From 2fa577f7e5b6c49518951a877f3983cef66a14ff Mon Sep 17 00:00:00 2001
From: Peter Bittner
Date: Thu, 20 Feb 2020 12:40:47 +0100
Subject: [PATCH 1/2] Use cleaner approach to include ModSecurity config
---
 v2-apache/Dockerfile | 26 +++++++++-------------
 v2-apache/httpd-logging-after-modsec.conf | 0
 v2-apache/httpd-logging-before-modsec.conf | 18 ---------------
 3 files changed, 11 insertions(+), 33 deletions(-)
 delete mode 100644 v2-apache/httpd-logging-after-modsec.conf
 delete mode 100644 v2-apache/httpd-logging-before-modsec.conf
diff --git a/v2-apache/Dockerfile b/v2-apache/Dockerfile
index 2c92cf8..e1c8ded 100644
--- a/v2-apache/Dockerfile
+++ b/v2-apache/Dockerfile
@@ -72,23 +72,19 @@ COPY --from=build /usr/local/lib/libfuzzy.so.2.1.0 /
 COPY --from=build /usr/local/bin/ssdeep /usr/local/bin/ssdeep
 COPY --from=build /usr/share/TLS/server.key /usr/local/apache2/conf/server.key
 COPY --from=build /usr/share/TLS/server.crt /usr/local/apache2/conf/server.crt
-COPY httpd-logging-before-modsec.conf /usr/local/apache2/conf/extra/httpd-logging-before-modsec.conf
-COPY httpd-logging-after-modsec.conf /usr/local/apache2/conf/extra/httpd-logging-after-modsec.conf
-RUN ln -s libfuzzy.so.2.1.0 /usr/local/lib/libfuzzy.so && \
- ln -s libfuzzy.so.2.1.0 /usr/local/lib/libfuzzy.so.2 && \
- ldconfig
+RUN ln -s libfuzzy.so.2.1.0 /usr/local/lib/libfuzzy.so \
+ && ln -s libfuzzy.so.2.1.0 /usr/local/lib/libfuzzy.so.2 \
+ && ldconfig
-RUN sed -i -e 's/#LoadModule unique_id_module/LoadModule unique_id_module/g' /usr/local/apache2/conf/httpd.conf && \
- sed -i -e 's/ServerTokens Full/ServerTokens Prod/g' /usr/local/apache2/conf/extra/httpd-default.conf && \
- sed -i -e 's/#CustomLog "logs\/access_log" combined/Include conf\/extra\/httpd-logging-before-modsec.conf/' /usr/local/apache2/conf/httpd.conf && \
- echo "LoadModule security2_module /usr/local/apache2/modules/mod_security2.so" >> /usr/local/apache2/conf/httpd.conf && \
- echo "Include conf/extra/httpd-default.conf" >> /usr/local/apache2/conf/httpd.conf && \
- echo "\nInclude /etc/modsecurity.d/include.conf\n" >> /usr/local/apache2/conf/httpd.conf && \
- echo "include \"/etc/modsecurity.d/modsecurity.conf\"" > /etc/modsecurity.d/include.conf && \
- echo "Include conf/extra/httpd-logging-after-modsec.conf" >> /usr/local/apache2/conf/httpd.conf && \
- echo "ServerName \${SERVERNAME}" >> /usr/local/apache2/conf/httpd.conf && \
- echo "hello world" > /usr/local/apache2/htdocs/index.html
+RUN sed -i -E 's|(ServerTokens) Full|\1 Prod|' /usr/local/apache2/conf/extra/httpd-default.conf \
+ && sed -i -E 's|#(Include conf/extra/httpd-default.conf)|\1|' /usr/local/apache2/conf/httpd.conf \
+ && sed -i -E 's|#(ServerName) www.example.com:80|\1 ${SERVERNAME}|' /usr/local/apache2/conf/httpd.conf \
+ && sed -i -E 's|#(LoadModule unique_id_module)|\1|' /usr/local/apache2/conf/httpd.conf \
+ && echo 'Include conf/extra/httpd-modsecurity.conf' >> /usr/local/apache2/conf/httpd.conf \
+ && echo 'LoadModule security2_module /usr/local/apache2/modules/mod_security2.so' > /usr/local/apache2/conf/extra/httpd-modsecurity.conf \
+ && echo 'Include /etc/modsecurity.d/include.conf' >> /usr/local/apache2/conf/extra/httpd-modsecurity.conf \
+ && echo 'Include /etc/modsecurity.d/modsecurity.conf' > /etc/modsecurity.d/include.conf
 RUN if [ "$SETTLS" = "True" ]; then \
 echo "setting TLS"; \
diff --git a/v2-apache/httpd-logging-after-modsec.conf b/v2-apache/httpd-logging-after-modsec.conf
deleted file mode 100644
index e69de29..0000000
diff --git a/v2-apache/httpd-logging-before-modsec.conf b/v2-apache/httpd-logging-before-modsec.conf
deleted file mode 100644
index 1067ff8..0000000
--- a/v2-apache/httpd-logging-before-modsec.conf
+++ /dev/null
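Review bot: The rewritten RUN removes all of the access/error-log wiring without replacing it: the old `sed` that turned `#CustomLog "logs/access_log" combined` into `Include conf/extra/httpd-logging-before-modsec.conf`, the `Include conf/extra/httpd-logging-after-modsec.conf` line and both conf files are dropped, and nothing on the new side re-adds `ErrorLog ${ERRORLOG}`, the `extended` LogFormat (which carried `%{UNIQUE_ID}e` and the `%{ModSecAnomalyScore*}e` fields) or `CustomLog ${ACCESSLOG} extended`. Unless that configuration is restored elsewhere, the image presumably falls back to httpd's stock access log, losing the per-request ID and anomaly-score columns an operator uses to correlate ModSecurity audit entries, and the `ERRORLOG`/`ACCESSLOG` variables appear to become dead. If the drop is intentional, say so next to the RUN, e.g. `# access/error logging intentionally left at httpd defaults`. Separately, each `sed -i -E` in the new RUN exits 0 even when its pattern is absent, so a hardening edit such as `ServerTokens Prod` would silently stop applying after a base-image change; a guard like `&& grep -q '^ServerTokens Prod' /usr/local/apache2/conf/extra/httpd-default.conf` would fail the build instead.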
@@ -1,18 +0,0 @@
-ErrorLog ${ERRORLOG}
-
-# For more information regarding the values in the extended log format
-# and aliases and scripts to extract information please read:
-# https://www.netnea.com/cms/apache-tutorial-5_extending-access-log/
-# https://www.netnea.com/cms/apache-tutorial-7_including-modsecurity-core-rules/
-# The timeout variables are empty for now and will be filled later when CRS is loaded into the CRS container.
-
-LoadModule logio_module /usr/local/apache2/modules/mod_logio.so
-
-LogFormat "%h %{GEOIP_COUNTRY_CODE}e %u [%{%Y-%m-%d %H:%M:%S}t.%{usec_frac}t] \"%r\" %>s %b \
-\"%{Referer}i\" \"%{User-Agent}i\" \"%{Content-Type}i\" %{remote}p %v %A %p %R \
-%{BALANCER_WORKER_ROUTE}e %X \"%{cookie}n\" %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
-%I %O %{ratio}n%% %D %{ModSecTimeIn}e %{ApplicationTime}e %{ModSecTimeOut}e \
-%{ModSecAnomalyScoreInPLs}e %{ModSecAnomalyScoreOutPLs}e \
-%{ModSecAnomalyScoreIn}e %{ModSecAnomalyScoreOut}e" extended
-
-CustomLog ${ACCESSLOG} extended
From 74b9b6335639167e237181c0e20557aefd2f8395 Mon Sep 17 00:00:00 2001
From: Gabriel Saratura
Date: Thu, 20 Feb 2020 17:14:23 +0100
Subject: [PATCH 2/2] Update workflow logic
---
 .github/workflows/dockerimage.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml
index 3c1685e..bdb9831 100644
--- a/.github/workflows/dockerimage.yml
+++ b/.github/workflows/dockerimage.yml
@@ -1,8 +1,5 @@
 name: Build images for Docker Hub
-on:
- push:
- branches:
- - master
+on: push
 jobs:
 build:
 runs-on: ubuntu-latest
@@ -28,4 +25,5 @@ jobs:
 --tag owasp/modsecurity:$(./version.sh ${{ matrix.image }} -vvv)
 - name: Push ${{ matrix.image }}
+ if: github.ref == 'refs/heads/master'
 run: docker push owasp/modsecurity
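Review bot: With the trigger widened to `on: push` in the first hunk, checkout, the image build and any login step that precedes the `Push` step now run for every branch and tag push, while only the final `docker push` is gated by `if: github.ref == 'refs/heads/master'` in the second hunk. If the login step consumes registry secrets, gating it with the same expression keeps credentials out of jobs that will never publish; that step lies outside both hunks, so this is inferred. The ref check also skips tag pushes (`refs/tags/...`), which is probably intended but worth stating on the step, e.g. `# publish only from master; other branches and tags build without pushing`.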