Update project structure

.github/workflows/dockerimage.yml

@@ -22,7 +22,7 @@ jobs:
            -p "${{ secrets.dockerhub_token }}"
 
     - name: Build ${{ matrix.image }}
-      run: docker build src -f ${{ matrix.image }}/Dockerfile
+      run: docker build . -f ${{ matrix.image }}/Dockerfile
            --tag owasp/modsecurity-crs:${{ matrix.image }}
            --tag owasp/modsecurity-crs:$(echo ${{ matrix.image }} | sed 's/.*-//')
 

3.3-apache/Dockerfile

@@ -6,11 +6,10 @@ ARG COMMIT=v3.3/dev
 ARG BRANCH=v3.3/dev
 ARG REPO=SpiderLabs/owasp-modsecurity-crs
 
-ENV WEBSERVER=Apache \
-    PARANOIA=1 \
+ENV PARANOIA=1 \
     ANOMALY_INBOUND=5 \
     ANOMALY_OUTBOUND=4 \
-    TIMEOUT=60 \
+    APACHE_TIMEOUT=60 \
     LOGLEVEL=warn \
     ERRORLOG='/proc/self/fd/2' \
     USER=daemon \
@@ -23,9 +22,14 @@ ENV WEBSERVER=Apache \
     MODSEC_REQ_BODY_LIMIT=13107200 \
     MODSEC_REQ_BODY_NOFILES_LIMIT=131072 \
     MODSEC_RESP_BODY_ACCESS=on \
-    MODSEC_RESP_BODY_LIMIT=524288 \
-    MODSEC_PCRE_MATCH_LIMIT=1000 \
-    MODSEC_PCRE_MATCH_LIMIT_RECURSION=1000
+    MODSEC_RESP_BODY_LIMIT=1048576 \
+    MODSEC_PCRE_MATCH_LIMIT=100000 \
+    MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000
+
+COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/
+COPY src/opt/modsecurity/activate-rules.sh /opt/modsecurity/
+COPY 3.3-apache/conf/extra/*.conf /usr/local/apache2/conf/extra/
+COPY 3.3-apache/docker-entrypoint.sh /
 
 RUN apt-get update \
  && apt-get -y install \
@@ -40,17 +44,7 @@ RUN apt-get update \
  && git checkout ${COMMIT} \
  && mv -v crs-setup.conf.example crs-setup.conf \
  && ln -sv /opt/owasp-crs /etc/modsecurity.d/ \
- && echo 'Include /etc/modsecurity.d/owasp-crs/crs-setup.conf' > /etc/modsecurity.d/include.conf \
- && echo 'Include /etc/modsecurity.d/owasp-crs/rules/*.conf'  >> /etc/modsecurity.d/include.conf \
- && sed -i /etc/modsecurity.d/modsecurity.conf \
-      -e 's/SecRuleEngine DetectionOnly/SecRuleEngine On/g'
-
-COPY httpd-*.conf /usr/local/apache2/conf/extra/
-COPY modsecurity.conf /etc/modsecurity.d/
-COPY docker-entrypoint.sh /
-
-EXPOSE ${PORT}
-EXPOSE 443
+ && sed -i -E 's/(Listen) [0-9]+/\1 ${PORT}/g' /usr/local/apache2/conf/httpd.conf
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["apachectl", "-D", "FOREGROUND"]

3.3-apache/conf/extra/httpd-modsecurity.conf

@@ -0,0 +1,17 @@
+Timeout ${APACHE_TIMEOUT}
+LogLevel ${LOGLEVEL}
+ErrorLog ${ERRORLOG}
+ServerAdmin ${SERVERADMIN}
+
+<IfModule unixd_module>
+  User ${USER}
+  Group ${GROUP}
+</IfModule>
+
+<IfModule reqtimeout_module>
+  RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
+</IfModule>
+
+LoadModule security2_module /usr/local/apache2/modules/mod_security2.so
+
+Include /etc/modsecurity.d/setup.conf

3.3-apache/docker-entrypoint.sh

@@ -0,0 +1,5 @@
+#!/bin/bash -e
+
+source /opt/modsecurity/activate-rules.sh
+
+exec "$@"

3.3-nginx/Dockerfile

@@ -5,7 +5,6 @@ LABEL maintainer="Chaim Sanders <[email protected]>"
 ARG COMMIT=v3.3/dev
 ARG BRANCH=v3.3/dev
 ARG REPO=SpiderLabs/owasp-modsecurity-crs
-ENV WEBSERVER=Nginx
 ENV PARANOIA=1
 ENV ANOMALY_INBOUND=5
 ENV ANOMALY_OUTBOUND=4
@@ -28,7 +27,8 @@ RUN apt-get update \
  && sed -i /etc/modsecurity.d/modsecurity.conf \
       -e 's/SecRuleEngine DetectionOnly/SecRuleEngine On/g'
 
-COPY docker-entrypoint.sh /
+COPY 3.3-nginx/docker-entrypoint.sh /
+COPY src/opt/modsecurity/activate-rules.sh /opt/modsecurity/
 
 EXPOSE 80
 

3.3-nginx/docker-entrypoint.sh

@@ -0,0 +1,5 @@
+#!/bin/bash -e
+
+source /opt/modsecurity/activate-rules.sh
+
+exec "$@"

README.md

@@ -25,6 +25,10 @@ or
 docker build -t owasp/modsecurity-crs .
 docker run -p 80:80 -ti -e PARANOIA=4 -e PROXY=1 --rm owasp/modsecurity-crs
 ```
+
+## Apache
+The Apache webserver is configured via the `httpd-modsecurity.conf` file overriding directives from the base file.
+
 ## Environment Variables
 
 The following environment variables are available to configure the CRS container:
@@ -51,7 +55,7 @@ The following environment variables are available to configure the CRS container
 | TOTAL_ARG_LENGTH | An integer indicating the total_arg_length (Default: unlimited) |
 | MAX_FILE_SIZE | An integer indicating the max_file_size (Default: unlimited) |
 | COMBINED_FILE_SIZES | An integer indicating the combined_file_sizes (Default: unlimited) |
-| TIMEOUT | Apache integer value indicating the number of seconds before receiving and sending time out (Default: 60) |
+| APACHE_TIMEOUT | Apache integer value indicating the number of seconds before receiving and sending time out (Default: 60) |
 | LOGLEVEL | Apache string value controlling the number of messages logged to the error_log, Apache (Default: warn) |
 | ERRORLOG | Apache string value indicating the location of the error log file (Default: '/proc/self/fd/2') |
 | PORT | Apache integer value indicating the port where Apache is listening to (Default: 80) |
@@ -131,7 +135,7 @@ docker run -dti 80:80 --rm \
    -e MAX_FILE_SIZE=100000 \
    -e COMBINED_FILE_SIZES=1000000 \
    -e PROXY=1 \
-   -e TIMEOUT=60 \
+   -e APACHE_TIMEOUT=60 \
    -e LOGLEVEL=warn \
    -e ERRORLOG='/proc/self/fd/2' \
    -e USER=daemon \

src/etc/modsecurity.d/modsecurity-override.conf

@@ -0,0 +1,32 @@
+# Original of the latest recommended version:
+# https://github.com/SpiderLabs/ModSecurity/blob/v3/master/modsecurity.conf-recommended
+
+SecRuleEngine ${MODSEC_RULE_ENGINE}
+SecRequestBodyAccess ${MODSEC_REQ_BODY_ACCESS}
+
+SecRequestBodyLimit ${MODSEC_REQ_BODY_LIMIT}
+SecRequestBodyNoFilesLimit ${MODSEC_REQ_BODY_NOFILES_LIMIT}
+SecRequestBodyInMemoryLimit 131072
+SecRequestBodyLimitAction Reject
+
+SecPcreMatchLimit ${MODSEC_PCRE_MATCH_LIMIT}
+SecPcreMatchLimitRecursion ${MODSEC_PCRE_MATCH_LIMIT_RECURSION}
+
+SecResponseBodyAccess ${MODSEC_RESP_BODY_ACCESS}
+SecResponseBodyMimeType text/plain text/html text/xml
+SecResponseBodyLimit ${MODSEC_RESP_BODY_LIMIT}
+SecResponseBodyLimitAction ProcessPartial
+
+SecTmpDir /tmp/
+SecDataDir /tmp/
+
+SecAuditEngine RelevantOnly
+SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+SecAuditLogParts ABIJDEFHZ
+SecAuditLogType Serial
+SecAuditLog /var/log/modsec_audit.log
+
+SecArgumentSeparator &
+SecCookieFormat 0
+SecUnicodeMapFile unicode.mapping 20127
+SecStatusEngine On

src/etc/modsecurity.d/setup.conf

@@ -0,0 +1,8 @@
+# Allow custom rules to be specified in:
+# /opt/modsecurity/rules/{before,after}-crs/*.conf
+
+Include /etc/modsecurity.d/modsecurity.conf
+Include /etc/modsecurity.d/modsecurity-override.conf
+
+Include /etc/modsecurity.d/owasp-crs/crs-setup.conf
+Include /etc/modsecurity.d/owasp-crs/rules/*.conf

src/docker-entrypoint.sh → src/opt/modsecurity/activate-rules.sh

@@ -1,6 +1,4 @@
-#!/bin/bash
-
-set -e
+#!/bin/bash -e
 
 # Paranoia Level
 sed -z -E -i 's/#SecAction.{7}id:900000.*tx\.paranoia_level=1\"/SecAction \\\n  \"id:900000, \\\n   phase:1, \\\n   nolog, \\\n   pass, \\\n   t:none, \\\n   setvar:tx.paranoia_level='"$PARANOIA"'\"/' /etc/modsecurity.d/owasp-crs/crs-setup.conf 
@@ -81,19 +79,4 @@ fi
 # Block request if the total size of all combined uploaded files is too high
 if [ -n "$COMBINED_FILE_SIZES" ]; then
   sed -z -E -i 's/#SecAction.{6}id:900350.*tx\.combined_file_sizes=1048576\"/SecAction \\\n  \"id:900350, \\\n   phase:1, \\\n   nolog, \\\n   pass, \\\n   t:none, \\\n   setvar:tx.combined_file_sizes='"$COMBINED_FILE_SIZES"'\"/' /etc/modsecurity.d/owasp-crs/crs-setup.conf
-fi 
-
-if [ "$WEBSERVER" = "Apache" ]; then
-  if [ "$PROXY" = "1" ]; then
-    WEBSERVER_ARGUMENTS='-D crs_proxy'
-    if [ -z "$UPSTREAM" ]; then
-      UPSTREAM="$(/sbin/ip route | grep ^default | perl -pe 's/^.*?via ([\d.]+).*/$1/g'):81"
-      export UPSTREAM
-    fi
-  fi
-elif [ "$WEBSERVER" = "Nginx" ]; then
-  WEBSERVER_ARGUMENTS=''
 fi
-
-
-exec "$@" $WEBSERVER_ARGUMENTS