Update to CRS v4.1

.github/workflows/push.yml

@@ -23,7 +23,7 @@ jobs:
         if: startsWith(github.ref, 'refs/tags/v')
         run: echo "VERSION=$(echo ${GITHUB_REF#refs/tags/})" >> ${GITHUB_ENV}
       - name: Build Image
-        run: docker build -t "${IMAGE}:${VERSION}" v3.3
+        run: docker build -t "${IMAGE}:${VERSION}" v4.1
       - name: Push Image to DockerHub
         env:
           DOCKER_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}

.github/workflows/test.yml

@@ -5,13 +5,13 @@ on:
       - master
 
 jobs:
-  test_3_3:
-    name: Docker build v3.3
+  test_4_1:
+    name: Docker build v4.1
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - name: Build image
-        run: docker build -t test v3.3
+        run: docker build -t test v4.1
       - name: Run image
         run: docker run -d --name apache test
       - name: Verify

README.md

@@ -16,10 +16,10 @@ Based on the official [`owasp/modsecurity-crs`](https://hub.docker.com/r/owasp/m
 
 * [![latest](
   https://img.shields.io/badge/latest-blue.svg?colorA=22313f&colorB=4a637b&logo=docker)](
-  https://github.com/vshn/modsecurity-docker/blob/master/v3.3/Dockerfile) based on [coreruleset/modsecurity-crs-docker](ttps://github.com/coreruleset/modsecurity-crs-docker) (ModSecurity 2, CRS v3.3.2)
-* [![3.3](
-  https://img.shields.io/badge/3.3-blue.svg?colorA=22313f&colorB=4a637b&logo=docker)](
-  https://github.com/vshn/modsecurity-docker/blob/master/v3.3/Dockerfile) based on [coreruleset/modsecurity-crs-docker](ttps://github.com/coreruleset/modsecurity-crs-docker) (ModSecurity 2, CRS v3.3.2)
+  https://github.com/vshn/modsecurity-docker/blob/master/v4.1/Dockerfile) based on [coreruleset/modsecurity-crs-docker](ttps://github.com/coreruleset/modsecurity-crs-docker) (ModSecurity 2, CRS v4.1.0)
+* [![4.1](
+  https://img.shields.io/badge/4.1-blue.svg?colorA=22313f&colorB=4a637b&logo=docker)](
+  https://github.com/vshn/modsecurity-docker/blob/master/v4.1/Dockerfile) based on [coreruleset/modsecurity-crs-docker](ttps://github.com/coreruleset/modsecurity-crs-docker) (ModSecurity 2, CRS v4.1.0)
 
 ## Usage
 
@@ -32,7 +32,7 @@ $ docker run -p 80:80 -it -e PARANOIA=4 --rm vshn/modsecurity bash
 With a Dockerfile:
 
 ```Dockerfile
-FROM docker.io/vshn/modsecurity:3.3
+FROM docker.io/vshn/modsecurity:4.1
 
 ENV PARANOIA=1 \
     ANOMALY_INBOUND=500 \
@@ -49,7 +49,7 @@ VOLUME /tmp/modsecurity
 With Docker Compose to start a ModSecurity and a httpbin container:
 
 ```console
-cd v3.3
+cd v4.1
 docker-compose up
 ```
 

v3.3/Dockerfile → v4.1/Dockerfile

@@ -1,4 +1,9 @@
-FROM docker.io/owasp/modsecurity-crs:3.3.5-apache-202402140602@sha256:2a6f6f3dbdcf5edda48606e1dd325f7fb785de7b2d22b70dcb03d692046c1d05
+FROM docker.io/owasp/modsecurity-crs:4.1.0-apache-202405050505@sha256:ce9ebaf23dc8d7c229e8a2eef500bcabf6756800ca3226de7553dd70d051feec
+
+# Upstream converted the image to run apache directly as user `httpd` instead of dropping privileges after start-up.
+# see: https://github.com/coreruleset/modsecurity-crs-docker/commit/f9c687500e343f05005739c3d2c72c1dc92b0ff1#diff-02c190dd34ee6ce466ae02364d954e15a049a0343ba71774688653550e4c82f6R215
+# and https://github.com/coreruleset/modsecurity-crs-docker/pull/227
+USER 0:0
 
 ENV APACHE_RUN_USER=www-data \
     APACHE_RUN_GROUP=root \
@@ -136,5 +141,9 @@ RUN mkdir -p \
 
 COPY entrypoint.sh /entrypoint.sh
 
+# See beginning of file and upstream PR:
+# https://github.com/coreruleset/modsecurity-crs-docker/pull/227/files#diff-02c190dd34ee6ce466ae02364d954e15a049a0343ba71774688653550e4c82f6R215
+USER httpd
+
 ENTRYPOINT [ "/entrypoint.sh" ]
 CMD ["apachectl", "-D", "FOREGROUND"]