forked from nginxinc/docker-nginx
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1 from uc-cdis/chore/modsecurity
Chore/modsecurity
Showing 28 changed files with 544 additions and 1,389 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,67 @@ | ||
FROM ubuntu:18.04 | ||
|
||
# | ||
# point at nginx apt package repo, and install nginx, | ||
# pre-package modules, and build dependencies | ||
# https://nginx.org/en/linux_packages.html#Ubuntu | ||
# | ||
RUN apt-get update && \ | ||
apt -y install curl gnupg2 ca-certificates lsb-release git less && \ | ||
echo "deb http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \ | ||
| tee /etc/apt/sources.list.d/nginx.list && \ | ||
echo "deb http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" \ | ||
| tee /etc/apt/sources.list.d/nginx.list && \ | ||
curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -&& \ | ||
apt-key fingerprint ABF5BD827BD9BF62 && \ | ||
apt update && \ | ||
apt install nginx nginx-module-njs nginx-module-perl -y && \ | ||
apt-get install -y dnsutils git wget build-essential libpcre3 libpcre3-dev libssl-dev libtool autoconf apache2-dev libxml2-dev libcurl4-openssl-dev automake pkgconf vim && \ | ||
apt clean && \ | ||
ln -sf /dev/stdout /var/log/nginx/access.log && \ | ||
ln -sf /dev/stderr /var/log/nginx/error.log | ||
|
||
# | ||
# Put compiled module source under /usr/src | ||
# | ||
WORKDIR /usr/src | ||
|
||
# | ||
# build libmodsecurity | ||
# https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/ | ||
# | ||
RUN git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity /usr/src/modsecurity && \ | ||
cd /usr/src/modsecurity && \ | ||
git submodule init && \ | ||
git submodule update && \ | ||
./build.sh && \ | ||
./configure && \ | ||
make && \ | ||
make install | ||
|
||
# | ||
# download nginx headers-more module: | ||
# https://github.com/openresty/headers-more-nginx-module | ||
# | ||
# download the modsecurity nginx connector | ||
# https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/# https://drive.google.com/drive/u/1/folders/1ky_9gL_stSEHupRty6EjFBefRPW4qJGj | ||
# | ||
# | ||
RUN wget https://github.com/openresty/headers-more-nginx-module/archive/v0.33.tar.gz && \ | ||
tar xvzf v0.33.tar.gz && \ | ||
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git | ||
|
||
# | ||
# download nginx source, and build the nginx modules | ||
# https://www.nginx.com/blog/compiling-dynamic-modules-nginx-plus/ | ||
# | ||
RUN nginver=$(nginx -v 2>&1 | awk -F / '{ print $2 }') && \ | ||
wget http://nginx.org/download/nginx-${nginver}.tar.gz && \ | ||
tar zxvf nginx-${nginver}.tar.gz && \ | ||
cd nginx-$nginver && \ | ||
./configure --with-compat --add-dynamic-module=../ModSecurity-nginx --add-dynamic-module=../headers-more-nginx-module-0.33 && \ | ||
make modules && \ | ||
cp objs/*.so /etc/nginx/modules | ||
|
||
EXPOSE 80 | ||
STOPSIGNAL SIGTERM | ||
CMD nginx -g 'daemon off;' |
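
Review bot: the last RUN fetches the nginx source with `wget http://nginx.org/download/nginx-${nginver}.tar.gz` over plain HTTP and unpacks it with no checksum or signature check, so whatever arrives on the wire is compiled into the `.so` files copied to /etc/nginx/modules. Fetch it over https and verify it against a pinned checksum or the published signature before `tar zxvf`. The other sources have the same gap: `git clone --depth 1 -b v3/master` for ModSecurity and the ModSecurity-nginx clone both track a moving branch head rather than a tag or commit, and `v0.33.tar.gz` is unpacked without a checksum, so two builds of this Dockerfile can produce different WAF code. Separately, in the first RUN both `echo ... | tee /etc/apt/sources.list.d/nginx.list` calls write the same file without `-a`, so the mainline entry replaces the stable one; if only mainline is wanted, drop the first echo, otherwise append.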
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
#!groovy | ||
|
||
@Library('cdis-jenkins-lib@master') _ | ||
|
||
testPipeline { | ||
quayRegistry = "nginx" | ||
} |
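
Review bot: `@Library('cdis-jenkins-lib@master')` loads the shared pipeline library from a branch, so the code that builds and pushes this image can change without any commit in this repository. Pin the library to a tag or commit and bump it deliberately, so a build of a given revision is reproducible and a change to the library is reviewed before it runs here.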
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,12 +1,51 @@ | ||
# About this Repo | ||
# TL;DR | ||
|
||
This is the Git repo of the official Docker image for [nginx](https://registry.hub.docker.com/_/nginx/). See the | ||
Hub page for the full readme on how to use the Docker image and for information | ||
regarding contributing and issues. | ||
Custom nginx build with modsecurity | ||
|
||
The full readme is generated over in [docker-library/docs](https://github.com/docker-library/docs), | ||
specificially in [docker-library/docs/nginx](https://github.com/docker-library/docs/tree/master/nginx). | ||
## Overview | ||
|
||
## CTDS Additions | ||
Why do we build our own nginx rather than just use a stock image? | ||
We need the following nginx modules in an open source nginx build: | ||
|
||
Add more_headers module to mainline/alpine-perl | ||
* perl | ||
* more-headers | ||
* modsecurity | ||
|
||
## Resources | ||
|
||
* modsecurity e-book on our shared Google drive: https://drive.google.com/drive/u/1/folders/1ky_9gL_stSEHupRty6EjFBefRPW4qJGj | ||
* modsecurity directives: https://github.com/SpiderLabs/ModSecurity-nginx | ||
* https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/ | ||
* example Docker with static module: https://github.com/theonemule/docker-waf/blob/master/waf/Dockerfile | ||
* https://nginx.org/en/linux_packages.html#mainline | ||
* building dynamic modules: https://www.nginx.com/blog/compiling-dynamic-modules-nginx-plus/?_ga=2.124028234.1768100344.1574456112-1181068452.1536598294 | ||
|
||
``` | ||
The njs dynamic modules for nginx have been installed. | ||
To enable these modules, add the following to /etc/nginx/nginx.conf | ||
and reload nginx: | ||
load_module modules/ngx_http_js_module.so; | ||
load_module modules/ngx_stream_js_module.so; | ||
Please refer to the modules documentation for further details: | ||
http://nginx.org/en/docs/njs/ | ||
http://nginx.org/en/docs/http/ngx_http_js_module.html | ||
http://nginx.org/en/docs/stream/ngx_stream_js_module.html | ||
---------------------------------------------------------------------- | ||
Processing triggers for man-db (2.8.3-2ubuntu0.1) ... | ||
Setting up nginx-module-perl (1.17.6-1~bionic) ... | ||
---------------------------------------------------------------------- | ||
The Perl dynamic module for nginx has been installed. | ||
To enable this module, add the following to /etc/nginx/nginx.conf | ||
and reload nginx: | ||
load_module modules/ngx_http_perl_module.so; | ||
Please refer to the module documentation for further details: | ||
http://nginx.org/en/docs/http/ngx_http_perl_module.html | ||
---------------------------------------------------------------------- | ||
``` |
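
Review bot: the README lists perl, more-headers and modsecurity as the reason for the custom build, but the only enablement instructions are the pasted apt output at the end, which covers the njs and perl `load_module` lines and nothing for the two modules this Dockerfile compiles itself. Add a short section stating which `load_module` lines and modsecurity directives a consumer must put in nginx.conf, and that the modules are not active until that is done, otherwise someone can deploy this image assuming the WAF is on when it is not loaded. The pasted package output should either get a sentence of context or be dropped. Two smaller points in the Resources list: the Google Drive link is only usable by people with access to that shared drive, and the last URL carries a `?_ga=...` tracking query that can be trimmed.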
This file was deleted.