) - break - ;; - esac - ;; - "cpu") - case "$controller" in - cpu,cpuacct|cpuacct,cpu|cpuacct|cpu) - mountpoint=$( echo "$line" | cut -d: -f 3 ) - break - ;; - esac - ;; - esac -done << __EOF__ -$( grep -F -- 'cpu' /proc/self/cgroup ) -__EOF__ - - case "${found%% *}" in - "/") - foundroot="${found##* }$mountpoint" - ;; - "$mountpoint") - foundroot="${found##* }" - ;; - esac - echo "$foundroot" -} - -get_cgroup_v2_path() { - found= - foundroot= - mountpoint= - - [ -r "/proc/self/mountinfo" ] || return 1 - [ -r "/proc/self/cgroup" ] || return 1 - - while IFS= read -r line; do - found=$( echo "$line" | cut -d ' ' -f 4,5 ) - done << __EOF__ -$( grep -F -- '- cgroup2 ' /proc/self/mountinfo ) -__EOF__ - - while IFS= read -r line; do - mountpoint=$( echo "$line" | cut -d: -f 3 ) -done << __EOF__ -$( grep -F -- '0::' /proc/self/cgroup ) -__EOF__ - - case "${found%% *}" in - "") - return 1 - ;; - "/") - foundroot="${found##* }$mountpoint" - ;; - "$mountpoint" | /../*) - foundroot="${found##* }" - ;; - esac - echo "$foundroot" -} - -ncpu_online=$( getconf _NPROCESSORS_ONLN ) -ncpu_cpuset= -ncpu_quota= -ncpu_cpuset_v2= -ncpu_quota_v2= - -cpuset=$( get_cgroup_v1_path "cpuset" ) && ncpu_cpuset=$( get_cpuset "$cpuset" "cpuset.effective_cpus" ) || ncpu_cpuset=$ncpu_online -cpu=$( get_cgroup_v1_path "cpu" ) && ncpu_quota=$( get_quota "$cpu" ) || ncpu_quota=$ncpu_online -cgroup_v2=$( get_cgroup_v2_path ) && ncpu_cpuset_v2=$( get_cpuset "$cgroup_v2" "cpuset.cpus.effective" ) || ncpu_cpuset_v2=$ncpu_online -cgroup_v2=$( get_cgroup_v2_path ) && ncpu_quota_v2=$( get_quota_v2 "$cgroup_v2" ) || 
ncpu_quota_v2=$ncpu_online
-
-ncpu=$( printf "%s\n%s\n%s\n%s\n%s\n" \
- "$ncpu_online" \
- "$ncpu_cpuset" \
- "$ncpu_quota" \
- "$ncpu_cpuset_v2" \
- "$ncpu_quota_v2" \
- | sort -n \
- | head -n 1 )
-
-sed -i.bak -r 's/^(worker_processes)(.*)$/# Commented out by '"$ME"' on '"$(date)"'\n#\1\2\n\1 '"$ncpu"';/' /usr/local/openresty/nginx/nginx.conf
diff --git a/openresty/docker-entrypoint.d/90-copy-modsecurity-config.sh b/openresty/docker-entrypoint.d/90-copy-modsecurity-config.sh
deleted file mode 100755
index 162b530e..00000000
--- a/openresty/docker-entrypoint.d/90-copy-modsecurity-config.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/sh
-# vim:sw=2:ts=2:sts=2:et
-
-set -eu
-
-LC_ALL=C
-ME=$( basename "$0" )
-PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-
-touch /etc/modsecurity.d/modsecurity-override.conf 2>/dev/null || { echo >&2 "$ME: error: can not modify /etc/modsecurity.d/modsecurity-override.conf (read-only file system?)"; exit 1; }
-
-cp /usr/local/openresty/nginx/conf/modsecurity.d/*.conf /etc/modsecurity.d 2>/dev/null || { echo >&2 "$ME: error: cannot copy config files to /etc/modsecurity.d"; exit 2; }
-
-exit 0
diff --git a/openresty/docker-entrypoint.d/91-update-resolver.sh b/openresty/docker-entrypoint.d/91-update-resolver.sh
deleted file mode 100755
index 5ddb6b45..00000000
--- a/openresty/docker-entrypoint.d/91-update-resolver.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/sh
-# vim:sw=2:ts=2:sts=2:et
-
-set -eu
-
-LC_ALL=C
-ME=$( basename "$0" )
-PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-
-DNS_SERVER="${DNS_SERVER:-$(grep -i '^nameserver' /etc/resolv.conf | head -n1 | cut -d ' ' -f2)}"
-
-sed -i.bak -r 's/DNS_SERVER/'"${DNS_SERVER}"'/' /usr/local/openresty/nginx/conf/nginx.conf
diff --git a/openresty/docker-entrypoint.d/92-update-real_ip.sh b/openresty/docker-entrypoint.d/92-update-real_ip.sh
deleted file mode 100755
index 74caf2be..00000000
--- a/openresty/docker-entrypoint.d/92-update-real_ip.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/sh
-# vim:sw=2:ts=2:sts=2:et
-
-set -eu
-
-LC_ALL=C
-ME=$( basename "$0" )
-PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-
-# split comma separated IP addresses into multiple `set_real_ip xxx;` lines
-SET_REAL_IP_FROM="$(echo "${SET_REAL_IP_FROM}" | awk -F, '{for(i=1; i<=NF; i++) printf "set_real_ip_from "$i";\\n"}')"
-
-sed -i.bak -r 's#SET_REAL_IP_FROM#'"${SET_REAL_IP_FROM}"'#' /usr/local/openresty/nginx/conf/includes/proxy_backend.conf
diff --git a/openresty/docker-entrypoint.d/93-update-proxy-ssl-config.sh b/openresty/docker-entrypoint.d/93-update-proxy-ssl-config.sh
deleted file mode 100755
index 0d2c29ad..00000000
--- a/openresty/docker-entrypoint.d/93-update-proxy-ssl-config.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/sh
-# vim:sw=2:ts=2:sts=2:et
-
-set -eu
-
-LC_ALL=C
-PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-
-PROXY_SSL_CONFIG=""
-if [ "${PROXY_SSL}" = "on" ]; then
- PROXY_SSL_CONFIG="include includes/proxy_backend_ssl.conf;"
-fi
-
-sed -i.bak -r 's#PROXY_SSL_CONFIG#'"${PROXY_SSL_CONFIG}"'#' /usr/local/openresty/nginx/conf/conf.d/default.conf
diff --git a/openresty/docker-entrypoint.sh b/openresty/docker-entrypoint.sh
deleted file mode 100755
index cc1335de..00000000
--- a/openresty/docker-entrypoint.sh
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/sh
-# vim:sw=4:ts=4:et
-
-set -e
-
-entrypoint_log() {
- if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
- echo "$@"
- fi
-}
-
-if [ "$1" = "/usr/local/openresty/bin/openresty" ]; then
- if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
- entrypoint_log "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"
-
- entrypoint_log "$0: Looking for shell scripts in /docker-entrypoint.d/"
- find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
- case "$f" in
- *.envsh)
- if [ -x "$f" ]; then
- entrypoint_log "$0: Sourcing $f";
- . "$f"
- else
- # warn on shell scripts without exec bit
- entrypoint_log "$0: Ignoring $f, not executable";
- fi
- ;;
- *.sh)
- if [ -x "$f" ]; then
- entrypoint_log "$0: Launching $f";
- "$f"
- else
- # warn on shell scripts without exec bit
- entrypoint_log "$0: Ignoring $f, not executable";
- fi
- ;;
- *) entrypoint_log "$0: Ignoring $f";;
- esac
- done
-
- entrypoint_log "$0: Configuration complete; ready for start up"
- else
- entrypoint_log "$0: No files found in /docker-entrypoint.d/, skipping configuration"
- fi
-fi
-
-exec "$@"
diff --git a/openresty/templates/includes/location_common.conf.template b/openresty/templates/includes/location_common.conf.template
deleted file mode 100644
index db02c20a..00000000
--- a/openresty/templates/includes/location_common.conf.template
+++ /dev/null
@@ -1,19 +0,0 @@
-
-location /healthz {
- access_log off;
- add_header Content-Type text/plain;
- return 200 "OK";
-}
-
-location /metrics/nginx {
- access_log off;
- allow ${METRICS_ALLOW_FROM};
- deny ${METRICS_DENY_FROM};
- proxy_store off;
- stub_status;
-}
-
-error_page 500 502 503 504 /50x.html;
-location = /50x.html {
- root /usr/share/nginx/html;
-}
diff --git a/openresty/templates/nginx.conf.template b/openresty/templates/nginx.conf.template
deleted file mode 100644
index 9031e654..00000000
--- a/openresty/templates/nginx.conf.template
+++ /dev/null
@@ -1,32 +0,0 @@
-# nginx.conf -- docker-openresty-modsecurity-crs
-
-# Enables the use of JIT for regular expressions to speed-up their processing.
-pcre_jit on;
-
-load_module modules/ngx_http_modsecurity_module.so;
-
-worker_processes auto;
-pid /var/run/nginx.pid;
-
-events {
- worker_connections ${WORKER_CONNECTIONS};
-}
-
-http {
- include /usr/local/openresty/nginx/conf/mime.types;
- default_type application/octet-stream;
- keepalive_timeout ${KEEPALIVE_TIMEOUT};
- sendfile on;
-
- # Openresty specific paths.
- client_body_temp_path /var/run/openresty/nginx-client-body;
- proxy_temp_path /var/run/openresty/nginx-proxy;
- fastcgi_temp_path /var/run/openresty/nginx-fastcgi;
- uwsgi_temp_path /var/run/openresty/nginx-uwsgi;
- scgi_temp_path /var/run/openresty/nginx-scgi;
-
- resolver DNS_SERVER valid=5s;
- # Load the specific files from /usr/local/openresty folder instead of /etc/nginx
- # Simplifies the usage of envsubst. Otherwise we need to two template output folders.
- include /usr/local/openresty/nginx/conf/conf.d/*.conf;
-}