Merge pull request coreruleset#218 from fzipi/build-apache-pcre2

feat(apache): switch to pcre2

Author: fzipi

.github/workflows/configure-rules-for-test.sh

@@ -22,7 +22,7 @@ while read -r line; do
   test_value="$(cut -d'|' -f5 <<< "${line}")"
 
   if ! grep -q "${var_name}" "${readme_file}"; then
-    echo "Failed to find environment variable `${var_name}` in README."
+    echo "Failed to find environment variable '${var_name}' in README."
     exit 1
   fi
 

.github/workflows/verifyimage.yml

@@ -128,12 +128,15 @@ jobs:
             's#image: owasp/modsecurity-crs:${{ contains(matrix.target, 'apache') && 'apache' || 'nginx' }}.*#image: ${{ matrix.target }}-verification#' \
             crs/tests/docker-compose.yml
       - name: Run CRS tests for ${{ matrix.target }}
+        # Log flushing isn't reliable enough for go-ftw (https://github.com/coreruleset/go-ftw/issues/473)
+        if: ${{!contains(matrix.target, 'nginx-alpine')}}
         run: |
           cd crs
           modsec_version="${{ contains(matrix.target, 'apache') && 'modsec2-apache' || 'modsec3-nginx' }}"
           backend="${{ contains(matrix.target, 'apache') && 'httpd' || 'nginx' }}"
           mkdir -p "tests/logs/${modsec_version}/{nginx,apache2}"
           docker compose -f ./tests/docker-compose.yml up -d "${modsec_version}"
+          sleep 10
           docker compose -f ./tests/docker-compose.yml logs
           if ! [ "$(docker inspect ${modsec_version} --format='{{.State.Running}}')" = "true" ]; then
             echo "Web server failed to start. Aborting."
@@ -146,3 +149,12 @@ jobs:
             --log-file "tests/logs/${modsec_version}/error.log" \
             --overrides "tests/regression/${backend}-overrides.yaml" \
             --show-failures-only
+
+      - name: Upload logs
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: ${{ matrix.target }}-error.log
+          path: "crs/tests/logs/${{ contains(matrix.target, 'apache') && 'modsec2-apache' || 'modsec3-nginx' }}/error.log"
+          retention-days: 7
+          overwrite: true

apache/Dockerfile

@@ -3,6 +3,7 @@ ARG HTTPD_VERSION="n/a"
 FROM image AS build
 
 ARG MODSEC2_VERSION="n/a"
+ARG MODSEC2_FLAGS="n/a"
 ARG LUA_VERSION="n/a"
 
 RUN set -eux; \
@@ -17,7 +18,7 @@ RUN set -eux; \
         libaprutil1-dev \
         libcurl4-gnutls-dev \
         libfuzzy-dev \
-        libpcre3-dev \
+        libpcre2-dev \
         libtool \
         libxml2-dev \
         libyajl-dev \
@@ -31,7 +32,7 @@ RUN set -eux; \
     tar -zxvf v${MODSEC2_VERSION}.tar.gz; \
     cd ModSecurity-${MODSEC2_VERSION}; \
     ./autogen.sh; \
-    ./configure --with-yajl --with-ssdeep; \
+    ./configure ${MODSEC2_FLAGS}; \
     make; \
     make install; \
     make clean
@@ -173,6 +174,7 @@ RUN set -eux; \
         libfuzzy2 \
         liblua${LUA_VERSION} \
         ${LUA_MODULES} \
+        libpcre2-8-0 \
         libxml2 \
         libyajl2; \
     update-ca-certificates -f; \

apache/Dockerfile-alpine

@@ -3,6 +3,7 @@ ARG HTTPD_VERSION="n/a"
 FROM image AS build
 
 ARG MODSEC2_VERSION="n/a"
+ARG MODSEC2_FLAGS="n/a"
 ARG LUA_VERSION="n/a"
 
 # see https://httpd.apache.org/docs/2.4/install.html#requirements
@@ -33,15 +34,15 @@ RUN set -eux; \
     make \
     openssl \
     openssl-dev \
-    pcre-dev \
+    pcre2-dev \
     zlib-dev
 
 RUN set -eux; \
     wget --quiet https://github.com/owasp-modsecurity/ModSecurity/archive/refs/tags/v${MODSEC2_VERSION}.tar.gz; \
     tar -zxvf v${MODSEC2_VERSION}.tar.gz; \
     cd ModSecurity-${MODSEC2_VERSION}; \
     ./autogen.sh; \
-    ./configure --with-yajl --with-ssdeep --with-lmdb; \
+    ./configure ${MODSEC2_FLAGS}; \
     make; \
     make install; \
     make clean
@@ -184,6 +185,7 @@ RUN set -eux; \
         ${LUA_MODULES} \
         moreutils \
         openssl \
+        pcre2 \
         sed \
         tzdata \
         yajl; \

docker-bake.hcl

@@ -4,11 +4,19 @@ variable "modsec3-version" {
     default = "3.0.14"
 }
 
+variable "modsec3-flags" {
+    default = "--with-yajl --with-ssdeep --with-lmdb --with-pcre2 --with-maxmind --enable-silent-rules"
+}
+
 variable "modsec2-version" {
     # renovate: depName=ModSecurity2 packageName=owasp-modsecurity/ModSecurity datasource=github-releases
     default = "2.9.8"
 }
 
+variable "modsec2-flags" {
+    default = "--with-yajl --with-ssdeep --with-pcre2"
+}
+
 variable "crs-version" {
     # renovate: depName=coreruleset/coreruleset datasource=github-releases
     default = "4.12.0"
@@ -109,7 +117,9 @@ target "platforms-base" {
     args = {
         CRS_RELEASE = "${crs-version}"
         MODSEC2_VERSION = "${modsec2-version}"
+        MODSEC2_FLAGS = modsec2-flags
         MODSEC3_VERSION = "${modsec3-version}"
+        MODSEC3_FLAGS = modsec3-flags
         LUA_VERSION = "${lua-version}"
         LMDB_VERSION = "${lmdb-version}"
     }
@@ -125,13 +135,13 @@ target "apache" {
                 lua_modules = join(" ", lua-modules-debian)
                 tag_base = "apache"
             },
-            # {
-            #     name = "alpine"
-            #     dockerfile = "apache/Dockerfile-alpine"
-            #     image = "docker-image://httpd:${httpd-version}-alpine"
-            #     lua_modules = join(" ", lua-modules-alpine)
-            #     tag_base = "apache-alpine"
-            # }
+            {
+                name = "alpine"
+                dockerfile = "apache/Dockerfile-alpine"
+                image = "docker-image://httpd:${httpd-version}-alpine"
+                lua_modules = join(" ", lua-modules-alpine)
+                tag_base = "apache-alpine"
+            }
         ]
     }
 
@@ -159,13 +169,13 @@ target "nginx" {
                 lua_modules = join(" ", lua-modules-debian)
                 tag_base = "nginx"
             },
-            # {
-            #     name = "alpine"
-            #     dockerfile = "nginx/Dockerfile-alpine"
-            #     image = "docker-image://nginxinc/nginx-unprivileged:${nginx-version}-alpine"
-            #     lua_modules = join(" ", lua-modules-alpine)
-            #     tag_base = "nginx-alpine"
-            # }
+            {
+                name = "alpine"
+                dockerfile = "nginx/Dockerfile-alpine"
+                image = "docker-image://nginxinc/nginx-unprivileged:${nginx-version}-alpine"
+                lua_modules = join(" ", lua-modules-alpine)
+                tag_base = "nginx-alpine"
+            }
         ],
         read-only-fs = [
             {

nginx/Dockerfile

@@ -2,6 +2,7 @@ FROM image AS build
 
 ARG NGINX_VERSION="n/a"
 ARG MODSEC3_VERSION="n/a"
+ARG MODSEC3_FLAGS="n/a"
 ARG LMDB_VERSION="n/a"
 ARG LUA_VERSION="n/a"
 ARG NGINX_DYNAMIC_MODULES="n/a"
@@ -10,8 +11,6 @@ ARG READ_ONLY_FS="false"
 
 USER root
 
-# Note: libpcre3-dev (PCRE 1) is required by the build description,
-# even though the build will use PCRE2.
 RUN set -eux; \
     echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections; \
     apt-get update -qq; \
@@ -24,7 +23,6 @@ RUN set -eux; \
         libcurl4-gnutls-dev \
         libfuzzy-dev \
         liblua${LUA_VERSION}-dev \
-        libpcre3-dev \
         libpcre2-dev \
         libtool \
         libxml2-dev \
@@ -53,7 +51,7 @@ RUN set -eux; \
     sed -ie "s/i386-linux-gnu/${ARCH}/g" build/ssdeep.m4; \
     sed -ie "s/i386-linux-gnu/${ARCH}/g" build/pcre2.m4; \
     ./build.sh; \
-    ./configure --with-yajl --with-ssdeep --with-pcre2 --with-maxmind --enable-silent-rules; \
+    ./configure ${MODSEC3_FLAGS}; \
     make -j$(nproc) install; \
     strip /usr/local/modsecurity/lib/lib*.so*
 
@@ -243,6 +241,7 @@ RUN set -eux; \
         libfuzzy2 \
         liblua${LUA_VERSION} \
         ${LUA_MODULES} \
+        libpcre2-8-0 \
         libxml2 \
         libyajl2 \
         libmaxminddb-dev \

nginx/Dockerfile-alpine

@@ -2,6 +2,7 @@ FROM image AS build
 
 ARG NGINX_VERSION="n/a"
 ARG MODSEC3_VERSION="n/a"
+ARG MODSEC3_FLAGS="n/a"
 ARG LUA_VERSION="n/a"
 ARG NGINX_DYNAMIC_MODULES="n/a"
 ARG NGINX_HOME="n/a"
@@ -35,7 +36,6 @@ RUN set -eux; \
         openssl-dev \
         patch \
         pkgconfig \
-        pcre-dev \
         pcre2-dev \
         yajl-dev \
         zlib-dev
@@ -49,7 +49,7 @@ RUN set -eux; \
     sed -ie "s/i386-linux-gnu/${ARCH}/g" build/ssdeep.m4; \
     sed -ie "s/i386-linux-gnu/${ARCH}/g" build/pcre2.m4; \
     ./build.sh; \
-    ./configure --with-yajl --with-ssdeep --with-lmdb --with-pcre2 --with-maxmind --enable-silent-rules; \
+    ./configure ${MODSEC3_FLAGS}; \
     make -j$(nproc) install; \
     strip /usr/local/modsecurity/lib/lib*.so*
 
@@ -240,7 +240,6 @@ RUN set -eux; \
         moreutils \
         openssl \
         tzdata \
-        pcre \
         pcre2 \
         # Alpine needs GNU 'sed' because the 'sed' program shipped with busybox does not support 'z' parameter for separating lines with a 'NUL' character.
         sed \