Merge branch 'main' into build-apache-pcre2

coreruleset · Jul 22, 2024 · 8bda11a · 8bda11a
2 parents e4eceea + ea80719
commit 8bda11a
Show file tree

Hide file tree

Showing 21 changed files with 433 additions and 345 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -1,8 +1,8 @@
 name: Build and publish images for container registries
+
 on:
-  push:
-    branches:
-      - master
+  release:
+    types: [published]
 
 jobs:
   prepare:

diff --git a/.github/workflows/verifyimage.yml b/.github/workflows/verifyimage.yml
@@ -3,11 +3,11 @@ name: Verify Images
 on:
   pull_request:
     branches:
-      - master
-      - develop
-
+      - main
 env:
   REPO: "owasp/modsecurity-crs"
+  # sha256sum format: <hash><space><format (space for text)><file name>
+  MODSECURITY_RECOMMENDED: "d9e164c508218202eba13d37cf661baacb8600706e618ce93ccc91c74c51449e  modsecurity.conf-recommended"
 
 jobs:
   prepare:
@@ -20,6 +20,11 @@ jobs:
       - name: List targets
         id: generate
         uses: docker/bake-action/subaction/list-targets@v4
+      - name: Check modsecurity recommended
+        run: |
+          curl -sSL https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/modsecurity.conf-recommended -o modsecurity.conf-recommended
+          echo '${{ env.MODSECURITY_RECOMMENDED }}' > sha256sum.txt
+          sha256sum -c sha256sum.txt
 
   build:
     runs-on: ubuntu-latest

diff --git a/README-containers.md b/README-containers.md
diff --git a/README.md b/README.md
diff --git a/apache/Dockerfile b/apache/Dockerfile
@@ -1,6 +1,6 @@
 ARG HTTPD_VERSION="n/a"
 
-FROM httpd:${HTTPD_VERSION} as build
+FROM httpd:${HTTPD_VERSION} AS build
 
 ARG MODSEC2_VERSION="n/a"
 ARG LUA_VERSION="n/a"
@@ -36,7 +36,7 @@ RUN set -eux; \
     make install; \
     make clean
 
-FROM httpd:${HTTPD_VERSION} as crs_release
+FROM httpd:${HTTPD_VERSION} AS crs_release
 
 ARG CRS_RELEASE
 
@@ -70,20 +70,24 @@ ENV \
     APACHE_ERRORLOG_FORMAT='"[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"' \
     APACHE_LOGFORMAT='"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""' \
     APACHE_METRICS_LOGFORMAT='"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""' \
-    BACKEND=http://localhost:80 \
-    BACKEND_WS=ws://localhost:8080 \
+    BACKEND=http://localhost:8080 \
+    BACKEND_WS=ws://localhost:8081 \
     ERRORLOG='/proc/self/fd/2' \
     H2_PROTOCOLS='h2 http/1.1' \
     LOGLEVEL=warn \
     METRICS_ALLOW_FROM='127.0.0.0/255.0.0.0 ::1/128' \
     METRICS_DENY_FROM='All' \
     METRICSLOG='/dev/null' \
+    MODSEC_ARGUMENT_SEPARATOR="&" \
+    MODSEC_ARGUMENTS_LIMIT=1000 \
     MODSEC_AUDIT_ENGINE="RelevantOnly" \
     MODSEC_AUDIT_LOG=/dev/stdout \
     MODSEC_AUDIT_LOG_FORMAT=JSON \
     MODSEC_AUDIT_LOG_PARTS='ABIJDEFHZ' \
+    MODSEC_AUDIT_LOG_RELEVANT_STATUS="^(?:5|4(?!04))" \
     MODSEC_AUDIT_LOG_TYPE=Serial \
-    MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \
+    MODSEC_COOKIE_FORMAT=0 \
+    MODSEC_AUDIT_STORAGE_DIR=/var/log/modsecurity/audit/ \
     MODSEC_DATA_DIR=/tmp/modsecurity/data \
     MODSEC_DEBUG_LOG=/dev/null \
     MODSEC_DEBUG_LOGLEVEL=0 \
@@ -107,9 +111,12 @@ ENV \
     MODSEC_TAG=modsecurity \
     MODSEC_TMP_DIR=/tmp/modsecurity/tmp \
     MODSEC_TMP_SAVE_UPLOADED_FILES="on" \
+    MODSEC_UNICODE_MAPPING=20127 \
     MODSEC_UPLOAD_DIR=/tmp/modsecurity/upload \
+    MODSEC_UPLOAD_FILE_MODE=0600 \
+    MODSEC_UPLOAD_KEEP_FILES=RelevantOnly \
     MUTEX='default' \
-    PORT=80 \
+    PORT=8080 \
     PROXY_ERROR_OVERRIDE=on \
     PROXY_PRESERVE_HOST=on \
     PROXY_SSL_CA_CERT=/etc/ssl/certs/ca-certificates.crt \
@@ -133,7 +140,7 @@ ENV \
     SSL_ENGINE=on \
     SSL_HONOR_CIPHER_ORDER=off \
     SSL_OCSP_STAPLING=On \
-    SSL_PORT=443 \
+    SSL_PORT=8443 \
     SSL_PROTOCOLS="all -SSLv3 -TLSv1 -TLSv1.1" \
     SSL_SESSION_TICKETS=off \
     TIMEOUT=60 \
@@ -144,9 +151,8 @@ ENV \
     ANOMALY_OUTBOUND=4 \
     BLOCKING_PARANOIA=1
 
-COPY --from=build /usr/local/apache2/modules/mod_security2.so                  /usr/local/apache2/modules/mod_security2.so
-COPY --from=build /usr/local/apache2/ModSecurity-${MODSEC2_VERSION}/modsecurity.conf-recommended  /etc/modsecurity.d/modsecurity.conf
-COPY --from=build /usr/local/apache2/ModSecurity-${MODSEC2_VERSION}/unicode.mapping               /etc/modsecurity.d/unicode.mapping
+COPY --from=build /usr/local/apache2/modules/mod_security2.so /usr/local/apache2/modules/mod_security2.so
+COPY --from=build /usr/local/apache2/ModSecurity-${MODSEC2_VERSION}/unicode.mapping /etc/modsecurity.d/unicode.mapping
 COPY --from=crs_release /opt/owasp-crs /opt/owasp-crs
 COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/
 COPY src/bin/* /usr/local/bin/
@@ -174,12 +180,13 @@ RUN set -eux; \
     apt-get clean; \
     rm -rf /var/lib/apt/lists/*
 
+RUN useradd --system httpd
+
 RUN set -eux; \
     mkdir -p /etc/modsecurity.d/; \
     mkdir -p /tmp/modsecurity/data; \
     mkdir -p /tmp/modsecurity/upload; \
     mkdir -p /tmp/modsecurity/tmp; \
-    chown -R $(awk '/^User/ { print $2;}' /usr/local/apache2/conf/httpd.conf) /tmp/modsecurity; \
     mkdir -p /var/log/apache2/; \
     ln -s /opt/owasp-crs /etc/modsecurity.d/; \
     sed -i -E 's|(Listen) [0-9]+|\1 ${PORT}|' /usr/local/apache2/conf/httpd.conf; \
@@ -205,8 +212,14 @@ RUN set -eux; \
     echo 'Include conf/extra/httpd-locations.conf' >> /usr/local/apache2/conf/httpd.conf; \
     echo 'Include conf/extra/httpd-modsecurity.conf' >> /usr/local/apache2/conf/httpd.conf; \
     sed -i -E 's|(MaxRequestWorkers[ ]*)[0-9]*|\1${WORKER_CONNECTIONS}|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
-    chgrp -R 0 /var/log/ /usr/local/apache2/; \
-    chmod -R g=u /var/log/ /usr/local/apache2/
+    chown -R httpd:httpd \
+        /var/log/ \
+        /usr/local/apache2/ \
+        /etc/modsecurity.d \
+        /tmp/modsecurity \
+        /opt/owasp-crs
+
+USER httpd
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
 

diff --git a/apache/Dockerfile-alpine b/apache/Dockerfile-alpine
@@ -1,6 +1,6 @@
 ARG HTTPD_VERSION="n/a"
 
-FROM httpd:${HTTPD_VERSION}-alpine as build
+FROM httpd:${HTTPD_VERSION}-alpine AS build
 
 ARG MODSEC2_VERSION="n/a"
 ARG LUA_VERSION="n/a"
@@ -46,7 +46,7 @@ RUN set -eux; \
     make install; \
     make clean
 
-FROM httpd:${HTTPD_VERSION}-alpine as crs_release
+FROM httpd:${HTTPD_VERSION}-alpine AS crs_release
 
 ARG CRS_RELEASE
 
@@ -80,20 +80,24 @@ ENV \
     APACHE_ERRORLOG_FORMAT='"[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"' \
     APACHE_LOGFORMAT='"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""' \
     APACHE_METRICS_LOGFORMAT='"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""' \
-    BACKEND=http://localhost:80 \
-    BACKEND_WS=ws://localhost:8080 \
+    BACKEND=http://localhost:8080 \
+    BACKEND_WS=ws://localhost:8081 \
     ERRORLOG='/proc/self/fd/2' \
     H2_PROTOCOLS='h2 http/1.1' \
     LOGLEVEL=warn \
     METRICS_ALLOW_FROM='127.0.0.0/255.0.0.0 ::1/128' \
     METRICS_DENY_FROM='All' \
     METRICSLOG='/dev/null' \
+    MODSEC_ARGUMENT_SEPARATOR="&" \
+    MODSEC_ARGUMENTS_LIMIT=1000 \
     MODSEC_AUDIT_ENGINE="RelevantOnly" \
     MODSEC_AUDIT_LOG=/dev/stdout \
     MODSEC_AUDIT_LOG_FORMAT=JSON \
     MODSEC_AUDIT_LOG_PARTS='ABIJDEFHZ' \
+    MODSEC_AUDIT_LOG_RELEVANT_STATUS="^(?:5|4(?!04))" \
     MODSEC_AUDIT_LOG_TYPE=Serial \
-    MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \
+    MODSEC_COOKIE_FORMAT=0 \
+    MODSEC_AUDIT_STORAGE_DIR=/var/log/modsecurity/audit/ \
     MODSEC_DATA_DIR=/tmp/modsecurity/data \
     MODSEC_DEBUG_LOG=/dev/null \
     MODSEC_DEBUG_LOGLEVEL=0 \
@@ -117,9 +121,12 @@ ENV \
     MODSEC_TAG=modsecurity \
     MODSEC_TMP_DIR=/tmp/modsecurity/tmp \
     MODSEC_TMP_SAVE_UPLOADED_FILES="on" \
+    MODSEC_UNICODE_MAPPING=20127 \
     MODSEC_UPLOAD_DIR=/tmp/modsecurity/upload \
+    MODSEC_UPLOAD_FILE_MODE=0600 \
+    MODSEC_UPLOAD_KEEP_FILES=RelevantOnly \
     MUTEX='default' \
-    PORT=80 \
+    PORT=8080 \
     PROXY_ERROR_OVERRIDE=on \
     PROXY_PRESERVE_HOST=on \
     PROXY_SSL_CA_CERT=/etc/ssl/certs/ca-certificates.crt \
@@ -143,7 +150,7 @@ ENV \
     SSL_ENGINE=on \
     SSL_HONOR_CIPHER_ORDER=off \
     SSL_OCSP_STAPLING=On \
-    SSL_PORT=443 \
+    SSL_PORT=8443 \
     SSL_PROTOCOLS="all -SSLv3 -TLSv1 -TLSv1.1" \
     SSL_SESSION_TICKETS=off \
     TIMEOUT=60 \
@@ -154,16 +161,17 @@ ENV \
     ANOMALY_OUTBOUND=4 \
     BLOCKING_PARANOIA=1
 
-COPY --from=build /usr/local/apache2/modules/mod_security2.so                  /usr/local/apache2/modules/mod_security2.so
-COPY --from=build /usr/local/apache2/ModSecurity-${MODSEC2_VERSION}/modsecurity.conf-recommended  /etc/modsecurity.d/modsecurity.conf
-COPY --from=build /usr/local/apache2/ModSecurity-${MODSEC2_VERSION}/unicode.mapping               /etc/modsecurity.d/unicode.mapping
+COPY --from=build /usr/local/apache2/modules/mod_security2.so /usr/local/apache2/modules/mod_security2.so
+COPY --from=build /usr/local/apache2/ModSecurity-${MODSEC2_VERSION}/unicode.mapping /etc/modsecurity.d/unicode.mapping
 COPY --from=crs_release /opt/owasp-crs /opt/owasp-crs
 COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/
 COPY src/bin/* /usr/local/bin/
 COPY src/opt/modsecurity/activate-*.sh /opt/modsecurity/
 COPY apache/conf/extra/*.conf /usr/local/apache2/conf/extra/
 COPY apache/docker-entrypoint.sh /
 
+RUN addgroup -S httpd && adduser -SH httpd httpd
+
 RUN set -eux; \
     apk add --no-cache \
         ca-certificates \
@@ -207,9 +215,14 @@ RUN set -eux; \
     mkdir -p /tmp/modsecurity/data; \
     mkdir -p /tmp/modsecurity/upload; \
     mkdir -p /tmp/modsecurity/tmp; \
-    chown -R $(awk '/^User/ { print $2;}' /usr/local/apache2/conf/httpd.conf) /tmp/modsecurity /var/log/apache2; \
-    chgrp -R 0 /var/log/ /usr/local/apache2/; \
-    chmod -R g=u /var/log/ /usr/local/apache2/
+    chown -R httpd:httpd \
+        /var/log/ \
+        /usr/local/apache2/ \
+        /etc/modsecurity.d \
+        /tmp/modsecurity \
+        /opt/owasp-crs
+
+USER httpd
 
 HEALTHCHECK CMD /usr/local/bin/healthcheck
 

diff --git a/apache/docker-entrypoint.sh b/apache/docker-entrypoint.sh
@@ -1,6 +1,7 @@
 #!/bin/sh -e
 
 /usr/local/bin/generate-certificate /usr/local/apache2
+/usr/local/bin/check-low-port
 
 . /opt/modsecurity/activate-plugins.sh
 . /opt/modsecurity/activate-rules.sh

diff --git a/docker-bake.hcl b/docker-bake.hcl
@@ -1,32 +1,43 @@
 # docker-bake.hcl
 variable "modsec3-version" {
+    # renovate: depName=ModSecurity3 packageName=owasp-modsecurity/ModSecurity datasource=github-releases
     default = "3.0.12"
 }
 
 variable "modsec2-version" {
+    # renovate: depName=ModSecurity2 packageName=owasp-modsecurity/ModSecurity datasource=github-releases
     default = "2.9.7"
 }
 
 variable "crs-version" {
-    default = "4.0.0"
+    # renovate: depName=coreruleset/coreruleset datasource=github-releases
+    default = "4.4.0"
 }
 
 variable "nginx-version" {
-    default = "1.25.3"
+    # renovate: depName=nginxinc/nginx-unprivileged datasource=docker
+    default = "1.27.0"
 }
 
 variable "httpd-version" {
-    default = "2.4.58"
+    # renovate: depName=httpd datasource=docker
+    default = "2.4.62"
 }
 
 variable "openresty-version" {
+    # renovate: depName=openresty/openresty datasource=docker
     default = "1.25.3.1"
 }
 
 variable "lua-version" {
     default = "5.3"
 }
 
+variable "lmdb-version" {
+    default = "0.9.29"
+}
+
+
 variable "lua-modules-alpine" {
   default = [
     "lua-lzlib",
@@ -49,10 +60,6 @@ variable "lua-modules-luarocks" {
   ]
 }
 
-variable "lmdb-version" {
-    default = "0.9.29"
-}
-
 variable "REPOS" {
     # List of repositories to tag
     default = [
@@ -172,7 +179,7 @@ target "openresty-alpine-fat" {
     dockerfile="openresty/Dockerfile-alpine"
     args = {
         OPENRESTY_VERSION = "${openresty-version}"
-        NGINX_VERSION = "${nginx-version}"
+        NGINX_VERSION = patch(openresty-version)
         LUA_MODULES = join(" ", lua-modules-luarocks)
     }
     tags = concat(tag("openresty-alpine-fat"),

diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -50,7 +50,8 @@ x-defaults: &default-settings
     # ALLOWED_REQUEST_CONTENT_TYPE_CHARSET: 'utf-8|iso-8859-1|iso-8859-15|windows-1252'
     # ALLOWED_HTTP_VERSIONS: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
     # RESTRICTED_EXTENSIONS: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
-    # RESTRICTED_HEADERS: /accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/
+    # RESTRICTED_HEADERS_BASIC: /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/
+    # RESTRICTED_HEADERS_EXTENDED: /accept-charset/
     # STATIC_EXTENSIONS: /.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/
 
     #######################################################
@@ -82,9 +83,9 @@ services:
   crs-apache:
     image: owasp/modsecurity-crs:apache
     ports:
-      - "80:80"
+      - "80:8080"
       # only available if SETTLS was enabled:      
-      - "443:443"
+      - "443:8443"
     <<: *default-settings
 
   crs-nginx:
@@ -93,4 +94,4 @@ services:
       - "80:8080"
       # only available if SETTLS was enabled:
       - "443:8443"
-    <<: *default-settings
+    <<: *default-settings