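# Build stage: downloads and signature-checks the OWASP Core Rule Set (CRS).
# Only /opt/owasp-crs is carried into the final image; curl/gnupg stay here.
# NOTE(review): the base tag is floating; pin a specific tag or digest
# (owasp/modsecurity:nginx@sha256:<digest-placeholder>) for reproducible builds.
FROM owasp/modsecurity:nginx AS release
# CRS version to fetch, without the leading "v" (e.g. --build-arg RELEASE=<x.y.z>).
# No default: the build fails on the unset-variable check below if it is omitted.
ARG RELEASE
# --fail makes curl exit non-zero on an HTTP error (e.g. an unknown RELEASE)
# instead of saving the error page as the tarball; set -e then aborts the build.
# gpg --verify returns non-zero on a bad or missing signature, which aborts the
# build under set -e. It accepts a signature from any key in the keyring, so the
# trust anchor is the HTTPS fetch of security.asc; consider comparing the fetched
# key's fingerprint (gpg --fingerprint) against the value published by the CRS
# project (<expected-fingerprint-placeholder>) before trusting it.
# The .asc is the detached signature published for the release asset; it is
# checked here against the auto-generated archive tarball — presumably both
# are byte-identical for CRS releases, verify if this ever starts failing.
# hadolint ignore=DL3008,SC2016
RUN set -eux; \
    apt-get update; \
    apt-get -y install --no-install-recommends \
        ca-certificates \
        curl \
        gnupg; \
    mkdir /opt/owasp-crs; \
    curl -fSL https://github.com/coreruleset/coreruleset/archive/v${RELEASE}.tar.gz -o v${RELEASE}.tar.gz; \
    curl -fSL https://github.com/coreruleset/coreruleset/releases/download/v${RELEASE}/coreruleset-${RELEASE}.tar.gz.asc -o coreruleset-${RELEASE}.tar.gz.asc; \
    gpg --fetch-key https://coreruleset.org/security.asc; \
    gpg --verify coreruleset-${RELEASE}.tar.gz.asc v${RELEASE}.tar.gz; \
    # --strip-components=1 drops the coreruleset-<version>/ top-level directory
    tar -zxf v${RELEASE}.tar.gz --strip-components=1 -C /opt/owasp-crs; \
    rm -f v${RELEASE}.tar.gz coreruleset-${RELEASE}.tar.gz.asc; \
    # ship the example setup as the active crs-setup.conf
    mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf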
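# Runtime stage: the stock owasp/modsecurity nginx image plus the verified CRS
# and this project's templates/entrypoint hooks.
# NOTE(review): floating tag, same as the release stage; pin by digest for
# reproducible builds.
FROM owasp/modsecurity:nginx
LABEL maintainer="Felipe Zipitria <[email protected]>"
# Runtime defaults; every value can be overridden with `docker run -e ...`.
# They are consumed by the templates copied below (not by this Dockerfile), so
# the meaning of each name should be confirmed against those templates.
# - PARANOIA / BLOCKING_PARANOIA / ANOMALY_INBOUND / ANOMALY_OUTBOUND: CRS
#   detection/blocking levels and anomaly-score thresholds.
# - USER / PORT / SERVERNAME / WORKER_CONNECTIONS / NGINX_KEEPALIVE_TIMEOUT /
#   ERRORLOG / LOGLEVEL: nginx settings. USER is an environment variable, not a
#   Dockerfile USER instruction — the container still starts as root (needed to
#   bind PORT=80); presumably the template passes it to nginx's `user` directive.
# - MODSEC_DEFAULT_PHASE{1,2}_ACTION: "\$" keeps ${MODSEC_TAG} literal so Docker
#   does not expand it at build time; it is left for the template/ModSecurity.
# - MODSEC_*_LIMIT: request/response body and PCRE limits, in bytes/iterations.
# SERVERNAME previously read "locahost" (typo); corrected to "localhost".
ENV PARANOIA=1 \
    ANOMALY_INBOUND=5 \
    ANOMALY_OUTBOUND=4 \
    BLOCKING_PARANOIA=1 \
    NGINX_KEEPALIVE_TIMEOUT=60s \
    ERRORLOG=/var/log/nginx/error.log \
    LOGLEVEL=warn \
    USER=nginx \
    PORT=80 \
    SERVERNAME=localhost \
    WORKER_CONNECTIONS=1024 \
    MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \
    MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \
    MODSEC_RULE_ENGINE=on \
    MODSEC_REQ_BODY_ACCESS=on \
    MODSEC_REQ_BODY_LIMIT=13107200 \
    MODSEC_REQ_BODY_NOFILES_LIMIT=131072 \
    MODSEC_RESP_BODY_ACCESS=on \
    MODSEC_RESP_BODY_LIMIT=1048576 \
    MODSEC_PCRE_MATCH_LIMIT=100000 \
    MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000
# We use the templating mechanism from the nginx image here,
# as set up by owasp/modsecurity-docker: *.template files under
# /etc/nginx/templates are rendered with the ENV values above at container start.
COPY nginx/templates /etc/nginx/templates/
COPY src/etc/modsecurity.d/setup.conf /etc/nginx/templates/modsecurity.d/setup.conf.template
# Entrypoint hooks run in lexical order; 95-activate-rules.sh runs after the
# nginx image's own scripts.
COPY nginx/docker-entrypoint.d/*.sh /docker-entrypoint.d/
COPY src/opt/modsecurity/activate-rules.sh /docker-entrypoint.d/95-activate-rules.sh
# Only the verified rule set crosses from the build stage.
COPY --from=release /opt/owasp-crs /opt/owasp-crs
# Exposes the rules as /etc/modsecurity.d/owasp-crs (symlink), the path the
# ModSecurity setup presumably includes.
RUN set -eux; ln -sv /opt/owasp-crs /etc/modsecurity.d/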