chore: improve dynamic module handling for nginx

docker-bake.hcl

@@ -59,8 +59,8 @@ variable "REPOS" {
 variable "nginx-dynamic-modules" {
     # List of dynamic modules to include in the nginx build
     default = [
-        "owasp-modsecurity/ModSecurity-nginx",
-        "openresty/headers-more-nginx-module"
+        {owner: "owasp-modsecurity", name: "ModSecurity-nginx", version: "v1.0.3"},
+        {owner: "openresty", name: "headers-more-nginx-module", version: "master"}
     ]
 }
 
@@ -150,8 +150,7 @@ target "nginx" {
     args = {
         LUA_MODULES = join(" ", lua-modules-debian)
         NGINX_VERSION = "${nginx-version}"
-        NGINX_DYNAMIC_MODULES = join(" ", nginx-dynamic-modules)
-        MODSECURITY_NGINX_VERSION = "${modsecurity-nginx-version}"
+        NGINX_DYNAMIC_MODULES = join(" ", [for mod in nginx-dynamic-modules : join(" ", [mod.owner, mod.name, mod.version])])
     }
     tags = concat(tag("nginx"),
         vtag("${crs-version}", "nginx")
@@ -163,9 +162,8 @@ target "nginx-alpine" {
     dockerfile="nginx/Dockerfile-alpine"
     args = {
         LUA_MODULES = join(" ", lua-modules-alpine)
-        NGINX_DYNAMIC_MODULES = join(" ", nginx-dynamic-modules)
         NGINX_VERSION = "${nginx-version}"
-        MODSECURITY_NGINX_VERSION = "${modsecurity-nginx-version}"
+        NGINX_DYNAMIC_MODULES = join(" ", [for mod in nginx-dynamic-modules : join(" ", [mod.owner, mod.name, mod.version])])
     }
     tags = concat(tag("nginx-alpine"),
         vtag("${crs-version}", "nginx-alpine")

nginx/Dockerfile

@@ -6,7 +6,6 @@ ARG MODSEC3_VERSION="n/a"
 ARG LMDB_VERSION="n/a"
 ARG LUA_VERSION="n/a"
 ARG NGINX_DYNAMIC_MODULES="n/a"
-ARG MODSECURITY_NGINX_VERSION="n/a"
 
 USER root
 
@@ -60,15 +59,15 @@ RUN set -eux; \
 # Build modules
 RUN set -eux; \
     modules=""; \
-    for module in ${NGINX_DYNAMIC_MODULES}; \
+    set -- ${NGINX_DYNAMIC_MODULES}; \
+    while [ ${#} -gt 0 ]; \
     do \
-        repo=$(echo "${module}" | awk -F'/' '{print $2}'); \
-        if [ "${module}" == "owasp-modsecurity/ModSecurity-nginx" ]; then \
-          git clone -b v${MODSECURITY_NGINX_VERSION} --depth 1 "https://github.com/${module}.git"; \
-        else \
-          git clone -b master --depth 1 "https://github.com/${module}.git"; \
-        fi; \
-        modules="${modules} --add-dynamic-module=../${repo}"; \
+        owner="${1}"; \
+        name="${2}"; \
+        version="${3}"; \
+        shift 3; \
+        git clone -b "${version}" --depth 1 "https://github.com/${owner}/${name}.git"; \
+        modules="${modules} --add-dynamic-module=../${name}"; \
     done; \
     curl -sSL "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" -o nginx-${NGINX_VERSION}.tar.gz; \
     tar -xzf nginx-${NGINX_VERSION}.tar.gz; \

nginx/Dockerfile-alpine

@@ -1,11 +1,10 @@
 ARG NGINX_VERSION="n/a"
 
-FROM nginxinc/nginx-unprivileged:${NGINX_VERSION}-alpine@sha256:10484850d007b13fe46c1d03dfcc9e3e77eb347889b999ac57c9f693039e3e0f AS build
+FROM nginxinc/nginx-unprivileged:${NGINX_VERSION}-alpine AS build
 
 ARG MODSEC3_VERSION="n/a"
 ARG LUA_VERSION="n/a"
 ARG NGINX_DYNAMIC_MODULES="n/a"
-ARG MODSECURITY_NGINX_VERSION="n/a"
 
 USER root
 
@@ -56,15 +55,15 @@ RUN set -eux; \
    # Build modules
 RUN set -eux; \
     modules=""; \
-    for module in ${NGINX_DYNAMIC_MODULES}; \
+    set -- ${NGINX_DYNAMIC_MODULES}; \
+    while [ ${#} -gt 0 ]; \
     do \
-        repo=$(echo "${module}" | awk -F'/' '{print $2}'); \
-        if [ "${module}" == "owasp-modsecurity/ModSecurity-nginx" ]; then \
-          git clone -b v${MODSECURITY_NGINX_VERSION} --depth 1 "https://github.com/${module}.git"; \
-        else \
-          git clone -b master --depth 1 "https://github.com/${module}.git"; \
-        fi; \
-        modules="${modules} --add-dynamic-module=../${repo}"; \
+        owner="${1}"; \
+        name="${2}"; \
+        version="${3}"; \
+        shift 3; \
+        git clone -b "${version}" --depth 1 "https://github.com/${owner}/${name}.git"; \
+        modules="${modules} --add-dynamic-module=../${name}"; \
     done; \
     curl -sSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx-${NGINX_VERSION}.tar.gz; \
     tar -xzf nginx-${NGINX_VERSION}.tar.gz; \
@@ -83,7 +82,7 @@ RUN set -eux; \
     curl -sSL https://ssl-config.mozilla.org/ffdhe2048.txt -o /usr/share/TLS/dhparam-2048.pem; \
     curl -sSL https://ssl-config.mozilla.org/ffdhe4096.txt -o /usr/share/TLS/dhparam-4096.pem
 
-FROM nginxinc/nginx-unprivileged:${NGINX_VERSION}-alpine@sha256:10484850d007b13fe46c1d03dfcc9e3e77eb347889b999ac57c9f693039e3e0f AS crs_release
+FROM nginxinc/nginx-unprivileged:${NGINX_VERSION}-alpine AS crs_release
 
 ARG CRS_RELEASE