diff --git a/.github/workflows/buildimage.yml b/.github/workflows/buildimage.yml index 23fe49ac..d923539e 100644 --- a/.github/workflows/buildimage.yml +++ b/.github/workflows/buildimage.yml @@ -3,14 +3,16 @@ on: push: branches: - master +env: + DEFAULT_VERSION: 'v3.3.0' + DEFAULT_SERVER: 'apache' jobs: build: runs-on: ubuntu-latest strategy: matrix: - image: - - 3.3-apache - - 3.3-nginx + version: ['v3.3.0'] + server: ['apache', 'nginx'] steps: - uses: actions/checkout@v1 with: @@ -21,15 +23,14 @@ jobs: -u "${{ secrets.dockerhub_user }}" -p "${{ secrets.dockerhub_token }}" - - name: Build ${{ matrix.image }} - run: docker build . -f ${{ matrix.image }}/Dockerfile - --tag owasp/modsecurity-crs:${{ matrix.image }} - --tag owasp/modsecurity-crs:$(echo ${{ matrix.image }} | sed 's/.*-//') + - name: Build ${{ matrix.version }}-${{ matrix.server }} + run: make VERSIONS=${{ matrix.version }} SERVERS=${{ matrix.server }} - - name: Set default tag for ${{ matrix.image }} - if: endsWith(matrix.image, '-apache') - run: docker tag owasp/modsecurity-crs:${{ matrix.image }} - owasp/modsecurity-crs:$(echo ${{ matrix.image }} | sed 's/-.*//') + # As we build multiple versions now, we need one to be the default + - name: Set default tag for ${{ matrix.version }}-${{ matrix.server }} + if: matrix.server == env.DEFAULT_SERVER && matrix.version == env.DEFAULT_VERSION + run: docker tag owasp/modsecurity-crs:${{ matrix.version }}-${{ matrix.server }} + owasp/modsecurity-crs:${{ matrix.server }} - - name: Push ${{ matrix.image }} + - name: Push ${{ matrix.version }}-${{ matrix.server }} run: docker push owasp/modsecurity-crs diff --git a/.github/workflows/verifyimage.yml b/.github/workflows/verifyimage.yml index 6c20f727..c0a5df1d 100644 --- a/.github/workflows/verifyimage.yml +++ b/.github/workflows/verifyimage.yml 
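Review bot: The default-tag step's condition `matrix.server == env.DEFAULT_SERVER && matrix.version == env.DEFAULT_VERSION` is only ever true for the apache job, so the floating `owasp/modsecurity-crs:nginx` tag that the removed `--tag owasp/modsecurity-crs:$(echo ${{ matrix.image }} | sed 's/.*-//')` line used to publish is no longer pushed. If the comment's intent is one default tag per web server, drop the server half of the condition: `if: matrix.version == env.DEFAULT_VERSION`. `DEFAULT_VERSION` also has to be kept in step with the matrix (and with `VERSIONS` in the Makefile) by hand, so a version bump that misses one copy silently stops refreshing the default tag; at minimum the env block deserves `# must match the newest entry in matrix.version and Makefile VERSIONS`. While this job holds the Docker Hub push token, the unchanged `actions/checkout@v1` is a mutable major tag; pinning it to a commit SHA is cheap hardening for a release workflow.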
@@ -7,21 +7,21 @@ jobs: build: runs-on: ubuntu-latest strategy: + # Remember to match these with the buildimage.yml action matrix: - image: - - 3.3-apache - - 3.3-nginx + version: ['v3.3.0'] + server: ['apache', 'nginx'] steps: - uses: actions/checkout@v1 with: fetch-depth: 1 - - name: Build ${{ matrix.image }} - run: docker build . -f ${{ matrix.image }}/Dockerfile --tag test + - name: Build ${{ matrix.version }}-${{ matrix.server }} + run: make VERSIONS=${{ matrix.version }} SERVERS=${{ matrix.server }} TAG=test - - name: Run ${{ matrix.image }} - run: docker run -d --name ${{ matrix.image }} test + - name: Run ${{ matrix.version }}-${{ matrix.server }} + run: docker run -d --name ${{ matrix.version }}-${{ matrix.server }} test:${{ matrix.version }}-${{ matrix.server }} - - name: Verify ${{ matrix.image }} + - name: Verify ${{ matrix.version }}-${{ matrix.server }} run: | - [ $(docker inspect ${{ matrix.image }} --format='{{.State.Running}}') = 'true' ] + [ $(docker inspect ${{ matrix.version }}-${{ matrix.server }} --format='{{.State.Running}}') = 'true' ]
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..501a8be8
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+v*-{apache,nginx}/
diff --git a/Makefile b/Makefile
new file mode 100644
index 00000000..753c29e9
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,19 @@
+VERSIONS = v3.3.0
+SERVERS = apache nginx
+TAG = owasp/modsecurity-crs
+
+TARGETS = $(foreach server,$(SERVERS),$(foreach version,$(VERSIONS),$(addsuffix -$(server),$(version))))
+IMAGES = $(addprefix image/, $(TARGETS))
+
+.PHONY: clean
+
+all: $(TARGETS) $(IMAGES)
+
+v%: $(addsufix /Dockerfile, $(SERVERS))
+ ./src/release.sh "v$*"
+
+image/%: $(TARGETS)
+ docker build --tag $(TAG):$* -f $*/Dockerfile .
+
+clean:
+ rm -rfv v*
diff --git a/README.md b/README.md
index d304e73f..b35ea1ba 100644
--- a/README.md
+++ b/README.md
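Review bot: The rewritten `Verify` step still asserts only `.State.Running` immediately after `docker run -d`, so an entrypoint that takes a moment to fail on a broken rule include (exactly the part this refactor changes) can pass while the container is still starting. A short wait plus a real request through the WAF is a stronger gate, e.g. `sleep 5` before the inspect, followed by `docker exec ${{ matrix.version }}-${{ matrix.server }} curl -fsS http://localhost/` (curl is installed in both images by this change; confirm the default listen port before relying on it). The `# Remember to match these with the buildimage.yml action` comment now means three hand-maintained copies of the matrix, since `VERSIONS` in the Makefile is the third; the comment should at least name the Makefile as well.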
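Review bot: `v*-{apache,nginx}/` will not ignore the generated `v3.3.0-apache/` directories: gitignore patterns use fnmatch-style wildcards with no brace expansion, so `{apache,nginx}` only matches those literal characters. Use two lines, `v*-apache/` and `v*-nginx/`, or the broader `v*-*/` if more server names are expected. Otherwise every `make` run leaves untracked directories in `git status` that can be committed by accident.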
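Review bot: `$(addsufix /Dockerfile, $(SERVERS))` in the `v%` rule is a typo for `addsuffix`, and GNU make expands an unknown function name to an empty string without any warning, so the generated directories never depend on `apache/Dockerfile` or `nginx/Dockerfile` and editing a template will not re-run `src/release.sh`; an existing `v3.3.0-apache/` directory from an earlier run then satisfies the rule forever until `make clean`. The fix is `v%: $(addsuffix /Dockerfile, $(SERVERS))`. Separately, `image/%: $(TARGETS)` makes every image depend on every generated directory, where `image/%: %` would name just the one the stem refers to. Recipe lines must start with a tab, which this listing cannot show.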
@@ -2,17 +2,17 @@ [![dockeri.co](http://dockeri.co/image/owasp/modsecurity-crs)](https://hub.docker.com/r/owasp/modsecurity-crs/) -[![Build Status](https://img.shields.io/endpoint.svg?url=https%3A%2F%2Factions-badge.atrox.dev%2FCRS-support%2Fmodsecurity-crs-docker%2Fbadge%3Fref%3Dmaster&style=flat)](https://actions-badge.atrox.dev/CRS-support/modsecurity-crs-docker/goto?ref=master -) [![GitHub issues](https://img.shields.io/github/issues-raw/CRS-support/modsecurity-crs-docker.svg)](https://github.com/CRS-support/modsecurity-crs-docker/issues -) [![GitHub PRs](https://img.shields.io/github/issues-pr-raw/CRS-support/modsecurity-crs-docker.svg)](https://github.com/CRS-support/modsecurity-crs-docker/pulls -) [![License](https://img.shields.io/github/license/CRS-support/modsecurity-crs-docker.svg)](https://github.com/CRS-support/modsecurity-crs-docker/blob/master/LICENSE) +[![Build Status](https://img.shields.io/endpoint.svg?url=https%3A%2F%2Factions-badge.atrox.dev%2Fcoreruleset%2Fmodsecurity-crs-docker%2Fbadge%3Fref%3Dmaster&style=flat)](https://actions-badge.atrox.dev/coreruleset/modsecurity-crs-docker/goto?ref=master +) [![GitHub issues](https://img.shields.io/github/issues-raw/coreruleset/modsecurity-crs-docker.svg)](https://github.com/coreruleset/modsecurity-crs-docker/issues +) [![GitHub PRs](https://img.shields.io/github/issues-pr-raw/coreruleset/modsecurity-crs-docker.svg)](https://github.com/coreruleset/modsecurity-crs-docker/pulls +) [![License](https://img.shields.io/github/license/coreruleset/modsecurity-crs-docker.svg)](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/LICENSE) ## What is the Core Rule Set The Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. -## Example +## Examples ``` docker build -t owasp/modsecurity-crs . 
@@ -26,6 +26,38 @@ docker build -t owasp/modsecurity-crs . docker run -p 80:80 -ti -e PARANOIA=4 -e PROXY=1 --rm owasp/modsecurity-crs ``` +## Building + +Image building requires `make`, or you can do the same by calling the `src/release.sh` helper with the version release you want and the web server, e.g: + +```bash +$ ./src/release.sh "v3.3.0-apache" +$ docker build --tag owasp/modsecurity-crs:v3.3.0-apache -f v3.3.0-apache/Dockerfile . +``` + +If you call `make` without arguments, will build all releases and web server combinations. + +Or use `make VERSIONS=v3.3.0-rc1` and it will get the proper release and build the container. + +You can also add your local tag, or override the build: + +```bash +make VERSIONS=v3.3.0 SERVERS=nginx TAG=mytag +``` + +## CRS Versions + +> Hey, I used some specific git version with the containers? What happened? + +You can achieve the same results just by getting any version you want, and using docker volumes. See this example: + +```bash +$ git clone https://github.com/coreruleset/coreruleset.git myrules +$ cd myrules +$ git checkout ac2a0d1 +$ docker run -p 80:80 -ti -e PARANOIA=4 -v ./rules:/opt/owasp-crs/rules:ro --rm owasp/modsecurity-crs +``` + ## Apache The Apache webserver is configured via the `httpd-modsecurity.conf` file overriding directives from the base file. diff --git a/3.3-apache/Dockerfile b/apache/Dockerfile similarity index 64% rename from 3.3-apache/Dockerfile rename to apache/Dockerfile index ebe8e3f3..a3c09216 100644 --- a/3.3-apache/Dockerfile +++ b/apache/Dockerfile @@ -2,9 +2,7 @@ FROM owasp/modsecurity:2 LABEL maintainer="Chaim Sanders " -ARG COMMIT=v3.3/dev -ARG BRANCH=v3.3/dev -ARG REPO=coreruleset/coreruleset +ARG RELEASE=%%RELEASE%% ENV PARANOIA=1 \ ANOMALY_INBOUND=5 \ 
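Review bot: `ARG RELEASE=%%RELEASE%%` makes the sed placeholder a valid default, so anyone building `apache/Dockerfile` directly instead of through `make` or `src/release.sh` gets a fetch of `.../archive/%%RELEASE%%.tar.gz` (in the next hunk) that fails only when tar rejects the 404 body, with nothing indicating the file is a template. A guard right after the ARG makes the contract explicit: `RUN test "${RELEASE}" != "%%RELEASE%%" || { echo "apache/Dockerfile is a template; build via make or src/release.sh" >&2; exit 1; }`. Replacing the `COMMIT`/`BRANCH`/`REPO` build args with a single tag name also removes the ability to pin an exact commit or build from a fork, which the README's new Building section should say.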
@@ -28,23 +26,25 @@ ENV PARANOIA=1 \ COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/ COPY src/opt/modsecurity/activate-rules.sh /opt/modsecurity/ -COPY 3.3-apache/conf/extra/*.conf /usr/local/apache2/conf/extra/ -COPY 3.3-apache/docker-entrypoint.sh / +COPY apache/conf/extra/*.conf /usr/local/apache2/conf/extra/ +COPY apache/docker-entrypoint.sh / +# Change default shell to bash +SHELL ["/bin/bash", "-o", "pipefail", "-c"] + +# hadolint ignore=DL3008,SC2016 RUN apt-get update \ - && apt-get -y install \ + && apt-get -y install --no-install-recommends \ ca-certificates \ - git \ + curl \ iproute2 \ && mkdir /opt/owasp-crs \ - && cd /opt/owasp-crs \ - && git init \ - && git remote add origin https://github.com/${REPO} \ - && git fetch --depth 1 origin ${BRANCH} \ - && git checkout ${COMMIT} \ - && mv -v crs-setup.conf.example crs-setup.conf \ + && curl -SL https://github.com/coreruleset/coreruleset/archive/${RELEASE}.tar.gz \ + | tar -zxf - --strip-components=1 -C /opt/owasp-crs \ + && mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf \ && ln -sv /opt/owasp-crs /etc/modsecurity.d/ \ - && sed -i -E 's/(Listen) [0-9]+/\1 ${PORT}/g' /usr/local/apache2/conf/httpd.conf + && sed -i -E 's/(Listen) [0-9]+/\1 ${PORT}/g' /usr/local/apache2/conf/httpd.conf \ + && rm -rf /var/lib/apt/lists/* ENTRYPOINT ["/docker-entrypoint.sh"] CMD ["apachectl", "-D", "FOREGROUND"] diff --git a/3.3-apache/conf/extra/httpd-logging-after-modsec.conf b/apache/conf/extra/httpd-logging-after-modsec.conf similarity index 100% rename from 3.3-apache/conf/extra/httpd-logging-after-modsec.conf rename to apache/conf/extra/httpd-logging-after-modsec.conf diff --git a/3.3-apache/conf/extra/httpd-logging-before-modsec.conf b/apache/conf/extra/httpd-logging-before-modsec.conf similarity index 100% rename from 3.3-apache/conf/extra/httpd-logging-before-modsec.conf rename to apache/conf/extra/httpd-logging-before-modsec.conf 
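Review bot: The new `curl -SL .../archive/${RELEASE}.tar.gz | tar -zxf -` line downloads the rule set with no integrity check, and because `--fail` is missing an HTTP error page is piped straight into tar, so the only signal of a bad `RELEASE` is a gzip error. The removed `git checkout ${COMMIT}` path could at least pin an immutable commit, whereas a git tag can be moved and GitHub's on-the-fly archive tarballs are not published release artefacts. Download to a file with `--fail`, verify a SHA-256 supplied as a build arg, and extract only after the check passes; `release.sh` can fill the checksum the same way it fills `RELEASE`. The rest of the RUN chain (apt-get install, `crs-setup.conf` rename, symlink, `Listen` sed, apt list cleanup) is unchanged.
```dockerfile
ARG RELEASE=%%RELEASE%%
ARG RELEASE_SHA256=%%RELEASE_SHA256%%
# … unchanged: ENV, COPY, SHELL …
RUN apt-get update \
    && apt-get -y install --no-install-recommends \
        ca-certificates \
        curl \
        iproute2 \
    && mkdir /opt/owasp-crs \
    && curl -fsSL -o /tmp/crs.tar.gz "https://github.com/coreruleset/coreruleset/archive/${RELEASE}.tar.gz" \
    && echo "${RELEASE_SHA256}  /tmp/crs.tar.gz" | sha256sum -c - \
    && tar -zxf /tmp/crs.tar.gz --strip-components=1 -C /opt/owasp-crs \
    && rm -f /tmp/crs.tar.gz \
    # … unchanged: crs-setup.conf rename, symlink, Listen sed, apt cleanup …
```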
diff --git a/3.3-apache/conf/extra/httpd-modsecurity.conf b/apache/conf/extra/httpd-modsecurity.conf similarity index 100% rename from 3.3-apache/conf/extra/httpd-modsecurity.conf rename to apache/conf/extra/httpd-modsecurity.conf diff --git a/3.3-apache/docker-entrypoint.sh b/apache/docker-entrypoint.sh similarity index 100% rename from 3.3-apache/docker-entrypoint.sh rename to apache/docker-entrypoint.sh diff --git a/3.3-nginx/Dockerfile b/nginx/Dockerfile similarity index 61% rename from 3.3-nginx/Dockerfile rename to nginx/Dockerfile index 4aefe9ae..35417999 100644 --- a/3.3-nginx/Dockerfile +++ b/nginx/Dockerfile @@ -2,9 +2,7 @@ FROM owasp/modsecurity:3 LABEL maintainer="Chaim Sanders " -ARG COMMIT=v3.3/dev -ARG BRANCH=v3.3/dev -ARG REPO=coreruleset/coreruleset +ARG RELEASE=%%RELEASE%% ENV PARANOIA=1 \ ANOMALY_INBOUND=5 \ 
@@ -25,25 +23,26 @@ ENV PARANOIA=1 \ MODSEC_PCRE_MATCH_LIMIT=100000 \ MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 -COPY 3.3-nginx/docker-entrypoint.sh / -COPY 3.3-nginx/nginx.conf /etc/nginx/nginx.conf COPY src/opt/modsecurity/activate-rules.sh /opt/modsecurity/ COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/ +COPY nginx/docker-entrypoint.sh / +COPY nginx/nginx.conf /etc/nginx/nginx.conf +# Change default shell to bash +SHELL ["/bin/bash", "-o", "pipefail", "-c"] + +# hadolint ignore=DL3008,SC2016 RUN apt-get update \ - && apt-get -y install \ + && apt-get -y install --no-install-recommends \ ca-certificates \ - git \ + curl \ iproute2 \ - moreutils \ && mkdir /opt/owasp-crs \ - && cd /opt/owasp-crs \ - && git init \ - && git remote add origin https://github.com/${REPO} \ - && git fetch --depth 1 origin ${BRANCH} \ - && git checkout ${COMMIT} \ - && mv -v crs-setup.conf.example crs-setup.conf \ - && ln -sv /opt/owasp-crs /etc/modsecurity.d/ + && curl -SL https://github.com/coreruleset/coreruleset/archive/${RELEASE}.tar.gz \ + | tar -zxf - --strip-components=1 -C /opt/owasp-crs \ + && mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf \ + && ln -sv /opt/owasp-crs /etc/modsecurity.d/ \ + && rm -rf /var/lib/apt/lists/* ENTRYPOINT ["/docker-entrypoint.sh"] CMD ["nginx", "-g", "daemon off;"] diff --git a/3.3-nginx/docker-entrypoint.sh b/nginx/docker-entrypoint.sh similarity index 100% rename from 3.3-nginx/docker-entrypoint.sh rename to nginx/docker-entrypoint.sh diff --git a/3.3-nginx/nginx.conf b/nginx/nginx.conf similarity index 100% rename from 3.3-nginx/nginx.conf rename to nginx/nginx.conf diff --git a/src/release.sh b/src/release.sh new file mode 100755 index 00000000..077ca8a4 --- /dev/null +++ b/src/release.sh 
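Review bot: This RUN has the same unverified `curl -SL … | tar -zxf -` fetch as the apache image and should get the same `--fail` plus SHA-256 treatment so both images pin identical bytes. Specific to this hunk, `moreutils` is dropped from the apt-get install list while `nginx/docker-entrypoint.sh` is only renamed (100% similarity); if that script still calls `sponge` or another moreutils tool, the image builds cleanly and fails at runtime, and `verifyimage.yml` only checks `.State.Running` right after start, so this may not be caught by CI. Please confirm the entrypoint's dependencies before merging, or leave `moreutils \` in the list.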
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# Release will use master branch as stable
+
+set -e
+
+target="$1"
+
+if [ -z "$target" ]; then
+ echo "usage: $0 vX.Y-(apache|nginx)" >&2
+ exit 1
+fi
+
+# relases might be release candidates, which are named with '-rcX'
+release="${target%-*}"
+server="${target#*-}"
+server_no_rc="${server#*-}"
+
+cd "$(dirname "$0")/.."
+mkdir -p "${target}"
+
+
+sed -e "s,%%RELEASE%%,${release},g" \
+ "${server_no_rc}/Dockerfile" > "${target}/Dockerfile"
+
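Review bot: `target` is split with `${target%-*}` / `${target#*-}` and then used unvalidated as a directory in `mkdir -p "${target}"`, as the path `"${server_no_rc}/Dockerfile"`, and as replacement text inside the sed expression `s,%%RELEASE%%,${release},g`, so an argument without a server suffix, or one containing `,` or `/`, either dies with an opaque sed error after the directory has already been created or writes outside the intended `vX.Y-server/` layout. Since the usage line already promises `vX.Y-(apache|nginx)`, check that shape right after the empty-argument test and before any side effect; `set -e` does not cover this, and the `#!/bin/bash` shebang makes `[[ =~ ]]` available. Smaller points: "relases" in the comment should read "releases", and `set -u` would catch a mistyped variable name in the sed line.
```bash
fi

# Fail fast on anything that is not "<version tag>-<known server>": the pieces
# are used as directory names and inside a sed expression below.
if [[ ! "$target" =~ ^v[0-9]+(\.[0-9]+){1,2}(-rc[0-9]+)?-(apache|nginx)$ ]]; then
  echo "invalid target '${target}', expected vX.Y[.Z][-rcN]-(apache|nginx)" >&2
  exit 1
fi

# … unchanged: release/server parsing, cd, mkdir, sed …
```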