Merge branch 'main' into renovate/all-minor-patch

coreruleset · Feb 25, 2025 · e116aa8 · e116aa8
2 parents 55ec1ff + 8b115ce
commit e116aa8
Show file tree

Hide file tree

Showing 8 changed files with 166 additions and 71 deletions.
diff --git a/README.md b/README.md
@@ -19,10 +19,11 @@ ModSecurity is an open source, cross platform web application firewall (WAF) eng
 Stable Tags are composed of:
    * CRS version, in the format `<major>[.<minor>[.<patch]]`
    * web server variant
-   * OS variant (optional)
+   * OS variant (optional, nginx only)
+   * writable (optional)
    * date, in the format `YYYYMMDDHHMM`
 
-The stable tag format is `<CRS version>-<web server>[-<os>]-<date>`.
+The stable tag format is `<CRS version>-<web server>[-<os>][-<writable>]-<date>`.
 Examples:
    * `4-nginx-202401121309`
    * `4.0-apache-alpine-202401121309`
@@ -34,21 +35,33 @@ Rolling tags are updated whenever a new stable tag release occurs. Rolling tags
 Rolling Tags are composed of:
    * web server variant
    * OS variant (optional)
+   * writable (optional, nginx only)
 
-The stable tag format is `<web server>[-<os>]`.
+The stable tag format is `<web server>[-<os>][-<writable>]`.
 Examples:
    * `nginx`
    * `apache-alpine`
 
 ## OS Variants
 
-* nginx – *latest stable ModSecurity v3 on Nginx 1.27.4 official stable base image, and latest stable OWASP CRS 4.11.0*
+* nginx – *latest stable ModSecurity v3 on Nginx 1.26.3 official stable base image, and latest stable OWASP CRS 4.11.0*
    * [nginx](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)
    * [nginx-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine)
 * Apache httpd – *last stable ModSecurity v2 on Apache 2.4.63 official stable base image, and latest stable OWASP CRS 4.11.0*
    * [apache](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)
    * [apache-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine)
 
+## Read-only Root Filesystem
+
+> [!IMPORTANT]
+> Read-only filesystem variants are currently only available for images based on nginx.
+
+By default, the root filesystem of our containers are writable. We also provide images that are set up to run on a read-only filesystem for enhanced security.
+
+Examples:
+   * `nginx-read-only`
+   * `nginx-alpine-read-only`
+
 ### Notes regarding Openresty version of this image
 
 * The version was removed as no maintainer was found.
@@ -66,13 +79,6 @@ We currently provide images for the following architectures:
 
 ### Building
 
-We require a version of `buildx` >= v0.9.1. [Visit the official documentation](https://docs.docker.com/build/architecture/#install-buildx) for instructions on installing and upgrading `buildx`. You can check which version you have using:
-
-```bash
-docker buildx version
-github.com/docker/buildx v0.9.1 ed00243a0ce2a0aee75311b06e32d33b44729689
-```
-
 If you want to see the targets of the build, use:
 
 ```bash

diff --git a/apache/Dockerfile b/apache/Dockerfile
@@ -1,6 +1,6 @@
 ARG HTTPD_VERSION="n/a"
 
-FROM httpd:${HTTPD_VERSION} AS build
+FROM image AS build
 
 ARG MODSEC2_VERSION="n/a"
 ARG LUA_VERSION="n/a"
@@ -36,7 +36,7 @@ RUN set -eux; \
     make install; \
     make clean
 
-FROM httpd:${HTTPD_VERSION} AS crs_release
+FROM image AS crs_release
 
 ARG CRS_RELEASE
 
@@ -56,7 +56,7 @@ RUN set -eux; \
     rm -f v${CRS_RELEASE}-minimal.tar.gz coreruleset-${CRS_RELEASE}-minimal.tar.gz.asc; \
     mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf
 
-FROM httpd:${HTTPD_VERSION}
+FROM image
 
 ARG MODSEC2_VERSION
 ARG LUA_VERSION

diff --git a/apache/Dockerfile-alpine b/apache/Dockerfile-alpine
@@ -1,6 +1,6 @@
 ARG HTTPD_VERSION="n/a"
 
-FROM httpd:${HTTPD_VERSION}-alpine AS build
+FROM image AS build
 
 ARG MODSEC2_VERSION="n/a"
 ARG LUA_VERSION="n/a"
@@ -46,7 +46,7 @@ RUN set -eux; \
     make install; \
     make clean
 
-FROM httpd:${HTTPD_VERSION}-alpine AS crs_release
+FROM image AS crs_release
 
 ARG CRS_RELEASE
 
@@ -66,7 +66,7 @@ RUN set -eux; \
     rm -f v${CRS_RELEASE}-minimal.tar.gz coreruleset-${CRS_RELEASE}-minimal.tar.gz.asc; \
     mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf
 
-FROM httpd:${HTTPD_VERSION}-alpine
+FROM image
 
 ARG MODSEC2_VERSION
 ARG LUA_VERSION

diff --git a/docker-bake.hcl b/docker-bake.hcl
@@ -16,7 +16,7 @@ variable "crs-version" {
 
 variable "nginx-version" {
     # renovate: depName=nginxinc/nginx-unprivileged datasource=docker
-    default = "1.27.4"
+    default = "1.26.3"
 }
 
 variable "httpd-version" {
@@ -96,16 +96,11 @@ function "vtag" {
 group "default" {
     targets = [
         "apache",
-        "apache-alpine",
-        "nginx",
-        "nginx-alpine",
+        "nginx"
     ]
 }
 
-target "docker-metadata-action" {}
-
 target "platforms-base" {
-    inherits = ["docker-metadata-action"]
     context="."
     platforms = ["linux/amd64", "linux/arm64/v8", "linux/arm/v7", "linux/i386"]
     labels = {
@@ -121,51 +116,82 @@ target "platforms-base" {
 }
 
 target "apache" {
-    inherits = ["platforms-base"]
-    dockerfile="apache/Dockerfile"
-    args = {
-        HTTPD_VERSION = "${httpd-version}"
-        LUA_MODULES = join(" ", lua-modules-debian)
+    matrix = {
+        base = [
+            {
+                name = "debian"
+                dockerfile="apache/Dockerfile"
+                image = "docker-image://httpd:${httpd-version}"
+                lua_modules = join(" ", lua-modules-debian)
+                tag_base = "apache"
+            },
+            {
+                name = "alpine"
+                dockerfile = "apache/Dockerfile-alpine"
+                image = "docker-image://httpd:${httpd-version}-alpine"
+                lua_modules = join(" ", lua-modules-alpine)
+                tag_base = "apache-alpine"
+            }
+        ]
     }
-    tags = concat(tag("apache"),
-        vtag("${crs-version}", "apache")
-    )
-}
 
-target "apache-alpine" {
     inherits = ["platforms-base"]
-    dockerfile="apache/Dockerfile-alpine"
+    name = "apache-${base.name}"
+    contexts = {
+        image = base.image
+    }
+    dockerfile = base.dockerfile
     args = {
-        HTTPD_VERSION = "${httpd-version}"
-        LUA_MODULES = join(" ", lua-modules-alpine)
+        LUA_MODULES = base.lua_modules
     }
-    tags = concat(tag("apache-alpine"),
-        vtag("${crs-version}", "apache-alpine")
+    tags = concat(tag(base.tag_base),
+        vtag("${crs-version}", base.tag_base)
     )
 }
 
 target "nginx" {
-    inherits = ["platforms-base"]
-    dockerfile="nginx/Dockerfile"
-    args = {
-        LUA_MODULES = join(" ", lua-modules-debian)
-        NGINX_VERSION = "${nginx-version}"
-        NGINX_DYNAMIC_MODULES = join(" ", [for mod in nginx-dynamic-modules : join(" ", [mod.owner, mod.name, mod.version])])
+    matrix = {
+        base = [
+            {
+                name = "debian"
+                dockerfile = "nginx/Dockerfile"
+                image = "docker-image://nginxinc/nginx-unprivileged:${nginx-version}"
+                lua_modules = join(" ", lua-modules-debian)
+                tag_base = "nginx"
+            },
+            {
+                name = "alpine"
+                dockerfile = "nginx/Dockerfile-alpine"
+                image = "docker-image://nginxinc/nginx-unprivileged:${nginx-version}-alpine"
+                lua_modules = join(" ", lua-modules-alpine)
+                tag_base = "nginx-alpine"
+            }
+        ],
+        read-only-fs = [
+            {
+                name = "writable"
+                read-only = "false"
+            },
+            {
+                name = "read-only"
+                read-only = "true"
+            }
+        ]
     }
-    tags = concat(tag("nginx"),
-        vtag("${crs-version}", "nginx")
-    )
-}
-
-target "nginx-alpine" {
     inherits = ["platforms-base"]
-    dockerfile="nginx/Dockerfile-alpine"
+    name = "nginx-${base.name}-${read-only-fs.name}"
+    contexts = {
+        image = base.image
+    }
+    dockerfile = base.dockerfile
     args = {
-        LUA_MODULES = join(" ", lua-modules-alpine)
-        NGINX_VERSION = "${nginx-version}"
+        NGINX_VERSION = nginx-version
+        LUA_MODULES = base.lua_modules
         NGINX_DYNAMIC_MODULES = join(" ", [for mod in nginx-dynamic-modules : join(" ", [mod.owner, mod.name, mod.version])])
+        NGINX_HOME = "/etc/nginx"
+        READ_ONLY_FS = read-only-fs.read-only
     }
-    tags = concat(tag("nginx-alpine"),
-        vtag("${crs-version}", "nginx-alpine")
+    tags = concat(tag("${base.tag_base}${equal(read-only-fs.read-only, "true") ? "-read-only" : ""}"),
+        vtag("${crs-version}", "${base.tag_base}${equal(read-only-fs.read-only, "true") ? "-read-only" : ""}")
     )
 }
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
@@ -1,11 +1,12 @@
-ARG NGINX_VERSION="n/a"
-
-FROM nginxinc/nginx-unprivileged:${NGINX_VERSION} AS build
+FROM image AS build
 
+ARG NGINX_VERSION="n/a"
 ARG MODSEC3_VERSION="n/a"
 ARG LMDB_VERSION="n/a"
 ARG LUA_VERSION="n/a"
 ARG NGINX_DYNAMIC_MODULES="n/a"
+ARG NGINX_HOME="n/a"
+ARG READ_ONLY_FS="false"
 
 USER root
 
@@ -86,7 +87,7 @@ RUN set -eux; \
     curl -sSL https://ssl-config.mozilla.org/ffdhe2048.txt -o /usr/share/TLS/dhparam-2048.pem; \
     curl -sSL https://ssl-config.mozilla.org/ffdhe4096.txt -o /usr/share/TLS/dhparam-4096.pem
 
-FROM nginxinc/nginx-unprivileged:${NGINX_VERSION} AS crs_release
+FROM image AS crs_release
 
 ARG CRS_RELEASE
 
@@ -114,15 +115,19 @@ RUN curl -sSL https://github.com/coreruleset/coreruleset/releases/download/v${CR
     rm -f v${CRS_RELEASE}-minimal.tar.gz coreruleset-${CRS_RELEASE}-minimal.tar.gz.asc; \
     mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf
 
-FROM nginxinc/nginx-unprivileged:${NGINX_VERSION}
+FROM image
 
 ARG MODSEC3_VERSION
 ARG LMDB_VERSION
 ARG LUA_VERSION
 ARG LUA_MODULES
+ARG NGINX_HOME
+ARG READ_ONLY_FS
 
 LABEL maintainer="Felipe Zipitria <felipe.zipitria@owasp.org>"
 
+ENV NGINX_HOME="${NGINX_HOME}"
+
 ENV \
     ACCESSLOG=/var/log/nginx/access.log \
     BACKEND=http://localhost:80 \
@@ -250,8 +255,25 @@ RUN set -eux; \
     ln -s /usr/local/modsecurity/lib/libmodsecurity.so.${MODSEC3_VERSION} /usr/local/modsecurity/lib/libmodsecurity.so.3.0; \
     ln -s /usr/local/modsecurity/lib/libmodsecurity.so.${MODSEC3_VERSION} /usr/local/modsecurity/lib/libmodsecurity.so.3; \
     ln -s /usr/local/modsecurity/lib/libmodsecurity.so.${MODSEC3_VERSION} /usr/local/modsecurity/lib/libmodsecurity.so; \
-    ln -sv /opt/owasp-crs /etc/modsecurity.d/; \
-    chown nginx:nginx /opt/owasp-crs /etc/modsecurity.d
+    ln -sv /opt/owasp-crs /etc/modsecurity.d/
+
+RUN set -eux; \
+    if [ "${READ_ONLY_FS}" = "true" ]; then \
+        # move files that need to be writable so we can use tmpfs for them later
+        mkdir -p /usr/local/bootstrap/nginx /usr/local/bootstrap/modsecurity.d /usr/local/bootstrap/owasp-crs; \
+        mv "${NGINX_HOME}/"* /usr/local/bootstrap/nginx/; \
+        mv /etc/modsecurity.d/* /usr/local/bootstrap/modsecurity.d/; \
+        mv /opt/owasp-crs/* /usr/local/bootstrap/owasp-crs/; \
+        chown nginx:nginx \
+            "${NGINX_HOME}" \
+            /usr/local/bootstrap/*; \
+    else \
+        # only run this script in read-only configuration
+        rm /docker-entrypoint.d/0-move-writables.sh; \
+    fi; \
+    chown nginx:nginx \
+        /opt/owasp-crs \
+        /etc/modsecurity.d
 
 USER nginx