NGINX App Protect updates (#88)

fabriziofiorucci · web-flow · commit c701963c8596 · 2023-03-27T09:14:23.000+02:00
diff --git a/nginx-agent-docker/Dockerfile b/nginx-agent-docker/Dockerfile
@@ -49,7 +49,11 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644
 
 # Forward request logs to Docker log collector
 	&& ln -sf /dev/stdout /var/log/nginx/access.log \
-	&& ln -sf /dev/stderr /var/log/nginx/error.log
+	&& ln -sf /dev/stderr /var/log/nginx/error.log \
+
+	&& groupadd -g 1001 nginx-agent \
+	&& usermod root -G nginx-agent \
+	&& usermod nginx -G nginx-agent
 
 EXPOSE 80
 STOPSIGNAL SIGTERM
diff --git a/nginx-agent-docker/README.md b/nginx-agent-docker/README.md
@@ -8,7 +8,7 @@ This repository can be used to build a docker image with NGINX Plus and NGINX In
 
 This repository has been tested with NGINX agent for:
 
-- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0
+- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0
 - API Connectivity Manager 1.4.0
 - NGINX App Protect WAF 4.100.1+
 
diff --git a/nginx-agent-docker/container/start.sh b/nginx-agent-docker/container/start.sh
@@ -13,9 +13,18 @@ if [[ ! -z "$NIM_TAGS" ]]; then
    PARM="${PARM} --tags $NIM_TAGS"
 fi
 
+
 if [[ "$NAP_WAF" == "true" ]]; then
    PARM="${PARM} --nginx-app-protect-report-interval 15s --nap-monitoring-collector-buffer-size 50000 --nap-monitoring-processor-buffer-size 50000 --nap-monitoring-syslog-ip 127.0.0.1 --nap-monitoring-syslog-port 514"
-   /usr/share/ts/bin/bd-socket-plugin tmm_count 4 proc_cpuinfo_cpu_mhz 2000000 total_xml_memory 471859200 total_umu_max_size 3129344 sys_max_account_id 1024 no_static_config &
+   su - nginx -s /bin/bash -c "/opt/app_protect/bin/bd_agent &"
+   su - nginx -s /bin/bash -c "/usr/share/ts/bin/bd-socket-plugin tmm_count 4 proc_cpuinfo_cpu_mhz 2000000 total_xml_memory 471859200 total_umu_max_size 3129344 sys_max_account_id 1024 no_static_config &"
+
+   while ([ ! -e /opt/app_protect/pipe/app_protect_plugin_socket ] || [ ! -e /opt/app_protect/pipe/ts_agent_pipe ])
+   do
+     sleep 1
+   done
+
+   chown nginx:nginx /opt/app_protect/pipe/*
 fi
 
 if [[ "$NAP_WAF_PRECOMPILED_POLICIES" == "true" ]]; then
@@ -26,4 +35,4 @@ if [[ "$ACM_DEVPORTAL" == "true" ]]; then
    nginx-devportal server &
 fi
 
-nginx-agent $PARM
+sg nginx-agent "/usr/bin/nginx-agent $PARM"
diff --git a/nginx-nms-docker/Dockerfile.automated b/nginx-nms-docker/Dockerfile.automated
@@ -32,7 +32,9 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644
 	apt-get -y install nms-sm; fi \
 	# Optional WAF Policy Compiler
 	&& if [ ! -z "${ADD_PUM}" ] ; then \
-	apt-get -y install nms-nap-compiler-$ADD_PUM; fi
+	apt-get -y install nms-nap-compiler-$ADD_PUM; fi \
+	# Set permissions
+	&& chmod +x /etc/nms/scripts/*.sh
 
 # Optional Second Sight
 WORKDIR /deployment
diff --git a/nginx-nms-docker/Dockerfile.manual b/nginx-nms-docker/Dockerfile.manual
@@ -8,8 +8,8 @@ ARG PUM_IMAGE=nim-files/.placeholder
 
 # Initial setup
 RUN apt-get update && \
-        DEBIAN_FRONTEND=noninteractive apt-get install -y -q build-essential git nano curl jq wget gawk \
-                nginx lsb-release rsyslog systemd apt-transport-https ca-certificates netcat sudo && \
+	DEBIAN_FRONTEND=noninteractive apt-get install -y -q build-essential git nano curl jq wget gawk \
+		nginx lsb-release rsyslog systemd apt-transport-https ca-certificates netcat && \
 	mkdir -p /deployment/setup
 
 # NGINX Instance Manager 2.4.0+
@@ -40,6 +40,9 @@ RUN if [ "$SM_IMAGE" != "nim-files/.placeholder" ] ; then \
 RUN if [ "$PUM_IMAGE" != "nim-files/.placeholder" ] ; then \
 	apt-get -y install /deployment/setup/pum.deb; fi
 
+# Set permissions
+RUN chmod +x /etc/nms/scripts/*.sh
+
 RUN rm -r /deployment/setup
 
 # Optional Second Sight
diff --git a/nginx-nms-docker/README.md b/nginx-nms-docker/README.md
@@ -24,10 +24,10 @@ A bash script to quickly install NGINX Management Suite through the official Hel
 
 This repository has been tested with:
 
-- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0
-- NGINX Management Suite API Connectivity Manager 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1
-- Security Monitoring 1.0.0, 1.1.0, 1.2.0
-- NGINX App Protect WAF compiler 3.1088.2, 4.2.0
+- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0
+- NGINX Management Suite API Connectivity Manager 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1
+- Security Monitoring 1.0.0, 1.1.0, 1.2.0, 1.3.0
+- NGINX App Protect WAF compiler 3.1088.2, 4.2.0, 4.100.1
 
 ## Prerequisites
 
