Merge pull request #1 from uc-cdis/chore/modsecurity

Chore/modsecurity

Dockerfile

@@ -0,0 +1,67 @@
+FROM ubuntu:18.04
+
+#
+# point at nginx apt package repo, and install nginx,
+# pre-package modules, and build dependencies
+# https://nginx.org/en/linux_packages.html#Ubuntu
+#
+RUN apt-get update && \
+    apt -y install curl gnupg2 ca-certificates lsb-release git less && \
+    echo "deb http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \
+    | tee /etc/apt/sources.list.d/nginx.list && \
+    echo "deb http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" \
+    | tee /etc/apt/sources.list.d/nginx.list && \
+    curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -&& \
+    apt-key fingerprint ABF5BD827BD9BF62 && \
+    apt update && \
+    apt install nginx nginx-module-njs nginx-module-perl -y && \
+    apt-get install -y dnsutils git wget build-essential libpcre3 libpcre3-dev libssl-dev libtool autoconf apache2-dev libxml2-dev libcurl4-openssl-dev automake pkgconf vim && \
+    apt clean && \
+    ln -sf /dev/stdout /var/log/nginx/access.log && \
+	  ln -sf /dev/stderr /var/log/nginx/error.log
+
+#
+# Put compiled module source under /usr/src
+#
+WORKDIR /usr/src
+
+#
+# build libmodsecurity
+#    https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/
+#
+RUN git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity /usr/src/modsecurity && \
+	cd /usr/src/modsecurity && \
+  git submodule init && \
+  git submodule update && \
+	./build.sh && \
+	./configure && \
+	make && \
+  make install
+
+#
+# download nginx headers-more module:
+#    https://github.com/openresty/headers-more-nginx-module
+#
+# download the modsecurity nginx connector
+#   https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/#    https://drive.google.com/drive/u/1/folders/1ky_9gL_stSEHupRty6EjFBefRPW4qJGj
+#
+# 
+RUN wget https://github.com/openresty/headers-more-nginx-module/archive/v0.33.tar.gz && \
+	tar xvzf v0.33.tar.gz && \
+  git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
+
+#
+# download nginx source, and build the nginx modules
+#   https://www.nginx.com/blog/compiling-dynamic-modules-nginx-plus/
+#
+RUN nginver=$(nginx -v 2>&1 | awk -F / '{ print $2 }') && \
+    wget http://nginx.org/download/nginx-${nginver}.tar.gz && \
+    tar zxvf nginx-${nginver}.tar.gz && \
+    cd nginx-$nginver && \
+    ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx --add-dynamic-module=../headers-more-nginx-module-0.33 && \
+    make modules && \
+    cp objs/*.so /etc/nginx/modules
+
+EXPOSE 80
+STOPSIGNAL SIGTERM
+CMD nginx -g 'daemon off;'

Jenkinsfile

@@ -0,0 +1,7 @@
+#!groovy
+
+@Library('cdis-jenkins-lib@master') _
+
+testPipeline {
+  quayRegistry = "nginx"
+}

README.md

@@ -1,12 +1,51 @@
-# About this Repo
+# TL;DR
 
-This is the Git repo of the official Docker image for [nginx](https://registry.hub.docker.com/_/nginx/). See the
-Hub page for the full readme on how to use the Docker image and for information
-regarding contributing and issues.
+Custom nginx build with modsecurity
 
-The full readme is generated over in [docker-library/docs](https://github.com/docker-library/docs),
-specificially in [docker-library/docs/nginx](https://github.com/docker-library/docs/tree/master/nginx).
+## Overview
 
-## CTDS Additions
+Why do we build our own nginx rather than just use a stock image?
+We need the following nginx modules in an open source nginx build:
 
-Add more_headers module to mainline/alpine-perl
+* perl
+* more-headers
+* modsecurity
+
+## Resources
+
+* modsecurity e-book on our shared Google drive: https://drive.google.com/drive/u/1/folders/1ky_9gL_stSEHupRty6EjFBefRPW4qJGj
+* modsecurity directives: https://github.com/SpiderLabs/ModSecurity-nginx
+* https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/
+* example Docker with static module: https://github.com/theonemule/docker-waf/blob/master/waf/Dockerfile
+* https://nginx.org/en/linux_packages.html#mainline
+* building dynamic modules: https://www.nginx.com/blog/compiling-dynamic-modules-nginx-plus/?_ga=2.124028234.1768100344.1574456112-1181068452.1536598294
+
+```
+The njs dynamic modules for nginx have been installed.
+To enable these modules, add the following to /etc/nginx/nginx.conf
+and reload nginx:
+
+    load_module modules/ngx_http_js_module.so;
+    load_module modules/ngx_stream_js_module.so;
+
+Please refer to the modules documentation for further details:
+http://nginx.org/en/docs/njs/
+http://nginx.org/en/docs/http/ngx_http_js_module.html
+http://nginx.org/en/docs/stream/ngx_stream_js_module.html
+
+----------------------------------------------------------------------
+Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
+Setting up nginx-module-perl (1.17.6-1~bionic) ...
+----------------------------------------------------------------------
+
+The Perl dynamic module for nginx has been installed.
+To enable this module, add the following to /etc/nginx/nginx.conf
+and reload nginx:
+
+    load_module modules/ngx_http_perl_module.so;
+
+Please refer to the module documentation for further details:
+http://nginx.org/en/docs/http/ngx_http_perl_module.html
+
+----------------------------------------------------------------------
+```