-
Notifications
You must be signed in to change notification settings - Fork 3
Expand file tree
/
Copy pathDockerfile
More file actions
73 lines (66 loc) · 3 KB
/
Dockerfile
File metadata and controls
73 lines (66 loc) · 3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
FROM ghcr.io/coreruleset/modsecurity-crs:4.22.0-apache-202601060501
ENV ACCESSLOG=/dev/stdout \
ERRORLOG='"|/usr/bin/stdbuf -i0 -oL /opt/transform-alert-message.awk"' \
PERFLOG=/dev/stdout \
LOGLEVEL=notice \
TIMEOUT=5 \
WORKER_CONNECTIONS=250 \
MODSEC_AUDIT_LOG_PARTS=ABEFHIJZ \
ANOMALY_INBOUND=1000 \
ANOMALY_OUTBOUND=1000 \
ALLOWED_METHODS='GET HEAD POST OPTIONS DELETE PUT PROPFIND' \
ALLOWED_CONTENT='|application/x-www-form-urlencoded| |multipart/form-data| |text/xml| |application/xml| |application/x-amf| |application/json|' \
ARG_NAME_LENGTH=256 \
COMBINED_FILE_SIZES=100000000 \
MAX_FILE_SIZE=100000000 \
MAX_NUM_ARGS=300 \
TOTAL_ARG_LENGTH=100000 \
MODSEC_PCRE_MATCH_LIMIT=500000 \
MODSEC_PCRE_MATCH_LIMIT_RECURSION=500000 \
MODSEC_REQ_BODY_LIMIT=100000000 \
MODSEC_REQ_BODY_NOFILES_LIMIT=5242880 \
MODSEC_RESP_BODY_LIMIT=500000000 \
CLAMD_DEBUG_LOG=off \
# Use the default docker subnet as the default \
HEALTHZ_CIDRS=172.18.0.0/24
USER root
RUN set -x && \
# Install additional required tools \
apt-get update && \
apt-get install -y --no-install-recommends \
clamdscan \
coreutils \
gawk && \
rm -rf /var/lib/apt/lists/* && \
apt-get clean && \
# Restore AWK symlink - our transform-alert-message script assumes GNU awk,\
# while the default awk implementation of the base image is mawk. \
ln -sfv /etc/alternatives/awk /usr/bin/awk && \
# We terminate TLS on the proxy; so remove all SSL config from the vhosts \
sed -i '/<VirtualHost \*:${SSL_PORT}>/,/<\/VirtualHost>/d' /usr/local/apache2/conf/extra/httpd-vhosts.conf && \
sed -i '/Include .*httpd-ssl.conf/d' /usr/local/apache2/conf/httpd.conf && \
sed -i '/^\/usr\/local\/bin\/generate-certificate/d' /docker-entrypoint.sh && \
#Make sure the ProxyPass setting for error-pages is included prior to the ones in vhost settings \
sed -i '/httpd-modsecurity.conf/d' /usr/local/apache2/conf/httpd.conf && \
sed -i '/# Virtual hosts/i\Include conf/extra/httpd-modsecurity.conf' /usr/local/apache2/conf/httpd.conf && \
# Disable CRS plugin system \
sed -i '/activate-plugins/d' /docker-entrypoint.sh && \
# Disable customized logging configuration - we'll configure this in \
# ./conf/vshn-logging.conf \
sed -i '/CustomLog /d' /usr/local/apache2/conf/httpd.conf
# Fix Permissions
# On OpenShift, the container will be started with a random UID and GID 0, so
# we have to make some directories group-writeable.
RUN chgrp -R 0 /opt/owasp-crs && \
chmod -R g+rwX /opt/owasp-crs
RUN chgrp -R 0 /usr/local/apache2/logs && \
chmod -R g+rwX /usr/local/apache2/logs
# Customized configuration files
COPY opt/* /opt/
COPY clamd-config/* /etc/clamav/
COPY apache-config/* /usr/local/apache2/conf/extra/
COPY modsecurity.d/setup.conf /etc/modsecurity.d/setup.conf
# Custom ModSecurity rules
COPY ./custom-rules/before-crs.dist /opt/modsecurity/rules/before-crs.dist
COPY ./custom-rules/after-crs.dist /opt/modsecurity/rules/after-crs.dist
USER 56947:0