From f27602dce31e2261c4ad103cd1c1f8e5f286fc72 Mon Sep 17 00:00:00 2001 From: Xiangsong Zeng Date: Fri, 22 Nov 2024 20:05:58 +0800 Subject: [PATCH] Add more modules (#4) * add module ModSecurity-nginx * add module naxsi * add module iconv-nginx-module * add module nginx-otel * add module ngx_devel_kit * add module replace-filter-nginx-module --- .github/workflows/ci.yml | 5 +- .gitmodules | 21 +++++++++ Dockerfile | 71 +++++++++++++++++++++-------- modules/ModSecurity-nginx | 1 + modules/iconv-nginx-module | 1 + modules/naxsi | 1 + modules/nginx-otel | 1 + modules/ngx_devel_kit | 1 + modules/replace-filter-nginx-module | 1 + third-deps/sregex | 1 + 10 files changed, 82 insertions(+), 22 deletions(-) create mode 160000 modules/ModSecurity-nginx create mode 160000 modules/iconv-nginx-module create mode 160000 modules/naxsi create mode 160000 modules/nginx-otel create mode 160000 modules/ngx_devel_kit create mode 160000 modules/replace-filter-nginx-module create mode 160000 third-deps/sregex diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 089ca90..bf12a95 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,7 +13,7 @@ jobs: NGINX_VERSION: 1.27.2 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 with: submodules: recursive @@ -45,7 +45,8 @@ jobs: context: . push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} tags: ${{ env.PUSH_TAGS }} - platforms: linux/amd64,linux/arm64 + # Only build multi-platform images on push to Docker Hub for reducing build time + platforms: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && 'linux/amd64,linux/arm64' || 'linux/amd64' }} cache-from: type=gha cache-to: type=gha,mode=max build-args: | diff --git a/.gitmodules b/.gitmodules index 418f483..5717724 100644 --- a/.gitmodules +++ b/.gitmodules 
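Review bot: With the new `platforms` expression the `linux/arm64` leg is built only on a push to `main`, so a pull request no longer exercises arm64 at all. This same commit adds several architecture-sensitive build and runtime packages in the Dockerfile, so an arm64-only failure would first appear after merge, on the job that publishes the image. Consider a scheduled or manually triggered run that builds both platforms without pushing, or at least extend the comment on this line, e.g. `# arm64 is not built on pull requests; failures surface only on main`.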
@@ -28,3 +28,24 @@ [submodule "modules/njs-acme"] path = modules/njs-acme url = https://github.com/nginx/njs-acme.git +[submodule "modules/iconv-nginx-module"] + path = modules/iconv-nginx-module + url = https://github.com/calio/iconv-nginx-module.git +[submodule "modules/ngx_devel_kit"] + path = modules/ngx_devel_kit + url = https://github.com/vision5/ngx_devel_kit.git +[submodule "modules/replace-filter-nginx-module"] + path = modules/replace-filter-nginx-module + url = https://github.com/openresty/replace-filter-nginx-module.git +[submodule "third-deps/sregex"] + path = third-deps/sregex + url = https://github.com/openresty/sregex.git +[submodule "modules/ModSecurity-nginx"] + path = modules/ModSecurity-nginx + url = https://github.com/owasp-modsecurity/ModSecurity-nginx.git +[submodule "modules/naxsi"] + path = modules/naxsi + url = https://github.com/wargio/naxsi.git +[submodule "modules/nginx-otel"] + path = modules/nginx-otel + url = https://github.com/nginxinc/nginx-otel.git diff --git a/Dockerfile b/Dockerfile index 64dac29..9408ebc 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,14 +11,22 @@ RUN set -ex \ && apt-get install -y --no-install-recommends \ build-essential \ git \ + cmake \ + bison \ automake \ autoconf \ libtool \ + patchelf \ ca-certificates \ curl \ libssl-dev \ libpcre3-dev \ - zlib1g-dev + zlib1g-dev \ + libmodsecurity-dev \ + libgrpc-dev \ + libgrpc++-dev \ + libprotobuf-dev \ + protobuf-compiler-grpc # install build dependencies for additional dynamic modules RUN set -ex \ 
@@ -29,18 +37,28 @@ RUN set -ex \ libmaxminddb-dev \ libxslt1-dev -# copy dynamic modules source code +# copy nginx source code, modules, and third-party dependencies COPY ./nginx /usr/src/nginx -COPY ./modules/njs /usr/src/njs -COPY ./modules/ngx_brotli /usr/src/ngx_brotli -COPY ./modules/nginx-module-vts /usr/src/nginx-module-vts -COPY ./modules/ngx_http_geoip2_module \ - /usr/src/ngx_http_geoip2_module -COPY ./modules/ngx-fancyindex /usr/src/ngx-fancyindex -COPY ./modules/ngx_http_substitutions_filter_module \ - /usr/src/ngx_http_substitutions_filter_module -COPY ./modules/headers-more-nginx-module \ - /usr/src/headers-more-nginx-module +COPY ./modules /usr/src/modules +COPY ./third-deps /usr/src/third-deps + +# build third-party dependencies +RUN set -ex \ +# sregex, required by replace-filter-nginx-module + && cd /usr/src/third-deps/sregex \ + && make install PREFIX=/opt/sregex + +ENV SREGEX_INC=/opt/sregex/include +ENV SREGEX_LIB=/opt/sregex/lib +ENV NGX_OTEL_CMAKE_OPTS="-D NGX_OTEL_GRPC=package" + +# patch all .so file soname use absolute path +RUN set -ex \ + && find /opt -name 'lib*.so*' -exec patchelf --set-soname {} {} \; + +# patch nginx-otel CMakeLists.txt find_package(protobuf) to find_package(Protobuf) +RUN set -ex \ + && sed -i 's/find_package(protobuf REQUIRED)/find_package(Protobuf REQUIRED)/' /usr/src/modules/nginx-otel/CMakeLists.txt RUN set -ex \ && cd /usr/src/nginx \ 
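Review bot: The `find /opt -name 'lib*.so*'` in the soname step has no `-type f`, so if sregex's `make install` creates the usual versioned symlinks, `patchelf --set-soname {} {}` is run once per name against the same library and the soname that sticks depends on traversal order. Restricting it to real files makes the result deterministic: `find /opt -type f -name 'lib*.so*' -exec patchelf --set-soname {} {} \;`. The `sed -i` on `nginx-otel/CMakeLists.txt` also exits 0 when the pattern no longer matches, so a later submodule bump could silently skip the patch. Following it with `&& grep -q 'find_package(Protobuf REQUIRED)' /usr/src/modules/nginx-otel/CMakeLists.txt` would fail the build instead.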
@@ -52,14 +70,20 @@ RUN set -ex \ --with-http_image_filter_module=dynamic \ --with-http_geoip_module=dynamic \ --with-stream_geoip_module=dynamic \ - --add-dynamic-module=/usr/src/njs/nginx \ + --add-dynamic-module=/usr/src/modules/njs/nginx \ # third-party dynamic modules - --add-dynamic-module=/usr/src/ngx_brotli \ - --add-dynamic-module=/usr/src/nginx-module-vts \ - --add-dynamic-module=/usr/src/ngx_http_geoip2_module \ - --add-dynamic-module=/usr/src/ngx-fancyindex \ - --add-dynamic-module=/usr/src/ngx_http_substitutions_filter_module \ - --add-dynamic-module=/usr/src/headers-more-nginx-module \ + --add-dynamic-module=/usr/src/modules/ngx_brotli \ + --add-dynamic-module=/usr/src/modules/nginx-module-vts \ + --add-dynamic-module=/usr/src/modules/ngx_http_geoip2_module \ + --add-dynamic-module=/usr/src/modules/ngx-fancyindex \ + --add-dynamic-module=/usr/src/modules/ngx_http_substitutions_filter_module \ + --add-dynamic-module=/usr/src/modules/replace-filter-nginx-module \ + --add-dynamic-module=/usr/src/modules/headers-more-nginx-module \ + --add-dynamic-module=/usr/src/modules/ngx_devel_kit \ + --add-dynamic-module=/usr/src/modules/iconv-nginx-module \ + --add-dynamic-module=/usr/src/modules/ModSecurity-nginx \ + --add-dynamic-module=/usr/src/modules/naxsi/naxsi_src \ + --add-dynamic-module=/usr/src/modules/nginx-otel \ | bash -x \ # build modules && make modules -j$(nproc) \ @@ -70,7 +94,7 @@ RUN set -ex \ # build njs command-line utility RUN set -ex \ - && cd /usr/src/njs \ + && cd /usr/src/modules/njs \ && ./configure \ && make njs -j$(nproc) \ && cp ./build/njs /usr/bin/njs \ 
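Review bot: The `--add-dynamic-module` lines for `ModSecurity-nginx` and `naxsi/naxsi_src` only produce `.so` files, and nothing in the visible diff loads or configures them, so as far as this patch shows the image ships two WAF engines that inspect no traffic by default. A comment beside these lines would keep users from assuming protection is on, for example `# WAF modules are built only; enable with load_module plus their own rule directives in nginx.conf`. The same comment could record that `ngx_devel_kit` has to stay ahead of `iconv-nginx-module` in this list, since the iconv module builds against NDK. The `RUN` instruction these lines belong to starts and ends outside this hunk.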
@@ -104,7 +128,9 @@ RUN rm -rf /usr/lib/nginx/modules # copy build artifacts from builder stage COPY --from=builder /usr/lib/nginx/modules /usr/lib/nginx/modules +COPY --from=builder /opt/sregex/lib /opt/sregex/lib COPY --from=builder /usr/bin/njs /usr/bin/njs +COPY --from=builder usr/src/modules/naxsi/naxsi_rules /etc/nginx/naxsi COPY --from=builder /usr/share/GeoIP /usr/share/GeoIP COPY --from=njs-acme-builder /app/dist/acme.js /usr/lib/nginx/njs_modules/acme.js @@ -118,4 +144,9 @@ RUN set -ex \ libxslt1.1 \ libmaxminddb0 \ libzstd1 \ + libgrpc29 \ + libgrpc++1.51 \ + libprotobuf32 \ + libmodsecurity3 \ + modsecurity-crs \ && rm -rf /var/lib/apt/lists/* diff --git a/modules/ModSecurity-nginx b/modules/ModSecurity-nginx new file mode 160000 index 0000000..ef64996 --- /dev/null +++ b/modules/ModSecurity-nginx @@ -0,0 +1 @@ +Subproject commit ef64996aedd4bb5fa1831631361244813d48b82f diff --git a/modules/iconv-nginx-module b/modules/iconv-nginx-module new file mode 160000 index 0000000..9d5d79d --- /dev/null +++ b/modules/iconv-nginx-module @@ -0,0 +1 @@ +Subproject commit 9d5d79d9de2d4630ac8f328270aa8cc8ff2c0c66 diff --git a/modules/naxsi b/modules/naxsi new file mode 160000 index 0000000..a0c7694 --- /dev/null +++ b/modules/naxsi @@ -0,0 +1 @@ +Subproject commit a0c7694b09bc0b5cd9d66d95ccc955d08b776b12 diff --git a/modules/nginx-otel b/modules/nginx-otel new file mode 160000 index 0000000..6c1659a --- /dev/null +++ b/modules/nginx-otel @@ -0,0 +1 @@ +Subproject commit 6c1659a20ba946cdde21e9dbc52e7c740b06d968 diff --git a/modules/ngx_devel_kit b/modules/ngx_devel_kit new file mode 160000 index 0000000..91e30eb --- /dev/null +++ b/modules/ngx_devel_kit @@ -0,0 +1 @@ +Subproject commit 91e30eb05085e7f9762f130cbb883a0e753cf74d diff --git a/modules/replace-filter-nginx-module b/modules/replace-filter-nginx-module new file mode 160000 index 0000000..0b432c6 --- /dev/null +++ b/modules/replace-filter-nginx-module 
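Review bot: The source path in `COPY --from=builder usr/src/modules/naxsi/naxsi_rules /etc/nginx/naxsi` lacks the leading slash that every neighbouring `COPY --from=builder` line has. It should still resolve from the stage root, but it reads as a typo and is easy to break in a later edit; write `COPY --from=builder /usr/src/modules/naxsi/naxsi_rules /etc/nginx/naxsi`. The added `/opt/sregex/lib` copy sits outside the default linker search path and presumably works only because of the absolute soname set in the builder stage, which deserves a comment such as `# sregex is resolved via the absolute soname patched in the builder stage`.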
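Review bot: `libgrpc29`, `libgrpc++1.51` and `libprotobuf32` are soname-versioned package names tied to one distribution release, while the builder stage installs the unversioned `-dev` packages. If the base images of the two stages (not visible in this hunk) ever move to different releases, this `apt-get install` fails, or the otel module runs against a different ABI than it was linked with. A comment tying the two together would help, e.g. `# runtime library package names must match the builder stage's distro release; update together`. `modsecurity-crs` from the distribution archive may also lag the upstream Core Rule Set, which is worth stating wherever the image documents its WAF support.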
@@ -0,0 +1 @@
+Subproject commit 0b432c649d2dc27ca7cf122ed06ff24fd9d7b3cf
diff --git a/third-deps/sregex b/third-deps/sregex
new file mode 160000
index 0000000..c275d22
--- /dev/null
+++ b/third-deps/sregex
@@ -0,0 +1 @@
+Subproject commit c275d2291f5b7f1b3dea6b2c1f7818791360cca8