├── nginx ├── conf.d │ └── default.conf └── nginx.conf ├── LICENSE ├── README.md └── Dockerfile /nginx/conf.d/default.conf: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80 default_server; 3 | server_name _; 4 | 5 | ## Enable ModSecurity 6 | modsecurity on; 7 | modsecurity_rules_file /etc/nginx/modsecurity.d/include.conf; 8 | 9 | location /status { 10 | stub_status; 11 | } 12 | 13 | location ~ /\.ht { 14 | deny all; 15 | } 16 | 17 | location ~ /\.git { 18 | deny all; 19 | } 20 | } -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 Krishna Modi 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | [![Docker Automated build](https://img.shields.io/docker/automated/krish512/modsecurity.svg?style=for-the-badge)](https://hub.docker.com/r/krish512/modsecurity/) 2 | [![Docker Build Status](https://img.shields.io/docker/build/krish512/modsecurity.svg?style=for-the-badge)](https://hub.docker.com/r/krish512/modsecurity/) 3 | [![Docker Pulls](https://img.shields.io/docker/pulls/krish512/modsecurity.svg?style=for-the-badge)](https://hub.docker.com/r/krish512/modsecurity/) 4 | [![MicroBadger Size](https://img.shields.io/microbadger/image-size/krish512/modsecurity.svg?style=for-the-badge)](https://hub.docker.com/r/krish512/modsecurity/) 5 | 6 | # README # 7 | 8 | Nginx with Brotli compression, ModSecurity and OWASP ModSecurity Core Rule Set (CRS) v3.0.2 9 | 10 | ### What is this repository for? ### 11 | 12 | * Quick summary: 13 | Nginx docker image with Brotli compression, ModSecurity and ModSecurity Core Rule Set v3.0.2 based on Ubuntu Bionic (18.04) 14 | 15 | * Version 0.1 16 | * [Repository Link](https://github.com/krish512/docker_nginx_modsecurity.git) 17 | 18 | 19 | ### How do I get set up? ### 20 | 21 | * Usage: `docker pull krish512/modsecurity` 22 | 23 | * Test: `curl http://127.0.0.1:80/status?something=../../etc` should give response as HTTP 403 24 | 25 | ### Who do I talk to? ### 26 | 27 | * Repo owner or admin: 28 | `Krishna Modi ` 29 | -------------------------------------------------------------------------------- /nginx/nginx.conf: -------------------------------------------------------------------------------- 1 | user www-data; 2 | worker_processes auto; 3 | error_log /var/log/nginx/error.log warn; 4 | pid /run/nginx.pid; 5 | 6 | events { 7 | worker_connections 1024; 8 | } 9 | 10 | http { 11 | include /etc/nginx/mime.types; 12 | default_type application/octet-stream; 13 | 14 | sendfile on; 15 | tcp_nopush on; 16 | tcp_nodelay on; 17 | server_tokens off; 18 | 19 | keepalive_timeout 65; 20 | 21 | limit_req_status 429; 22 | limit_conn_status 429; 23 | 24 | limit_req_zone $http_x_forwarded_for zone=req_limit_per_ip_per_sec:10m rate=20r/s; 25 | 26 | client_body_buffer_size 10K; 27 | client_header_buffer_size 1k; 28 | client_max_body_size 16m; 29 | large_client_header_buffers 2 1k; 30 | 31 | log_format main '$http_x_forwarded_for - $remote_user [$time_local] ' 32 | '"$request" $status $body_bytes_sent "$http_referer" ' 33 | '"$http_user_agent"' ; 34 | 35 | log_format json_combined escape=json 36 | '{' 37 | '"time_local":"$time_local",' 38 | '"remote_addr":"$http_x_forwarded_for",' 39 | '"remote_user":"$remote_user",' 40 | '"request":"$request",' 41 | '"status": "$status",' 42 | '"host": "$http_host",' 43 | '"body_bytes_sent":"$body_bytes_sent",' 44 | '"request_time":"$request_time",' 45 | '"http_referrer":"$http_referer",' 46 | '"http_user_agent":"$http_user_agent"' 47 | '}'; 48 | 49 | access_log /var/log/nginx/access.log main buffer=32k; 50 | error_log /var/log/nginx/error.log; 51 | 52 | gzip on; 53 | gzip_disable "msie6"; 54 | 55 | gzip_vary on; 56 | gzip_proxied any; 57 | gzip_comp_level 6; 58 | gzip_buffers 16 8k; 59 | gzip_http_version 1.1; 60 | gzip_min_length 2048; 61 | gzip_types text/plain text/css application/json application/x-javascript application/javascript text/xml application/xml application/xml+rss text/javascript; 62 | 63 | brotli on; 64 | brotli_comp_level 11; 65 | brotli_static on; 66 | brotli_types text/plain text/css application/json application/x-javascript application/javascript text/xml application/xml application/xml+rss text/javascript; 67 | 68 | include /etc/nginx/conf.d/*; 69 | } -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:18.04 as modsecurity-build 2 | LABEL maintainer="krish512 " 3 | 4 | # Install Prereqs 5 | ENV DEBIAN_FRONTEND noninteractive 6 | RUN apt-get update -qq && \ 7 | apt install -qq -y --no-install-recommends --no-install-suggests \ 8 | ca-certificates \ 9 | automake \ 10 | autoconf \ 11 | build-essential \ 12 | libcurl4-openssl-dev \ 13 | libpcre++-dev \ 14 | libtool \ 15 | libxml2-dev \ 16 | libyajl-dev \ 17 | lua5.2-dev \ 18 | git \ 19 | pkgconf \ 20 | ssdeep \ 21 | libgeoip-dev \ 22 | wget && \ 23 | apt-get clean && rm -rf /var/lib/apt/lists/* 24 | 25 | RUN cd /opt && \ 26 | git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity && \ 27 | cd ModSecurity && \ 28 | git submodule init && \ 29 | git submodule update && \ 30 | ./build.sh && \ 31 | ./configure && \ 32 | make && \ 33 | make install 34 | 35 | RUN strip /usr/local/modsecurity/bin/* /usr/local/modsecurity/lib/*.a /usr/local/modsecurity/lib/*.so* 36 | 37 | 38 | FROM ubuntu:18.04 AS nginx-build 39 | 40 | ENV DEBIAN_FRONTEND noninteractive 41 | ENV NGINX_VERSION 1.15.0 42 | 43 | RUN apt-get update -qq && \ 44 | apt install -qq -y --no-install-recommends --no-install-suggests \ 45 | ca-certificates \ 46 | autoconf \ 47 | automake \ 48 | build-essential \ 49 | libtool \ 50 | pkgconf \ 51 | wget \ 52 | git \ 53 | zlib1g-dev \ 54 | libssl-dev \ 55 | libpcre3-dev \ 56 | libxml2-dev \ 57 | libyajl-dev \ 58 | lua5.2-dev \ 59 | libgeoip-dev \ 60 | libcurl4-openssl-dev \ 61 | openssl 62 | 63 | RUN cd /opt && \ 64 | git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git 65 | 66 | RUN cd /opt && \ 67 | git clone --recursive https://github.com/google/ngx_brotli.git 68 | 69 | COPY --from=modsecurity-build /usr/local/modsecurity/ /usr/local/modsecurity/ 70 | 71 | RUN wget -q -P /opt https://nginx.org/download/nginx-"$NGINX_VERSION".tar.gz 72 | RUN tar xvzf /opt/nginx-"$NGINX_VERSION".tar.gz -C /opt 73 | 74 | RUN cd /opt/nginx-"$NGINX_VERSION" && \ 75 | ./configure \ 76 | --prefix=/usr/local/nginx \ 77 | --sbin-path=/usr/local/nginx/nginx \ 78 | --modules-path=/usr/local/nginx/modules \ 79 | --conf-path=/etc/nginx/nginx.conf \ 80 | --error-log-path=/var/log/nginx/error.log \ 81 | --http-log-path=/var/log/nginx/access.log \ 82 | --pid-path=/run/nginx.pid \ 83 | --lock-path=/var/lock/nginx.lock \ 84 | --user=www-data \ 85 | --group=www-data \ 86 | --with-pcre-jit \ 87 | --with-file-aio \ 88 | --with-threads \ 89 | --with-http_addition_module \ 90 | --with-http_auth_request_module \ 91 | --with-http_flv_module \ 92 | --with-http_gunzip_module \ 93 | --with-http_gzip_static_module \ 94 | --with-http_mp4_module \ 95 | --with-http_random_index_module \ 96 | --with-http_realip_module \ 97 | --with-http_slice_module \ 98 | --with-http_ssl_module \ 99 | --with-http_sub_module \ 100 | --with-http_stub_status_module \ 101 | --with-http_v2_module \ 102 | --with-http_secure_link_module \ 103 | --with-stream \ 104 | --with-stream_realip_module \ 105 | --add-module=/opt/ModSecurity-nginx \ 106 | --add-module=/opt/ngx_brotli \ 107 | --with-cc-opt='-g -O2 -specs=/usr/share/dpkg/no-pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' \ 108 | --with-ld-opt='-specs=/usr/share/dpkg/no-pie-link.specs -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' \ 109 | --with-http_dav_module 110 | 111 | RUN cd /opt/nginx-"$NGINX_VERSION" && \ 112 | make && \ 113 | make install && \ 114 | make modules 115 | 116 | RUN mkdir -p /var/log/nginx/ 117 | RUN touch /var/log/nginx/access.log 118 | RUN touch /var/log/nginx/error.log 119 | 120 | 121 | EXPOSE 80 122 | 123 | STOPSIGNAL SIGTERM 124 | 125 | CMD ["/usr/local/nginx/nginx", "-g", "daemon off;"] 126 | 127 | 128 | FROM ubuntu:18.04 129 | 130 | ENV DEBIAN_FRONTEND noninteractive 131 | 132 | # Libraries for ModSecurity 133 | RUN apt update && \ 134 | apt-get install --no-install-recommends --no-install-suggests -y \ 135 | ca-certificates \ 136 | libcurl4-openssl-dev \ 137 | libyajl-dev \ 138 | lua5.2-dev \ 139 | libgeoip-dev \ 140 | vim \ 141 | libxml2 142 | RUN apt clean && \ 143 | rm -rf /var/lib/apt/lists/* 144 | 145 | COPY --from=modsecurity-build /usr/local/modsecurity/ /usr/local/modsecurity/ 146 | RUN ldconfig 147 | 148 | COPY --from=nginx-build /usr/local/nginx/nginx /usr/local/nginx/nginx 149 | 150 | COPY --from=nginx-build /etc/nginx /etc/nginx 151 | 152 | COPY --from=nginx-build /usr/local/nginx/html /usr/local/nginx/html 153 | 154 | # NGiNX Create log dirs 155 | RUN mkdir -p /var/log/nginx/ 156 | RUN touch /var/log/nginx/access.log 157 | RUN touch /var/log/nginx/error.log 158 | 159 | RUN sed -i '38i modsecurity on;\n\tmodsecurity_rules_file /etc/nginx/modsecurity.d/include.conf;' /etc/nginx/nginx.conf 160 | RUN mkdir -p /etc/nginx/modsecurity.d 161 | RUN echo "include /etc/nginx/modsecurity.d/modsecurity.conf" > /etc/nginx/modsecurity.d/include.conf 162 | COPY --from=modsecurity-build /opt/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsecurity.d 163 | RUN cd /etc/nginx/modsecurity.d && \ 164 | mv modsecurity.conf-recommended modsecurity.conf 165 | 166 | ## Version for ModSecurity Core Rule Set 167 | ARG VERSION=3.0.2 168 | 169 | ## Install Curl 170 | RUN apt-get update && apt-get install curl -y && apt-get clean 171 | 172 | ## Get ModSecurity CRS 173 | RUN curl -s https://codeload.github.com/SpiderLabs/owasp-modsecurity-crs/tar.gz/v${VERSION} --output ~/modsec.tar.gz 174 | RUN tar -xzf ~/modsec.tar.gz -C /etc/nginx 175 | RUN rm ~/modsec.tar.gz 176 | 177 | ## Install ModSecurity CRS 178 | RUN cat /etc/nginx/owasp-modsecurity-crs-${VERSION}/crs-setup.conf.example /etc/nginx/owasp-modsecurity-crs-${VERSION}/rules/*.conf >> /etc/nginx/modsecurity.d/crs.conf 179 | RUN cp /etc/nginx/owasp-modsecurity-crs-${VERSION}/rules/*.data /etc/nginx/modsecurity.d/ 180 | RUN rm -rf /etc/nginx/owasp-modsecurity-crs-* 181 | RUN echo "include /etc/nginx/modsecurity.d/crs.conf">>/etc/nginx/modsecurity.d/include.conf 182 | RUN sed -i -e 's/SecRuleEngine DetectionOnly/SecRuleEngine On/g' /etc/nginx/modsecurity.d/modsecurity.conf 183 | 184 | ## Update nginx config 185 | COPY nginx /etc/nginx/ 186 | 187 | EXPOSE 80 188 | 189 | STOPSIGNAL SIGTERM 190 | 191 | CMD ["/usr/local/nginx/nginx", "-g", "daemon off;"] --------------------------------------------------------------------------------