feat: improve rule configuration #314

Merged
merged 3 commits into from
Dec 25, 2024
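--- a/.github/workflows/configure-rules-for-test.sh
+++ b/.github/workflows/configure-rules-for-test.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+# The purpose of this script is to test that `configure-rules.sh` will run
+# successfully for all variables that we configure.
+
+set -e
+
+conf_file="${1}"
+env_file="${2}"
+
+if [ -f "${env_file}" ]; then
+rm "${env_file}"
+fi
+
+while read -r line; do
+if [ -z "${line}" ] || echo "${line}" | grep -Eq "^#"; then
+continue
+fi
+
+var_name="$(cut -d'|' -f2 <<< "${line}")"
+test_value="$(cut -d'|' -f5 <<< "${line}")"
+echo "Setting ${var_name}=${test_value}"
+echo "${var_name}=${test_value}" >> "${env_file}"
+done < "${conf_file}"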
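Review bot: The `while read -r line` loop drops the final row if `configure-rules.conf` ever lacks a trailing newline, and the comment test forks `echo | grep` for every row; `while IFS= read -r line || [ -n "${line}" ]; do` together with `case "${line}" in ''|'#'*) continue ;; esac` handles both inside the shell. The `cut -f2` / `cut -f5` results are never validated, so a malformed row silently writes an empty name or `=` into the env file that the workflow then feeds to `docker run`; a guard such as `[ -n "${var_name}" ] || { echo "bad row: ${line}" >&2; exit 1; }` fails the job at the source instead. The leading `rm "${env_file}"` can be `rm -f -- "${env_file}"`, which also makes the separate `-f` test unnecessary.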
10 changes: 9 additions & 1 deletion .github/workflows/verifyimage.yml
Expand Up @@ -62,8 +62,16 @@ jobs:

- name: Run ${{ matrix.target }}
run: |
. .github/workflows/configure-rules-for-test.sh \
src/opt/modsecurity/configure-rules.conf \
"$(pwd)/${{ matrix.target }}.env"
echo "Starting container ${{ matrix.target }}"
docker run --pull "never" -d --name ${{ matrix.target }}-test "${REPO}:${{ matrix.target }}"
docker run \
--pull "never" \
-d \
--name ${{ matrix.target }}-test \
--env-file "${{ matrix.target }}.env" \
"${REPO}:${{ matrix.target }}"
sleep 30
docker logs ${{ matrix.target }}-test

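Review bot: The step sources `configure-rules-for-test.sh` with `.` rather than running it, so the script's `set -e` and its loop variables (`conf_file`, `env_file`, `line`, `var_name`, `test_value`) become part of the step shell instead of staying inside the script; `bash .github/workflows/configure-rules-for-test.sh \` keeps the generator isolated and exercises it the way a user would. The env file is written through an absolute path (`"$(pwd)/${{ matrix.target }}.env"`) but read back through a relative one in `--env-file`; using one form for both avoids a silent mismatch if a later edit changes directory inside the step. The `run:` block continues past the end of this hunk.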
3 changes: 2 additions & 1 deletion apache/Dockerfile
Expand Up @@ -158,7 +158,7 @@ COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/
COPY src/bin/* /usr/local/bin/
COPY apache/conf/extra/*.conf /usr/local/apache2/conf/extra/
COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/
COPY src/opt/modsecurity/activate-*.sh /opt/modsecurity/
COPY src/opt/modsecurity/* /opt/modsecurity/
COPY apache/docker-entrypoint.sh /

RUN set -eux; \
Expand All @@ -167,6 +167,7 @@ RUN set -eux; \
apt-get install -qq -y --no-install-recommends --no-install-suggests \
ca-certificates \
curl \
ed \
gnupg \
iproute2 \
libcurl3-gnutls \
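Review bot: `ed` joins the runtime package list with nothing saying what needs it; presumably `/opt/modsecurity/configure-rules.sh` does, and a comment line above the entry, `# ed: used by /opt/modsecurity/configure-rules.sh`, keeps the dependency from being pruned later (the same applies to the `ed` additions in apache/Dockerfile-alpine, nginx/Dockerfile and nginx/Dockerfile-alpine). `COPY src/opt/modsecurity/* /opt/modsecurity/` also widens the copy from `activate-*.sh` to the whole directory, so anything added there later lands in the image unreviewed; the nginx Dockerfiles copy the two scripts and `configure-rules.conf` by name, and listing them here the same way keeps the image content deliberate.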
3 changes: 2 additions & 1 deletion apache/Dockerfile-alpine
Expand Up @@ -166,7 +166,7 @@ COPY --from=build /usr/local/apache2/ModSecurity-${MODSEC2_VERSION}/unicode.mapp
COPY --from=crs_release /opt/owasp-crs /opt/owasp-crs
COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/
COPY src/bin/* /usr/local/bin/
COPY src/opt/modsecurity/activate-*.sh /opt/modsecurity/
COPY src/opt/modsecurity/* /opt/modsecurity/
COPY apache/conf/extra/*.conf /usr/local/apache2/conf/extra/
COPY apache/docker-entrypoint.sh /

Expand All @@ -176,6 +176,7 @@ RUN set -eux; \
apk add --no-cache \
ca-certificates \
curl \
ed \
gnupg \
iproute2 \
libfuzzy2 \
4 changes: 2 additions & 2 deletions apache/docker-entrypoint.sh
Expand Up @@ -3,7 +3,7 @@
/usr/local/bin/generate-certificate /usr/local/apache2
/usr/local/bin/check-low-port

. /opt/modsecurity/activate-plugins.sh
. /opt/modsecurity/activate-rules.sh
/opt/modsecurity/activate-plugins.sh
/opt/modsecurity/configure-rules.sh

exec "$@"
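Review bot: The two scripts are now run as child processes instead of being sourced, so a non-zero exit from `configure-rules.sh` only stops the entrypoint if this file's own shell options (lines 1–2, outside the hunk) abort on error, and anything the scripts export no longer reaches `exec "$@"`; if the start-up must fail when rule configuration fails, `/opt/modsecurity/configure-rules.sh || exit 1` makes that explicit regardless of the header. Executing them also depends on both files carrying the executable bit through `COPY`, which is worth asserting in CI since the container would otherwise fail only at start-up.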
8 changes: 0 additions & 8 deletions docker-bake.hcl
Expand Up @@ -47,14 +47,6 @@ variable "lua-modules-debian" {
]
}

variable "lua-modules-luarocks" {
default = [
"lua-resty-openidc",
"lua-zlib",
"luasocket"
]
}

variable "REPOS" {
# List of repositories to tag
default = [
5 changes: 3 additions & 2 deletions nginx/Dockerfile
Expand Up @@ -192,7 +192,6 @@ ENV \
SSL_VERIFY=off \
WORKER_CONNECTIONS=1024 \
# CRS specific variables
PARANOIA=1 \
ANOMALY_INBOUND=5 \
ANOMALY_OUTBOUND=4 \
BLOCKING_PARANOIA=1
Expand All @@ -208,7 +207,8 @@ COPY src/etc/modsecurity.d/modsecurity-override.conf /etc/nginx/templates/modsec
COPY src/etc/modsecurity.d/setup.conf /etc/nginx/templates/modsecurity.d/setup.conf.template
COPY nginx/docker-entrypoint.d/*.sh /docker-entrypoint.d/
COPY src/opt/modsecurity/activate-plugins.sh /docker-entrypoint.d/94-activate-plugins.sh
COPY src/opt/modsecurity/activate-rules.sh /docker-entrypoint.d/95-activate-rules.sh
COPY src/opt/modsecurity/configure-rules.sh /docker-entrypoint.d/95-configure-rules.sh
COPY src/opt/modsecurity/configure-rules.conf /docker-entrypoint.d/
# We use the templating mechanism from the nginx image here.
COPY nginx/templates /etc/nginx/templates/
COPY src/bin/* /usr/local/bin/
Expand All @@ -221,6 +221,7 @@ RUN set -eux; \
LD_LIBRARY_PATH="" apt-get install -y -qq --no-install-recommends --no-install-suggests \
ca-certificates \
curl \
ed \
libcurl4-gnutls-dev \
libfuzzy2 \
liblua${LUA_VERSION} \
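Review bot: `configure-rules.conf` is copied into `/docker-entrypoint.d/`, the directory the nginx base image's entrypoint walks at start-up; a file there that is neither `.sh` nor `.envsh` is logged as ignored on every start, so the data file works but adds noise and sits among hook scripts (same in nginx/Dockerfile-alpine). A location outside the hook directory, paired with whatever path `95-configure-rules.sh` uses to locate the file (not visible here), keeps scripts and data apart. Dropping `PARANOIA=1` from `ENV` while keeping `BLOCKING_PARANOIA=1` agrees with the conf marking `PARANOIA` as legacy, but a one-line comment next to `BLOCKING_PARANOIA=1` noting that it replaces `PARANOIA` would spare the next reader the search.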
4 changes: 3 additions & 1 deletion nginx/Dockerfile-alpine
Expand Up @@ -200,7 +200,8 @@ COPY src/etc/modsecurity.d/modsecurity-override.conf /etc/nginx/templates/modsec
COPY src/etc/modsecurity.d/setup.conf /etc/nginx/templates/modsecurity.d/setup.conf.template
COPY nginx/docker-entrypoint.d/*.sh /docker-entrypoint.d/
COPY src/opt/modsecurity/activate-plugins.sh /docker-entrypoint.d/94-activate-plugins.sh
COPY src/opt/modsecurity/activate-rules.sh /docker-entrypoint.d/95-activate-rules.sh
COPY src/opt/modsecurity/configure-rules.sh /docker-entrypoint.d/95-configure-rules.sh
COPY src/opt/modsecurity/configure-rules.conf /docker-entrypoint.d/
# We use the templating mechanism from the nginx image here.
COPY nginx/templates /etc/nginx/templates/
COPY src/bin/* /usr/local/bin/
Expand All @@ -211,6 +212,7 @@ RUN set -eux; \
apk add --no-cache \
curl \
curl-dev \
ed \
libfuzzy2 \
libmaxminddb-dev \
libstdc++ \
12 changes: 0 additions & 12 deletions renovate.json
Expand Up @@ -96,18 +96,6 @@
],
"depNameTemplate": "coreruleset/coreruleset",
"datasourceTemplate": "github-releases"
},
{
"description": "Docs: OpenResty",
"customType": "regex",
"fileMatch": [
"^README\\.md$"
],
"matchStrings": [
"OpenResty (?<currentValue>\\d+\\.\\d+\\.\\d+(\\.\\d+)?)"
],
"depNameTemplate": "openresty/openresty",
"datasourceTemplate": "docker"
}
]
}
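--- a/src/opt/modsecurity/activate-plugins.sh
+++ b/src/opt/modsecurity/activate-plugins.sh
@@ -1,5 +1,7 @@
 #!/bin/sh -e
 
+printf "# # #\nRunning CRS plugin activation\n- - -\n\n"
+
 # Check if crs-setup.conf is overriden
 if [ -n "${MANUAL_MODE}" ]; then
 echo "Using manual config mode"
@@ -25,3 +27,4 @@ for suffix in "config" "before" "after"; do
 fi
 done
 
+printf -- "- - -\nFinished CRS plugin activation\n# # #\n\n"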
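Review bot: Both banners pass their text as printf's format string, which is why the closing one needs `--` and the opening one works only because `#` is not special there; `printf '%s\n' '# # #' 'Running CRS plugin activation' '- - -' ''` and the matching form for the closing banner keep text out of the format and make the two lines consistent. The `for` loop whose `done` appears in the second hunk starts outside it.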
148 changes: 0 additions & 148 deletions src/opt/modsecurity/activate-rules.sh

This file was deleted.

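--- a/src/opt/modsecurity/configure-rules.conf
+++ b/src/opt/modsecurity/configure-rules.conf
@@ -0,0 +1,29 @@
+# Format: <legacy (0|1)>|<env var>|<rule ID>|<tx var name>|<test value>
+# The octothorpe (#) designates a comment, comments are ignored
+# See `.github/workflows/configure-rules-for-test.sh` for how the test value is used.
+
+# Superceded by BLOCKING_PARANOIA
+true|PARANOIA|900000|blocking_paranoia_level|4
+true|PARANOIA|900001|detection_paranoia_level|4
+false|BLOCKING_PARANOIA|900000|blocking_paranoia_level|4
+# Superceded by DETECTION_PARANOIA
+true|EXECUTING_PARANOIA|900001|executing_paranoia_level|4
+false|DETECTION_PARANOIA|900001|detection_paranoia_level|4
+false|ENFORCE_BODYPROC_URLENCODED|900010|enforce_bodyproc_urlencoded|0
+false|INBOUND_ANOMALY|900110|inbound_anomaly_score_threshold|6
+false|OUTBOUND_ANOMALY|900110|outbound_anomaly_score_threshold|6
+false|ALLOWED_METHODS|900200|allowed_methods|GET OPTIONS
+false|ALLOWED_REQUEST_CONTENT_TYPE|900220|allowed_request_content_type|application/json
+false|ALLOWED_REQUEST_CONTENT_TYPE_CHARSET|900280|allowed_request_content_type_charset|utf-8
+false|ALLOWED_HTTP_VERSIONS|900230|allowed_http_versions|1.1
+false|RESTRICTED_EXTENSIONS|900240|restricted_extensions|.exe/
+false|RESTRICTED_HEADERS_BASIC|900250|restricted_headers_basic|/if/
+false|RESTRICTED_HEADERS_EXTENDED|900255|restricted_headers_extended|/x-some-header/
+false|MAX_NUM_ARGS|900300|max_num_args|100
+false|ARG_NAME_LENGTH|900310|arg_name_length|200
+false|ARG_LENGTH|900230|arg_length|300
+false|TOTAL_ARG_LENGTH|900330|total_arg_length|400
+false|MAX_FILE_SIZE|900340|max_file_size|500
+false|COMBINED_FILE_SIZES|900350|combined_file_sizes|600
+false|VALIDATE_UTF8_ENCODING|900950|crs_validate_utf8_encoding|0
+false|REPORTING_LEVEL|900115|reporting_level|5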
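Review bot: The `ARG_LENGTH` row carries rule ID 900230, the same ID as `ALLOWED_HTTP_VERSIONS`, and it breaks the 900300/900310/…/900330 run of the neighbouring argument-limit rows; in the CRS setup file `tx.arg_length` is set by rule 900320, so `false|ARG_LENGTH|900320|arg_length|300` looks like the intended line, and as written an `ARG_LENGTH` setting would be applied to the wrong rule. The header describes field 1 as `<legacy (0|1)>` while every row uses `true`/`false`; one of the two should change so whatever reads that field has an unambiguous contract. The `INBOUND_ANOMALY`/`OUTBOUND_ANOMALY` names here do not match the `ANOMALY_INBOUND`/`ANOMALY_OUTBOUND` defaults set in nginx/Dockerfile's `ENV` block, so unless `configure-rules.sh` maps those names separately the image defaults would never be picked up through this table. `Superceded` on the two comment lines should read `Superseded`.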