diff --git a/.github/workflows/buildimage.yml b/.github/workflows/buildimage.yml
index d88c1f2e..46b4ab65 100644
--- a/.github/workflows/buildimage.yml
+++ b/.github/workflows/buildimage.yml
@@ -2,34 +2,48 @@ name: Build images for Docker Hub on: push: branches: - - master + - master schedule: - - cron: '0 12 * * MON' # Run every Monday + - cron: "0 12 * * TUE" # Run every Tuesday (base run on Monday) + jobs: build: runs-on: ubuntu-latest strategy: matrix: - version: ['v3.3.2'] - server: ['apache', 'nginx'] + crs-version: + - "3.3.2" + image: + - apache + - nginx + variant: + - "" + - "-alpine" steps: - - uses: actions/checkout@v1 - with: - fetch-depth: 1 - - - name: Log in to Docker Hub - run: docker login - -u "${{ secrets.dockerhub_user }}" - -p "${{ secrets.dockerhub_token }}" + - name: Checkout + uses: actions/checkout@v2 + with: + fetch-depth: 1 - - name: Build ${{ matrix.version }}-${{ matrix.server }} - run: make VERSIONS=${{ matrix.version }} SERVERS=${{ matrix.server }} + # https://github.com/docker/setup-qemu-action + - name: Set up QEMU + uses: docker/setup-qemu-action@v1 - # As we build multiple versions now, we need one to be the default - - name: Set default tag for ${{ matrix.version }}-${{ matrix.server }} - run: docker tag owasp/modsecurity-crs:${{ matrix.version }}-${{ matrix.server }} - owasp/modsecurity-crs:${{ matrix.server }} + # https://github.com/docker/setup-buildx-action + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + with: + driver-opts: image=moby/buildkit:master - - name: Push ${{ matrix.version }}-${{ matrix.server }} - run: docker push --all-tags owasp/modsecurity-crs + - name: Login to DockerHub + uses: docker/login-action@v1 + with: + username: ${{ secrets.dockerhub_user }} + password: ${{ secrets.dockerhub_token }} + - name: Build and push ${{ matrix.crs-version }}-${{ matrix.image }}${{ matrix.variant }} + uses: docker/bake-action@v1.5.0 + with: + targets: ${{ matrix.image }}${{ matrix.variant }} + files: docker-bake.hcl + push: true diff --git a/.github/workflows/verifyimage.yml b/.github/workflows/verifyimage.yml index 3d2c4c65..9f448372 100644 --- a/.github/workflows/verifyimage.yml 
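Review bot: The Buildx step's `driver-opts: image=moby/buildkit:master` makes the builder that holds the Docker Hub login and pushes the release images run on an unversioned, floating BuildKit image, so each scheduled run can pick up a different, untested builder; verifyimage.yml carries the same line. Prefer the action's default BuildKit, or pin it explicitly with `driver-opts: image=moby/buildkit:<released tag>`. Separately, `matrix.crs-version` is only interpolated into the step name here, while the version actually fetched and tagged comes from the `crs-version` default in docker-bake.hcl, so the two values can drift silently; consider dropping it from the matrix or making the bake variable the single source for both (the verifyimage.yml matrix has the same lookalike, where it also forms the test tag). Pinning `actions/checkout`, `setup-qemu-action`, `setup-buildx-action` and `login-action` to commit SHAs rather than `@v1`/`@v2` would round this out, since this job is the one with push credentials.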
+++ b/.github/workflows/verifyimage.yml 
@@ -1,30 +1,56 @@ +--- name: Verify Images on: pull_request: branches: - - master + - master jobs: build: runs-on: ubuntu-latest strategy: - # Remember to match these with the buildimage.yml action matrix: - version: ['v3.3.2'] - server: ['apache', 'nginx'] + crs-version: + - "3.3.2" + image: + - apache + - nginx + variant: + - "" + - "-alpine" + platform: + - linux/amd64 steps: - - uses: actions/checkout@v1 - with: - fetch-depth: 1 + - name: Checkout + uses: actions/checkout@v2 + with: + fetch-depth: 1 - - name: Build ${{ matrix.version }}-${{ matrix.server }} - run: make VERSIONS=${{ matrix.version }} SERVERS=${{ matrix.server }} TAG=test + # https://github.com/docker/setup-qemu-action + - name: Set up QEMU + uses: docker/setup-qemu-action@v1 - - name: Run ${{ matrix.version }}-${{ matrix.server }} - run: | - docker run -d --name ${{ matrix.version }}-${{ matrix.server }} test:${{ matrix.version }}-${{ matrix.server }} - docker logs --details ${{ matrix.version }}-${{ matrix.server }} + # https://github.com/docker/setup-buildx-action + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + with: + driver-opts: image=moby/buildkit:master - - name: Verify ${{ matrix.version }}-${{ matrix.server }} - run: | - docker inspect ${{ matrix.version }}-${{ matrix.server }} - [ $(docker inspect ${{ matrix.version }}-${{ matrix.server }} --format='{{.State.Running}}') = 'true' ] + - name: Build ${{ matrix.crs-version }}-${{ matrix.image }}${{ matrix.variant }} + uses: docker/bake-action@v1.5.0 + with: + files: docker-bake.hcl + targets: ${{ matrix.image }}${{ matrix.variant }} + set: | + "${{ matrix.image }}${{ matrix.variant }}.tags=${{ matrix.crs-version }}-${{ matrix.image }}${{ matrix.variant }}-test" + "${{ matrix.image }}${{ matrix.variant }}.platform=${{ matrix.platform }}" + load: true + push: false + + - name: Run ${{ matrix.image }}${{ matrix.variant }} + run: | + docker run -d --name ${{ matrix.crs-version }}-${{ matrix.image }}${{ matrix.variant 
}}-test ${{ matrix.crs-version }}-${{ matrix.image }}${{ matrix.variant }}-test + docker logs ${{ matrix.crs-version }}-${{ matrix.image }}${{ matrix.variant }}-test + + - name: Verify ${{ matrix.crs-version }}-${{ matrix.image }}${{ matrix.variant }} + run: | + [ $(docker inspect ${{ matrix.crs-version }}-${{ matrix.image }}${{ matrix.variant }}-test --format='{{.State.Running}}') = 'true' ] diff --git a/Makefile b/Makefile deleted file mode 100644 index cce428b0..00000000 --- a/Makefile +++ /dev/null @@ -1,19 +0,0 @@ -VERSIONS = v3.3.2 -SERVERS = apache nginx -TAG = owasp/modsecurity-crs - -TARGETS = $(foreach server,$(SERVERS),$(foreach version,$(VERSIONS),$(addsuffix -$(server),$(version)))) -IMAGES = $(addprefix image/, $(TARGETS)) - -.PHONY: clean - -all: $(TARGETS) $(IMAGES) - -v%: $(addsuffix /Dockerfile, $(SERVERS)) - ./src/release.sh "v$*" - -image/%: $(TARGETS) - docker build --tag $(TAG):$* -f $*/Dockerfile . - -clean: - rm -rfv v* diff --git a/README.md b/README.md index fe6bf126..62db87d4 100644 --- a/README.md +++ b/README.md 
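Review bot: The Verify step only asserts `.State.Running` right after `docker run -d`, so a container whose entrypoint fails a moment later (for example an activate-rules.sh `sed` error under `sh -e`) can still pass; and only `linux/amd64` is in the `platform` matrix, while docker-bake.hcl builds and buildimage.yml pushes `linux/arm64/v8`, `linux/arm/v7` and `linux/i386` images that are never started at all. A short settle time plus an HTTP probe would make the check meaningful: publish the port in the Run step (`-p 8080:80`), then in Verify run `sleep 5` before `curl -fsS -o /dev/null http://localhost:8080/` alongside the existing inspect. Adding the other bake platforms to the matrix (they should be startable through the QEMU step already set up here, if slowly) would at least exercise image start-up per architecture before the weekly push.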
@@ -14,26 +14,25 @@ ModSecurity is an open source, cross platform web application firewall (WAF) eng ## Supported tags and respective `Dockerfile` links -* `3.3.2-nginx`, `nginx` ([master/nginx/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)) – *last stable ModSecurity v3 on Nginx 1.20 official stable base image, and latest stable Core Rule Set 3.3.2 * -* `3.3.2-apache`, `apache` ([master/apache/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)) – *last stable ModSecurity v2 on Apache 2.4 official stable base image, and latest stable Core Rule Set 3.3.2 * +* `3-nginx`, `3.3-nginx`, `3.3.2-nginx`, `nginx` ([master/nginx/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)) – *last stable ModSecurity v3 on Nginx 1.20 official stable base image, and latest stable Core Rule Set 3.3.2 * +* `3-apache`, `3.3-apache`, `3.3.2-apache`, `apache` ([master/apache/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)) –*last stable ModSecurity v2 on Apache 2.4 official stable base image, and latest stable Core Rule Set 3.3.2 * -## Building +## Supported variants -Image building requires `make`, or you can do the same by calling the `src/release.sh` helper with the version release you want and the web server, e.g: +We have support for [alpine linux](https://www.alpinelinux.org/) variants of the base images. Just add `-alpine` and you will get it. Examples: -```bash -$ ./src/release.sh "v3.3.2-apache" -$ docker build --tag owasp/modsecurity-crs:v3.3.2-apache -f v3.3.2-apache/Dockerfile . 
-``` +* `3-nginx-alpine`, `3.3-nginx-alpine`, `3.3.2-nginx-alpine`, `nginx-alpine` ([master/nginx/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine) – *last stable ModSecurity v3 on Nginx 1.20 official alpine stable base image, and latest stable Core Rule Set 3.3.2 * +* `3-apache-alpine`, `3.3-apache-alpine`, `3.3.2-apache-alpine`, `apache-alpine` ([master/apache/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine)) – *last stable ModSecurity v2 on Apache 2.4 official alpine stable base image, and latest stable Core Rule Set 3.3.2 * -If you call `make` without arguments, will build all releases and web server combinations. +## Supported architectures -Or use `make VERSIONS=v3.3.3-rc1` and it will get the proper release and build the container. +We added the [docker buildx](https://github.com/docker/buildx) support to our docker builds so additional architectures are supported now. As we create our containers based on the official apache and nginx ones, we can only support the architectures they support. -You can also add your local tag, or override the build: +There is a new file `docker-bake.hcl` used for this purpose. To build for new platforms, just use this example: ```bash -make VERSIONS=v3.3.2 SERVERS=nginx TAG=mytag +$ docker buildx use $(docker buildx create --platform linux/amd64,linux/arm64,linux/arm/v8) +$ docker buildx bake -f docker-bake.hcl ``` ## CRS Versions @@ -50,6 +49,7 @@ $ docker run -p 80:80 -ti -e PARANOIA=4 -v ./rules:/opt/owasp-crs/rules:ro --rm ``` ## Apache + The Apache webserver is configured via the `httpd-modsecurity.conf` file overriding directives from the base file. ## Environment Variables 
@@ -120,7 +120,7 @@ docker run -dti --rm \ -p 80:80 \ -v /path/to/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf:/etc/modsecurity.d/owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf \ -v /path/to/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf:/etc/modsecurity.d/owasp-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf \ - owasp/modsecurity-crs + owasp/modsecurity-crs:apache ``` ### Copy ModSecurity tuning file into created container @@ -130,7 +130,7 @@ This example can be helpful when no volume mounts are possible (some CI pipeline ``` docker create -ti --name modseccrs \ -p 80:80 \ - owasp/modsecurity-crs + owasp/modsecurity-crs:apache docker cp /path/to/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf \ modseccrs:/etc/modsecurity.d/owasp-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf @@ -178,5 +178,5 @@ docker run -dti 80:80 --rm \ -e MODSEC_PCRE_MATCH_LIMIT=1000 \ -e MODSEC_PCRE_MATCH_LIMIT_RECURSION=1000 \ -e VALIDATE_UTF8_ENCODING=1 - owasp/modsecurity-crs + owasp/modsecurity-crs:apache ``` diff --git a/apache/Dockerfile b/apache/Dockerfile index 3be15f53..75036817 100644 --- a/apache/Dockerfile +++ b/apache/Dockerfile @@ -1,8 +1,8 @@ -FROM owasp/modsecurity:2 +FROM owasp/modsecurity:apache -LABEL maintainer="Chaim Sanders " +LABEL maintainer="Felipe Zipitria " -ARG RELEASE=%%RELEASE%% +ARG RELEASE ENV PARANOIA=1 \ ANOMALY_INBOUND=5 \ 
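Review bot: `ARG RELEASE` now has no default, so a plain `docker build -f apache/Dockerfile .` expands the download URL in the RUN step to `archive/v.tar.gz`; nginx/Dockerfile and both new Dockerfile-alpine files have the same form. Since the value is only supplied by docker-bake.hcl, a comment saying so would spare the next person a confusing build failure, e.g. `# CRS release to fetch (no leading "v"); supplied by docker-bake.hcl, intentionally no default`. The `FROM` line moves from `:2` to `:apache`, both floating tags; that suits a weekly rebuild, but a digest pin (`owasp/modsecurity:apache@sha256:<digest>`) would make each scheduled push reproducible from the commit alone.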
@@ -31,22 +31,20 @@ COPY src/opt/modsecurity/activate-rules.sh /opt/modsecurity/ COPY apache/conf/extra/*.conf /usr/local/apache2/conf/extra/ COPY apache/docker-entrypoint.sh / -# Change default shell to bash -SHELL ["/bin/bash", "-o", "pipefail", "-c"] - # hadolint ignore=DL3008,SC2016 -RUN apt-get update \ - && apt-get -y install --no-install-recommends \ - ca-certificates \ - curl \ - iproute2 \ - && mkdir /opt/owasp-crs \ - && curl -SL https://github.com/coreruleset/coreruleset/archive/${RELEASE}.tar.gz \ - | tar -zxf - --strip-components=1 -C /opt/owasp-crs \ - && mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf \ - && ln -sv /opt/owasp-crs /etc/modsecurity.d/ \ - && sed -i -E 's/(Listen) [0-9]+/\1 ${PORT}/g' /usr/local/apache2/conf/httpd.conf \ - && rm -rf /var/lib/apt/lists/* +RUN set -eux; \ + apt-get update; \ + apt-get -y install --no-install-recommends \ + ca-certificates \ + curl \ + iproute2; \ + mkdir /opt/owasp-crs; \ + curl -SL https://github.com/coreruleset/coreruleset/archive/v${RELEASE}.tar.gz | \ + tar -zxf - --strip-components=1 -C /opt/owasp-crs; \ + mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf; \ + ln -sv /opt/owasp-crs /etc/modsecurity.d/; \ + sed -i -E 's/(Listen) [0-9]+/\1 ${PORT}/g' /usr/local/apache2/conf/httpd.conf; \ + rm -rf /var/lib/apt/lists/* ENTRYPOINT ["/docker-entrypoint.sh"] CMD ["apachectl", "-D", "FOREGROUND"] diff --git a/apache/Dockerfile-alpine b/apache/Dockerfile-alpine new file mode 100644 index 00000000..309d15cb --- /dev/null +++ b/apache/Dockerfile-alpine 
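Review bot: The rewritten download line `curl -SL … | tar` has no `-f`/`--fail`, and with the `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` line removed in this hunk the pipeline's status is tar's alone, so an HTTP error body or a truncated transfer is only caught if tar happens to reject it; `curl -fSL` restores an explicit failure, and nginx/Dockerfile and both Dockerfile-alpine files use the same line. `set -eux` does not enable pipefail in POSIX sh, so this is the only place the transfer result is checked. The archive is also the WAF's entire rule policy, re-fetched on every weekly rebuild with no integrity check; saving it to a file and verifying it before extraction, e.g. `echo "<sha256 of the release tarball>  crs.tar.gz" | sha256sum -c`, would pin what gets shipped.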
@@ -0,0 +1,46 @@ +FROM owasp/modsecurity:apache-alpine + +LABEL maintainer="Felipe Zipitria " + +ARG RELEASE + +ENV PARANOIA=1 \ + ANOMALY_INBOUND=5 \ + ANOMALY_OUTBOUND=4 \ + APACHE_TIMEOUT=60 \ + LOGLEVEL=warn \ + ERRORLOG='/proc/self/fd/2' \ + USER=daemon \ + GROUP=daemon \ + SERVERADMIN=root@localhost \ + SERVERNAME=localhost \ + PORT=80 \ + MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \ + MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \ + MODSEC_RULE_ENGINE=on \ + MODSEC_REQ_BODY_ACCESS=on \ + MODSEC_REQ_BODY_LIMIT=13107200 \ + MODSEC_REQ_BODY_NOFILES_LIMIT=131072 \ + MODSEC_RESP_BODY_ACCESS=on \ + MODSEC_RESP_BODY_LIMIT=1048576 \ + MODSEC_PCRE_MATCH_LIMIT=100000 \ + MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 + +COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/ +COPY src/opt/modsecurity/activate-rules.sh /opt/modsecurity/ +COPY apache/conf/extra/*.conf /usr/local/apache2/conf/extra/ +COPY apache/docker-entrypoint.sh / + +# hadolint ignore=DL3008,SC2016 +RUN set -eux; \ + apk add --no-cache \ + ca-certificates \ + curl \ + iproute2; \ + mkdir /opt/owasp-crs; \ + curl -SL https://github.com/coreruleset/coreruleset/archive/v${RELEASE}.tar.gz \ + | tar -zxf - --strip-components=1 -C /opt/owasp-crs; \ + mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf; \ + ln -sv /opt/owasp-crs /etc/modsecurity.d/; \ + sed -i -E 's/(Listen) [0-9]+/\1 ${PORT}/g' /usr/local/apache2/conf/httpd.conf + diff --git a/docker-bake.hcl b/docker-bake.hcl new file mode 100644 index 00000000..d6145564 --- /dev/null +++ b/docker-bake.hcl 
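Review bot: This new Dockerfile ends after the `sed` on httpd.conf with no `ENTRYPOINT`/`CMD`, unlike nginx/Dockerfile-alpine in this same commit and the Debian apache/Dockerfile (`ENTRYPOINT ["/docker-entrypoint.sh"]`, `CMD ["apachectl", "-D", "FOREGROUND"]`). The `apache/docker-entrypoint.sh` copied to `/` therefore runs only if the base image's entrypoint happens to invoke it; if the base image's own entrypoint and CMD are inherited instead, activate-rules.sh never executes and `PARANOIA`, `ANOMALY_INBOUND` and the other `ENV` knobs are silently ignored — the container would start with stock settings and still pass the verify workflow's `.State.Running` check. Adding the two lines from the Debian variant fixes that. The `apk add` list also lacks `sed`, which nginx/Dockerfile-alpine installs; activate-rules.sh relies on `sed -z`, which BusyBox's sed does not provide as far as I know, so `sed` belongs in this list too.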
@@ -0,0 +1,88 @@ +# docker-bake.hcl +variable "crs-version" { + default = "3.3.2" +} + +function "major" { + params = [version] + result = split(".", version)[0] +} + +function "minor" { + params = [version] + result = join(".", slice(split(".", version),0,2)) +} +# result = split(version, ".")[0] + "." + split(version, ".")[1] "." + split(version, ".")[2] +function "patch" { + params = [version] + result = join(".", slice(split(".", version),0,3)) +} + +group "default" { + targets = [ + "apache", + "apache-alpine", + "nginx", + "nginx-alpine" + ] +} + +target "apache" { + context="." + dockerfile="apache/Dockerfile" + tags = [ + "owasp/modsecurity-crs:apache", + "owasp/modsecurity-crs:${major(crs-version)}-apache", + "owasp/modsecurity-crs:${minor(crs-version)}-apache", + "owasp/modsecurity-crs:${patch(crs-version)}-apache" + ] + platforms = ["linux/amd64", "linux/arm64/v8", "linux/arm/v7", "linux/i386"] + args = { + RELEASE = "${crs-version}" + } +} + +target "apache-alpine" { + context="." + dockerfile="apache/Dockerfile-alpine" + tags = [ + "owasp/modsecurity-crs:apache-alpine", + "owasp/modsecurity-crs:${major(crs-version)}-apache-alpine", + "owasp/modsecurity-crs:${minor(crs-version)}-apache-alpine", + "owasp/modsecurity-crs:${patch(crs-version)}-apache-alpine" + ] + platforms = ["linux/amd64", "linux/arm64/v8", "linux/arm/v7", "linux/i386"] + args = { + RELEASE = "${crs-version}" + } +} + +target "nginx" { + context="." + dockerfile="nginx/Dockerfile" + tags = [ + "owasp/modsecurity-crs:nginx", + "owasp/modsecurity-crs:${major(crs-version)}-nginx", + "owasp/modsecurity-crs:${minor(crs-version)}-nginx", + "owasp/modsecurity-crs:${patch(crs-version)}-nginx" + ] + platforms = ["linux/amd64", "linux/arm64/v8", "linux/arm/v7", "linux/i386"] + args = { + RELEASE = "${crs-version}" + } +} + +target "nginx-alpine" { + context="." 
+ dockerfile="nginx/Dockerfile-alpine" + tags = [ + "owasp/modsecurity-crs:nginx-alpine", + "owasp/modsecurity-crs:${major(crs-version)}-nginx-alpine", + "owasp/modsecurity-crs:${minor(crs-version)}-nginx-alpine", + "owasp/modsecurity-crs:${patch(crs-version)}-nginx-alpine" + ] + platforms = ["linux/amd64", "linux/arm64/v8", "linux/arm/v7", "linux/i386"] + args = { + RELEASE = "${crs-version}" + } +} diff --git a/nginx/Dockerfile b/nginx/Dockerfile index 77fbe2cc..3338f2b3 100644 --- a/nginx/Dockerfile +++ b/nginx/Dockerfile @@ -1,8 +1,8 @@ -FROM owasp/modsecurity:3 +FROM owasp/modsecurity:nginx -LABEL maintainer="Chaim Sanders " +LABEL maintainer="Felipe Zipitria " -ARG RELEASE=%%RELEASE%% +ARG RELEASE ENV PARANOIA=1 \ ANOMALY_INBOUND=5 \ @@ -40,7 +40,7 @@ RUN apt-get update \ curl \ iproute2 \ && mkdir /opt/owasp-crs \ - && curl -SL https://github.com/coreruleset/coreruleset/archive/${RELEASE}.tar.gz \ + && curl -SL https://github.com/coreruleset/coreruleset/archive/v${RELEASE}.tar.gz \ | tar -zxf - --strip-components=1 -C /opt/owasp-crs \ && mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf \ && ln -sv /opt/owasp-crs /etc/modsecurity.d/ \ diff --git a/nginx/Dockerfile-alpine b/nginx/Dockerfile-alpine new file mode 100644 index 00000000..50eae986 --- /dev/null +++ b/nginx/Dockerfile-alpine 
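Review bot: The four `target` blocks repeat the same `context`, `platforms` and `args` verbatim, so a change to the platform list or the `RELEASE` wiring has to be made in four places; bake's `inherits` lets one shared target carry them. The orphaned comment `# result = split(version, ".")[0] + "." + …` between `minor` and `patch` describes neither function and should go, and `context="."` / `dockerfile="…"` are spaced differently from every other attribute. A short comment on `variable "crs-version"` noting that it is the single source for every `RELEASE` build arg and for the image tags would also help, since both workflows carry a lookalike matrix value that is not passed through. Sketch of the shared target:
```hcl
# Settings common to every image target; each target inherits these.
target "common" {
  context = "."
  platforms = ["linux/amd64", "linux/arm64/v8", "linux/arm/v7", "linux/i386"]
  args = {
    RELEASE = "${crs-version}"
  }
}

target "apache" {
  inherits = ["common"]
  dockerfile = "apache/Dockerfile"
  tags = [
    "owasp/modsecurity-crs:apache",
    "owasp/modsecurity-crs:${major(crs-version)}-apache",
    "owasp/modsecurity-crs:${minor(crs-version)}-apache",
    "owasp/modsecurity-crs:${patch(crs-version)}-apache"
  ]
}
# … unchanged pattern for apache-alpine, nginx and nginx-alpine: inherits, dockerfile, tags …
```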
@@ -0,0 +1,46 @@ +FROM owasp/modsecurity:nginx-alpine + +LABEL maintainer="Felipe Zipitria " + +ARG RELEASE + +ENV PARANOIA=1 \ + ANOMALY_INBOUND=5 \ + ANOMALY_OUTBOUND=4 \ + NGINX_KEEPALIVE_TIMEOUT=60s \ + ERRORLOG=/var/log/nginx/error.log \ + LOGLEVEL=warn \ + USER=nginx \ + PORT=80 \ + SERVERNAME=locahost \ + WORKER_CONNECTIONS=1024 \ + MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \ + MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \ + MODSEC_RULE_ENGINE=on \ + MODSEC_REQ_BODY_ACCESS=on \ + MODSEC_REQ_BODY_LIMIT=13107200 \ + MODSEC_REQ_BODY_NOFILES_LIMIT=131072 \ + MODSEC_RESP_BODY_ACCESS=on \ + MODSEC_RESP_BODY_LIMIT=1048576 \ + MODSEC_PCRE_MATCH_LIMIT=100000 \ + MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 + +COPY src/opt/modsecurity/activate-rules.sh /opt/modsecurity/ +COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/ +COPY nginx/docker-entrypoint.sh / +COPY nginx/nginx.conf /etc/nginx/nginx.conf + +# hadolint ignore=DL3008,SC2016 +RUN set -eux; \ + apk add --no-cache \ + ca-certificates \ + curl \ + sed; \ + mkdir /opt/owasp-crs; \ + curl -SL https://github.com/coreruleset/coreruleset/archive/v${RELEASE}.tar.gz \ + | tar -zxf - --strip-components=1 -C /opt/owasp-crs; \ + mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf; \ + ln -sv /opt/owasp-crs /etc/modsecurity.d/ + +ENTRYPOINT ["/docker-entrypoint.sh"] +CMD ["nginx", "-g", "daemon off;"] diff --git a/nginx/docker-entrypoint.sh b/nginx/docker-entrypoint.sh index 4f5905f2..707d3133 100755 --- a/nginx/docker-entrypoint.sh +++ b/nginx/docker-entrypoint.sh 
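Review bot: `SERVERNAME=locahost` in the `ENV` block is misspelled; it should read `SERVERNAME=localhost`, matching apache/Dockerfile-alpine. Whether this was copied from the Debian nginx/Dockerfile is not visible in this diff, but if so it wants fixing there as well, since the value presumably ends up in the rendered nginx.conf. The `curl -SL … | tar` line shares the missing `-f` raised on apache/Dockerfile.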
@@ -1,14 +1,17 @@ -#!/bin/bash -e +#!/bin/sh -e -export DNS_SERVER=${DNS_SERVER:-$(cat /etc/resolv.conf |grep -i '^nameserver'|head -n1|cut -d ' ' -f2)} +export DNS_SERVER=${DNS_SERVER:-$(grep -i '^nameserver' /etc/resolv.conf|head -n1|cut -d ' ' -f2)} ENV_VARIABLES=$(awk 'BEGIN{for(v in ENVIRON) print "$"v}') -for FILE in etc/nginx/nginx.conf etc/nginx/conf.d/default.conf etc/nginx/conf.d/logging.conf etc/modsecurity.d/modsecurity-override.conf -do - envsubst "$ENV_VARIABLES" <$FILE | sponge $FILE +FILES="/etc/nginx/nginx.conf /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/logging.conf /etc/modsecurity.d/modsecurity-override.conf" + +for FILE in $FILES; do + if [ -f "$FILE" ]; then + envsubst "$ENV_VARIABLES" <"$FILE" | sponge "$FILE" + fi done -source /opt/modsecurity/activate-rules.sh +. /opt/modsecurity/activate-rules.sh exec "$@" diff --git a/src/opt/modsecurity/activate-rules.sh b/src/opt/modsecurity/activate-rules.sh index be45a8c7..773e901d 100755 --- a/src/opt/modsecurity/activate-rules.sh +++ b/src/opt/modsecurity/activate-rules.sh 
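Review bot: In the rewritten loop, `envsubst "$ENV_VARIABLES" <"$FILE" | sponge "$FILE"` still takes its exit status from `sponge`, so under `sh -e` a failing or absent `envsubst` is not fatal and `sponge` rewrites the file with whatever it received — potentially an empty nginx.conf or modsecurity-override.conf, which would silently drop the override configuration. Writing to a temporary file in two separate statements makes each step fatal on error and removes the moreutils dependency: `envsubst "$ENV_VARIABLES" <"$FILE" >"$FILE.tmp"` followed by `mv "$FILE.tmp" "$FILE"` (keep them on separate lines rather than joined with `&&`, which `-e` does not enforce). The `DNS_SERVER` default's `cut -d ' ' -f2` only handles a single space in resolv.conf; `awk '/^nameserver/ {print $2; exit}' /etc/resolv.conf` tolerates tabs and runs of spaces.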
@@ -1,80 +1,80 @@ -#!/bin/bash -e +#!/bin/sh -e # Paranoia Level -sed -z -E -i 's/#SecAction.{7}id:900000.*tx\.paranoia_level=1\"/SecAction \\\n \"id:900000, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:tx.paranoia_level='"$PARANOIA"'\"/' /etc/modsecurity.d/owasp-crs/crs-setup.conf +sed -z -E -i 's/#SecAction.{7}id:900000.*tx\.paranoia_level=1\"/SecAction \\\n \"id:900000, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:tx.paranoia_level='"$PARANOIA"'\"/' /etc/modsecurity.d/owasp-crs/crs-setup.conf # Executing Paranoia Level if [ -n "$EXECUTING_PARANOIA" ]; then sed -z -E -i 's/#SecAction.{7}id:900001.*tx\.executing_paranoia_level=1\"/SecAction \\\n \"id:900001, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:tx.executing_paranoia_level='"$EXECUTING_PARANOIA"'\"/' /etc/modsecurity.d/owasp-crs/crs-setup.conf -fi +fi # Enforce Body Processor URLENCODED if [ -n "$ENFORCE_BODYPROC_URLENCODED" ]; then sed -z -E -i 's/#SecAction.{7}id:900010.*tx\.enforce_bodyproc_urlencoded=1\"/SecAction \\\n \"id:900010, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:tx.enforce_bodyproc_urlencoded='"$ENFORCE_BODYPROC_URLENCODED"'\"/' /etc/modsecurity.d/owasp-crs/crs-setup.conf -fi +fi # Inbound and Outbound Anomaly Score -sed -z -E -i 's/#SecAction.{6}id:900110.*tx\.outbound_anomaly_score_threshold=4\"/SecAction \\\n \"id:900110, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:tx.inbound_anomaly_score_threshold='"$ANOMALY_INBOUND"', \\\n setvar:tx.outbound_anomaly_score_threshold='"$ANOMALY_OUTBOUND"'\"/' /etc/modsecurity.d/owasp-crs/crs-setup.conf +sed -z -E -i 's/#SecAction.{6}id:900110.*tx\.outbound_anomaly_score_threshold=4\"/SecAction \\\n \"id:900110, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:tx.inbound_anomaly_score_threshold='"$ANOMALY_INBOUND"', \\\n setvar:tx.outbound_anomaly_score_threshold='"$ANOMALY_OUTBOUND"'\"/' /etc/modsecurity.d/owasp-crs/crs-setup.conf # HTTP methods that a 
client is allowed to use. if [ -n "$ALLOWED_METHODS" ]; then sed -z -E -i 's/#SecAction.{6}id:900200.*\x27tx\.allowed_methods=[[:upper:][:space:]]*\x27\"/SecAction \\\n \"id:900200, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:\x27tx.allowed_methods='"$ALLOWED_METHODS"'\x27\"/' /etc/modsecurity.d/owasp-crs/crs-setup.conf -fi +fi # Content-Types that a client is allowed to send in a request. if [ -n "$ALLOWED_REQUEST_CONTENT_TYPE" ]; then sed -z -E -i 's;#SecAction.{6}id:900220.*\x27tx\.allowed_request_content_type=[[:lower:]|+/-]*\x27\";SecAction \\\n \"id:900220, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:\x27tx.allowed_request_content_type='"$ALLOWED_REQUEST_CONTENT_TYPE"'\x27\";' /etc/modsecurity.d/owasp-crs/crs-setup.conf -fi +fi # Content-Types charsets that a client is allowed to send in a request. if [ -n "$ALLOWED_REQUEST_CONTENT_TYPE_CHARSET" ]; then sed -z -E -i 's/#SecAction.{6}id:900270.*\x27tx\.allowed_request_content_type_charset=[[:lower:][:digit:]|-]*\x27\"/SecAction \\\n \"id:900270, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:\x27tx.allowed_request_content_type_charset='"$ALLOWED_REQUEST_CONTENT_TYPE_CHARSET"'\x27\"/' /etc/modsecurity.d/owasp-crs/crs-setup.conf -fi +fi # Allowed HTTP versions. if [ -n "$ALLOWED_HTTP_VERSIONS" ]; then sed -z -E -i 's|#SecAction.{6}id:900230.*\x27tx\.allowed_http_versions=[HTP012[:space:]/.]*\x27\"|SecAction \\\n \"id:900230, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:\x27tx.allowed_http_versions='"$ALLOWED_HTTP_VERSIONS"'\x27\"|' /etc/modsecurity.d/owasp-crs/crs-setup.conf -fi +fi # Forbidden file extensions. 
if [ -n "$RESTRICTED_EXTENSIONS" ]; then sed -z -E -i 's|#SecAction.{6}id:900240.*\x27tx\.restricted_extensions=[[:lower:][:space:]./]*\/\x27\"|SecAction \\\n \"id:900240, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:\x27tx.restricted_extensions='"$RESTRICTED_EXTENSIONS"'\x27\"|' /etc/modsecurity.d/owasp-crs/crs-setup.conf -fi +fi # Forbidden request headers. if [ -n "$RESTRICTED_HEADERS" ]; then sed -z -E -i 's|#SecAction.{6}id:900250.*\x27tx\.restricted_headers=[[:lower:][:space:]/-]*\x27\"|SecAction \\\n \"id:900250, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:\x27tx.restricted_headers='"$RESTRICTED_HEADERS"'\x27\"|' /etc/modsecurity.d/owasp-crs/crs-setup.conf -fi +fi # File extensions considered static files. if [ -n "$STATIC_EXTENSIONS" ]; then sed -z -E -i 's|#SecAction.{6}id:900260.*\x27tx\.static_extensions=/[[:lower:][:space:]/.]*\x27\"|SecAction \\\n \"id:900260, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:\x27tx.static_extensions='"$STATIC_EXTENSIONS"'\x27\"|' /etc/modsecurity.d/owasp-crs/crs-setup.conf -fi +fi # Block request if number of arguments is too high if [ -n "$MAX_NUM_ARGS" ]; then sed -z -E -i 's/#SecAction.{6}id:900300.*tx\.max_num_args=255\"/SecAction \\\n \"id:900300, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:tx.max_num_args='"$MAX_NUM_ARGS"'\"/' /etc/modsecurity.d/owasp-crs/crs-setup.conf -fi +fi # Block request if the length of any argument name is too high if [ -n "$ARG_NAME_LENGTH" ]; then sed -z -E -i 's/#SecAction.{6}id:900310.*tx\.arg_name_length=100\"/SecAction \\\n \"id:900310, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:tx.arg_name_length='"$ARG_NAME_LENGTH"'\"/' /etc/modsecurity.d/owasp-crs/crs-setup.conf -fi +fi # Block request if the length of any argument value is too high if [ -n "$ARG_LENGTH" ]; then sed -z -E -i 's/#SecAction.{6}id:900320.*tx\.arg_length=400\"/SecAction \\\n \"id:900320, \\\n phase:1, \\\n nolog, \\\n pass, \\\n 
t:none, \\\n setvar:tx.arg_length='"$ARG_LENGTH"'\"/' /etc/modsecurity.d/owasp-crs/crs-setup.conf -fi +fi # Block request if the total length of all combined arguments is too high if [ -n "$TOTAL_ARG_LENGTH" ]; then sed -z -E -i 's/#SecAction.{6}id:900330.*tx\.total_arg_length=64000\"/SecAction \\\n \"id:900330, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:tx.total_arg_length='"$TOTAL_ARG_LENGTH"'\"/' /etc/modsecurity.d/owasp-crs/crs-setup.conf -fi +fi # Block request if the total length of all combined arguments is too high if [ -n "$MAX_FILE_SIZE" ]; then sed -z -E -i 's/#SecAction.{6}id:900340.*tx\.max_file_size=1048576\"/SecAction \\\n \"id:900340, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:tx.max_file_size='"$MAX_FILE_SIZE"'\"/' /etc/modsecurity.d/owasp-crs/crs-setup.conf -fi +fi # Block request if the total size of all combined uploaded files is too high if [ -n "$COMBINED_FILE_SIZES" ]; then