Sync

build/Dockerfile

@@ -527,6 +527,33 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 	&& if [ "${NGINX_AGENT}" = "true" ]; then agent.sh; fi \
 	&& dnf clean all
 
+############################################# GRAAL: ModSecurity #############################################
+FROM ${BUILD_OS} AS modsecurity-lib
+ARG MS_NGINX_VERSION=1.23.2
+
+RUN apt-get update && apt-get install -y -q --fix-missing --no-install-recommends apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev
+RUN git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity \
+    && cd ModSecurity \
+    && git submodule init \
+    && git submodule update \
+    && ./build.sh \
+    && ./configure \
+    && make \
+    && make install \
+    && cd .. \
+    && ls -all /usr/local/lib
+
+RUN git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
+
+# Get nginx to build against
+RUN curl -sS -O -L http://nginx.org/download/nginx-${MS_NGINX_VERSION}.tar.gz \
+	&& tar zxvf nginx-${MS_NGINX_VERSION}.tar.gz && rm -f nginx-${MS_NGINX_VERSION}.tar.gz \
+    && cd nginx-${MS_NGINX_VERSION} \
+    && ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx \
+    && make modules \
+    && cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules \
+    && cd .. \
+    && ls -all /usr/local/lib
 
 ############################################# Create common files, permissions and setcap #############################################
 FROM ${BUILD_OS} AS common
@@ -538,6 +565,38 @@ ARG NAP_MODULES=none
 
 ENV BUILD_OS=${BUILD_OS}
 
+# GRAAL: add modsecurity
+RUN apt-get update && apt-get install -y -q --fix-missing --no-install-recommends apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev
+RUN --mount=type=bind,from=modsecurity-lib,target=/tmp/ot/ \
+    ls -all /tmp/ot/usr/local/modsecurity/ \
+    && ls -all /tmp/ot/usr/lib/nginx/modules/ \
+    && mkdir /usr/local/modsecurity \
+	&& cp -av -r /tmp/ot/usr/local/modsecurity /usr/local/ \
+	&& cp -av /tmp/ot/usr/lib/nginx/modules/ngx_http_modsecurity_module.so /usr/lib/nginx/modules/ \
+	&& ldconfig /usr/local/lib/
+# /GRAAL
+
+# copy oidc files on plus build
+RUN --mount=type=bind,target=/tmp [ -n "${BUILD_OS##*plus*}" ] && exit 0; mkdir -p /etc/nginx/oidc/ && cp -a /tmp/internal/configs/oidc/* /etc/nginx/oidc/
+
+# run only on nap waf build
+RUN --mount=type=bind,target=/tmp [ -n "${NAP_MODULES##*waf*}" ] && exit 0; mkdir -p /etc/nginx/waf/nac-policies /etc/nginx/waf/nac-logconfs /etc/nginx/waf/nac-usersigs /var/log/app_protect /opt/app_protect \
+	&& chown -R 101:0 /etc/app_protect /usr/share/ts /var/log/app_protect/ /opt/app_protect/ /var/log/nginx/ \
+	&& touch /etc/nginx/waf/nac-usersigs/index.conf \
+	&& cp -a /tmp/build/log-default.json /etc/nginx
+
+# run only on nap dos build
+RUN [ -n "${NAP_MODULES##*dos*}" ] && exit 0; mkdir -p /root/app_protect_dos /etc/nginx/dos/policies /etc/nginx/dos/logconfs /shared/cores /var/log/adm /var/run/adm \
+	&& chmod 777 /shared/cores /var/log/adm /var/run/adm /etc/app_protect_dos
+
+RUN --mount=type=bind,target=/tmp mkdir -p /var/lib/nginx /etc/nginx/secrets /etc/nginx/stream-conf.d \
+	&& setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
+	&& setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
+	&& [ -z "${BUILD_OS##*plus*}" ] && PLUS=-plus; cp -a /tmp/internal/configs/version1/nginx$PLUS.ingress.tmpl /tmp/internal/configs/version1/nginx$PLUS.tmpl \
+	/tmp/internal/configs/version2/nginx$PLUS.virtualserver.tmpl /tmp/internal/configs/version2/nginx$PLUS.transportserver.tmpl / \
+	&& chown -R 101:0 /etc/nginx /var/cache/nginx /var/lib/nginx /*.tmpl \
+	&& rm -f /etc/nginx/conf.d/* /etc/apt/apt.conf.d/90pkgs-nginx /etc/apt/sources.list.d/nginx-plus.list
+
 RUN --mount=type=bind,target=/code \
 	--mount=type=bind,from=nginx-files,src=common.sh,target=/usr/local/bin/common.sh \
 	--mount=type=bind,from=nginx-files,src=patch-os.sh,target=/usr/local/bin/patch-os.sh \