1+ FROM quay.io/deis/base:v0.3.6 as modsecurity
2+
3+ COPY /bin /bin
4+ WORKDIR /tmp/build
5+
6+ RUN set -x && \
7+ apt-get update && \
8+ apt-get install -y --no-install-recommends \
9+ g++ make \
10+ libcurl4-openssl-dev \
11+ libyajl-dev \
12+ liblmdb-dev \
13+ libxml2-dev \
14+ libpcre3-dev \
15+ libmaxminddb-dev \
16+ libfuzzy-dev && \
17+ export MOD_SECURITY_VERSION=3.0.3 BUILD_PATH=$PWD PREFIX=/usr/local && \
18+ get_src 8aa1300105d8cc23315a5e54421192bc617a66246ad004bd89e67c232208d0f4 \
19+ "https://github.com/SpiderLabs/ModSecurity/releases/download/v$MOD_SECURITY_VERSION/modsecurity-v$MOD_SECURITY_VERSION.tar.gz" && \
20+ cd "$BUILD_PATH/modsecurity-v$MOD_SECURITY_VERSION" && \
21+ ./configure \
22+ --prefix="$PREFIX" \
23+ --enable-silent-rules \
24+ --enable-static=no \
25+ --disable-doxygen-doc \
26+ --disable-examples \
27+ --disable-dependency-tracking && \
28+ make -j`nproc` && \
29+ make install-strip && \
30+ install -D -m 644 -t "$PREFIX/share/modsecurity" \
31+ unicode.mapping \
32+ modsecurity.conf-recommended
33+
34+
135FROM quay.io/deis/base:v0.3.6
236
337RUN adduser --system \
@@ -7,20 +41,33 @@ RUN adduser --system \
741 --group \
842 router
943
44+ COPY --from=modsecurity /usr/local /usr/local
45+
1046COPY /bin /bin
1147
12- RUN buildDeps='gcc make apt-utils libgeoip-dev libssl-dev libpcre3-dev' ; \
48+ RUN set -x && \
49+ buildDeps='gcc make apt-utils libgeoip-dev libmaxminddb-dev libssl-dev libpcre3-dev' \
50+ runtimeDeps='libcurl3 libxml2 libpcre3 libgeoip1 libmaxminddb0 libfuzzy2 openssl' && \
1351 apt-get update && \
1452 apt-get install -y --no-install-recommends \
1553 $buildDeps \
16- libgeoip1 && \
17- export NGINX_VERSION=1.14.2 SIGNING_KEY=A1C052F8 VTS_VERSION=0.1.18 BUILD_PATH=/tmp/build PREFIX=/opt/router && \
54+ $runtimeDeps && \
55+ export NGINX_VERSION=1.14.2 SIGNING_KEY=A1C052F8 \
56+ VTS_VERSION=0.1.18 GEOIP2_VERSION=3.2 \
57+ MOD_SECURITY_NGINX_VERSION=d7101e13685efd7e7c9f808871b202656a969f4b \
58+ OWASP_MOD_SECURITY_CRS_VERSION=46171c0ef335f92b26787ce269e397c480286155 \
59+ BUILD_PATH=/tmp/build PREFIX=/opt/router && \
1860 rm -rf "$PREFIX" && \
1961 mkdir "$PREFIX" && \
2062 mkdir "$BUILD_PATH" && \
2163 cd "$BUILD_PATH" && \
2264 get_src_gpg $SIGNING_KEY "http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz" && \
23- get_src 17ea41d4083f6d1ab1ab83dad9160eeca66867abe16c5a0421f85a39d7c84b65 "https://github.com/vozlt/nginx-module-vts/archive/v$VTS_VERSION.tar.gz" && \
65+ get_src 17ea41d4083f6d1ab1ab83dad9160eeca66867abe16c5a0421f85a39d7c84b65 \
66+ "https://github.com/vozlt/nginx-module-vts/archive/v$VTS_VERSION.tar.gz" && \
67+ get_src 15bd1005228cf2c869a6f09e8c41a6aaa6846e4936c473106786ae8ac860fab7 \
68+ "https://github.com/leev/ngx_http_geoip2_module/archive/$GEOIP2_VERSION.tar.gz" && \
69+ get_src 5c8d25e68fb852f61489b669aebb7bd8ca8c88ebb5e5f969212fcceff3ee2d0b \
70+ "https://github.com/SpiderLabs/ModSecurity-nginx/archive/$MOD_SECURITY_NGINX_VERSION.tar.gz" && \
2471 cd "$BUILD_PATH/nginx-$NGINX_VERSION" && \
2572 ./configure \
2673 --prefix="$PREFIX" \
@@ -36,48 +83,43 @@ RUN buildDeps='gcc make apt-utils libgeoip-dev libssl-dev libpcre3-dev'; \
3683 --with-http_dav_module \
3784 --with-http_geoip_module \
3885 --with-http_gzip_static_module \
86+ --with-http_gunzip_module \
3987 --with-http_sub_module \
4088 --with-http_v2_module \
4189 --with-mail \
4290 --with-mail_ssl_module \
4391 --with-stream \
44- --add-module="$BUILD_PATH/nginx-module-vts-$VTS_VERSION" && \
45- make && \
92+ --add-module="$BUILD_PATH/nginx-module-vts-$VTS_VERSION" \
93+ --add-dynamic-module="$BUILD_PATH/ngx_http_geoip2_module-$GEOIP2_VERSION" \
94+ --add-dynamic-module="$BUILD_PATH/ModSecurity-nginx-$MOD_SECURITY_NGINX_VERSION" && \
95+ make -j`nproc` && \
4696 make install && \
47- rm -rf "$BUILD_PATH" && \
48- # include tcell dynamic nginx module
49- mkdir "$PREFIX/modules" && \
50- cd "$PREFIX/modules" && \
51- get_src 8f30a4d5f4a65e1a94c367b98cfec33e727453a7e7ffc7e85094a0e7a561f72d "https://s3.amazonaws.com/hephy-artifacts/hephy-router/nginx_tcellagent-1.1.0-agentonly-zuora-linux-x86_64.tar.gz" && \
52- mv "$PREFIX/modules/nginx_tcellagent-1.1.0-agentonly-zuora-linux-x86_64/ubuntu/xenial/nginx-1.13.7-custom_flags_ssl_1.0.2g/ngx_http_tcell_agent_module.so" . && \
53- rm -rf "$PREFIX/modules/nginx_tcellagent-1.1.0-agentonly-zuora-linux-x86_64" && \
54- # include libmodsecurity3 and modsecurity connector dynamic module
55- modsecurityDeps='apt-utils git libcurl4-openssl-dev libyajl-dev libxml2 libxml2-dev' && \
56- apt-get install -y --no-install-recommends \
57- $modsecurityDeps && \
58- cd "$PREFIX/modules" && \
59- get_src 136e0faf4b313817abd07365935ebd9174e8754700fe8a06281dbcbbe6d0ad50 "https://s3.amazonaws.com/hephy-artifacts/hephy-router/modsecurity-v3.0.3-ubuntu-16-04.tar.gz" && \
60- mv usr/local/modsecurity /usr/local/modsecurity && \
61- rm -rf usr && \
62- get_src_file c9fd4ddb69ba1ce0a3118e529c43f87c3ab216e20900e25863e58537399d2d19 "https://s3.amazonaws.com/hephy-artifacts/hephy-router/ngx_http_modsecurity_module.so" && \
97+ strip -s "$PREFIX/sbin/nginx" "$PREFIX/modules/" *.so && \
98+ cd "$BUILD_PATH" && \
6399 # setup the modsecurity config and OWASP rules
64- cd "$PREFIX/conf" && \
65- get_src_file 5614fd0f68fc7707c0dc008d45b92de586b6e14937a41b93e80165aec454eecd "https://s3.amazonaws.com/hephy-artifacts/hephy-router/modsecurity.conf" && \
66- curl -sSL https://github.com/SpiderLabs/ModSecurity/raw/v3/master/unicode.mapping -o unicode.mapping && \
67- git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git && \
68- cp -R owasp-modsecurity-crs/rules/ $PREFIX/conf/ && \
69- cp $PREFIX/conf/owasp-modsecurity-crs/crs-setup.conf.example $PREFIX/conf/crs-setup.conf && \
70- rm -rf owasp-modsecurity-crs && \
100+ get_src c0e5d496db41b9b5e201fd8138e2507d22b22cf945b7b06bf3c9fad31b0bba95 \
101+ "https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/$OWASP_MOD_SECURITY_CRS_VERSION.tar.gz" && \
102+ cp -R owasp-modsecurity-crs-$OWASP_MOD_SECURITY_CRS_VERSION/rules $PREFIX/conf/ && \
103+ cp owasp-modsecurity-crs-$OWASP_MOD_SECURITY_CRS_VERSION/crs-setup.conf.example $PREFIX/conf/crs-setup.conf && \
104+ cp /usr/local/share/modsecurity/unicode.mapping "$PREFIX/conf/" && \
105+ sed -e 's/^SecRuleEngine DetectionOnly/SecRuleEngine On/' \
106+ -e '$ a # Load OWASP Core Rule Set' \
107+ -e '$ a Include crs-setup.conf' \
108+ -e '$ a Include rules/*.conf' \
109+ /usr/local/share/modsecurity/modsecurity.conf-recommended > "$PREFIX/conf/modsecurity.conf" && \
110+ cd / && \
111+ rm -rf "$BUILD_PATH" && \
112+ rm -rf /usr/local/include/* && \
71113 # cleanup
72114 apt-get purge -y --auto-remove $buildDeps && \
73115 apt-get autoremove -y && \
74116 apt-get clean -y && \
75117 # package up license files if any by appending to existing tar
76- COPYRIGHT_TAR='/usr/share/copyrights.tar' ; \
77- gunzip -f $COPYRIGHT_TAR.gz; tar -rf $COPYRIGHT_TAR /usr/share/doc/*/copyright; gzip $COPYRIGHT_TAR && \
118+ COPYRIGHT_TAR='/usr/share/copyrights.tar' && \
119+ gunzip -f $COPYRIGHT_TAR.gz && tar -rf $COPYRIGHT_TAR /usr/share/doc/*/copyright && gzip $COPYRIGHT_TAR && \
78120 rm -rf \
79121 /usr/share/doc \
80- /usr/share/man \
122+ /usr/share/man/man?/* \
81123 /usr/share/info \
82124 /usr/share/locale \
83125 /var/lib/apt/lists/* \
@@ -87,8 +129,7 @@ RUN buildDeps='gcc make apt-utils libgeoip-dev libssl-dev libpcre3-dev'; \
87129 /lib/lsb \
88130 /lib/udev \
89131 /usr/lib/x86_64-linux-gnu/gconv/IBM* \
90- /usr/lib/x86_64-linux-gnu/gconv/EBC* && \
91- bash -c "mkdir -p /usr/share/man/man{1..8}"
132+ /usr/lib/x86_64-linux-gnu/gconv/EBC*
92133
93134COPY . /
94135
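Review bot: The final stage's `runtimeDeps` on new line 50 installs neither `libyajl2` nor `liblmdb0`, while the `modsecurity` stage builds libmodsecurity with `libyajl-dev` and `liblmdb-dev` present, so the `libmodsecurity.so` copied in on line 44 will carry whichever of those optional libraries configure detected as NEEDED entries and `ngx_http_modsecurity_module.so` will fail to load at nginx start unless the base image already ships them — check with `ldd /usr/local/lib/libmodsecurity.so` in the final image and, if confirmed, change the line to `runtimeDeps='libcurl3 libxml2 libpcre3 libgeoip1 libmaxminddb0 libfuzzy2 libyajl2 liblmdb0 openssl' && \`. The strip call on new line 97 also looks wrong: `"$PREFIX/modules/" *.so` is two arguments, a directory (which strip rejects with a non-zero status) and a `*.so` glob evaluated in the nginx source directory where it is unlikely to match, so the dynamic modules are never stripped and the `RUN` probably aborts; it should read `strip -s "$PREFIX/sbin/nginx" "$PREFIX/modules/"*.so && \`. Separately, the sed on line 105 flips the shipped config from `DetectionOnly` to `SecRuleEngine On`, so with the full CRS included the WAF now blocks rather than logs by default — a deliberate hardening choice worth a comment such as `# blocking mode: CRS false positives return 403; tune crs-setup.conf per deployment` so operators are not surprised. Note that this `RUN` starts at new line 48 in an earlier hunk and spans lines not shown between the hunks, so the parts of it outside this section were not reviewed.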