Mod Security Build Updates

Dockerfile

@@ -57,8 +57,7 @@ RUN set -ex; \
         g++ \
         flex \
         bison \
-        yajl-dev; \
-    apk add --no-cache \
+        yajl-dev \
         doxygen \
         geoip \
         yajl \
@@ -71,7 +70,7 @@ RUN set -ex; \
     git submodule init;  \
     git submodule update; \
     ./build.sh; \
-    ./configure; \
+    ./configure --disable-doxygen-doc --disable-doxygen-html; \
     make -j$(getconf _NPROCESSORS_ONLN); \
     make install;  \
     mkdir -p /etc/nginx/modsec/; \
@@ -86,7 +85,6 @@ RUN set -ex; \
     mv "/tmp/owasp-modsecurity-crs-${OWASP_CRS_VER}" /usr/local/owasp-modsecurity-crs; \
     cp /usr/local/owasp-modsecurity-crs/crs-setup.conf.example /usr/local/owasp-modsecurity-crs/crs-setup.conf; \
     sed -i "s#SecRule REQUEST_COOKIES|#SecRule REQUEST_URI|REQUEST_COOKIES|#" /usr/local/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf; \
-    echo -e "Include /etc/nginx/modsec/modsecurity.conf\r\n\r\nInclude /usr/local/owasp-modsecurity-crs/crs-setup.conf\r\nInclude /usr/local/owasp-modsecurity-crs/rules/*.conf" > /etc/nginx/modsec/main.conf; \
     # Get ngx pagespeed module.
     git clone -b "v${NGX_PAGESPEED_VER}-stable" \
           --recurse-submodules \
@@ -211,7 +209,7 @@ RUN set -ex; \
     apk del --purge .nginx-build-deps; \
     apk del --purge .libmodsecurity-deps; \
     rm -rf /tmp/*; \
-    rm -rf /var/cache/apk/*
+    rm -rf /var/cache/apk/* ;
 
 USER wodby
 

README.md

@@ -108,7 +108,7 @@ Supported tags and respective `Dockerfile` links:
 | `NGINX_VHOST_PRESET`                      | `html`                      |             |
 | `NGINX_WORKER_CONNECTIONS`                | `1024`                      |             |
 | `NGINX_WORKER_PROCESSES`                  | `auto`                      |             |
-| `NGINX_DISABLE_MODSECURITY`               |                             | To disable loading of Mod Security module |
+| `NGINX_MODSECURITY_ENABLE`               | 0                           | By default this is disabled,Set this to 1, to enable |
 
 Static files extension defined via the regex and can be overriden via the env var `NGINX_STATIC_EXT_REGEX`, default:
 ```
@@ -157,6 +157,19 @@ We are also using the nginx connector provided for the mod security module.
 Mod security version 3.0.3
 * [Mod Security](https://github.com/SpiderLabs/ModSecurity)
 
+
+Additional environment variables for ModSecurity fine tuning:
+
+| Variable                            | Default Value | Description |
+| ------------------------------------| ------------- | ----------- |
+| `NGINX_MODSEC_ANOMALY_IN_THRESHOLD` | `10`           | The anomaly detection for input. For fine tuning mod security performance  |
+| `NGINX_MODSEC_ANOMALY_OUT_THRESHOLD`| `7`           | The anomaly detection for output. |
+| `NGINX_MODSEC_PRE_CORE_RULES`       |               | Location of setup rules to be loaded before the core rules  |
+| `NGINX_MODSEC_POST_CORE_RULES`      |               | Location of setup rules to be loaded after the core rules   |
+| `NGINX_MODSEC_USE_OWASP_CRS`      | 0              | Use owasp mod sec core rule set , use 1 to enabl owasp crs  |
+
+
+
 ## Virtual hosts presets
 
 By default will be used `html` virtual host preset, you can change it via env var `$NGINX_VHOST_PRESET`. The list of available presets:

docker-entrypoint.sh

@@ -41,6 +41,8 @@ process_templates() {
     _gotpl "includes/defaults.conf.tmpl" "/etc/nginx/defaults.conf"
     _gotpl "includes/fastcgi.conf.tmpl" "/etc/nginx/fastcgi.conf"
 
+    _gotpl "includes/modsec.conf.tmpl" "/etc/nginx/modsec/main.conf"
+
     if [[ -n "${NGINX_VHOST_PRESET}" ]]; then
         _gotpl "presets/${NGINX_VHOST_PRESET}.conf.tmpl" "/etc/nginx/preset.conf"
 

templates/includes/modsec.conf.tmpl

@@ -0,0 +1,55 @@
+Include /etc/nginx/modsec/modsecurity.conf
+
+{{ if eq ( getenv "NGINX_MODSEC_USE_OWASP_CRS" "0") "1" }}
+Include /usr/local/owasp-modsecurity-crs/crs-setup.conf
+{{ end }}
+
+{{ if or (eq (getenv "NGINX_VHOST_PRESET") "drupal8") (eq (getenv "NGINX_VHOST_PRESET") "drupal7") (eq (getenv "NGINX_VHOST_PRESET") "drupal6") }}
+SecAction \
+ "id:900130,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:tx.crs_exclusions_drupal=1,\
+  setvar:tx.crs_exclusions_wordpress=0,\
+  setvar:tx.crs_exclusions_nextcloud=0,\
+  setvar:tx.crs_exclusions_dokuwiki=0,\
+  setvar:tx.crs_exclusions_cpanel=0"
+{{ end }}
+
+{{ if (eq (getenv "NGINX_VHOST_PRESET") "wordpress") }}
+SecAction \
+ "id:900130,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:tx.crs_exclusions_drupal=0,\
+  setvar:tx.crs_exclusions_wordpress=1,\
+  setvar:tx.crs_exclusions_nextcloud=0,\
+  setvar:tx.crs_exclusions_dokuwiki=0,\
+  setvar:tx.crs_exclusions_cpanel=0"
+{{ end }}
+
+SecAction \
+ "id:900110,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:tx.inbound_anomaly_score_threshold={{ getenv "NGINX_MODSEC_ANOMALY_IN_THRESHOLD" "7" }},\
+  setvar:tx.outbound_anomaly_score_threshold={{ getenv "NGINX_MODSEC_ANOMALY_OUT_THRESHOLD" "7" }}"
+
+{{ if getenv "NGINX_MODSEC_PRE_CORE_RULES" }}
+Include {{ getenv "NGINX_MODSEC_PRE_CORE_RULES" }}
+{{ end }}
+
+{{ if eq ( getenv "NGINX_MODSEC_USE_OWASP_CRS" "0") "1" }}
+Include /usr/local/owasp-modsecurity-crs/rules/*.conf
+{{ end }}
+
+{{ if getenv "NGINX_MODSEC_POST_CORE_RULES" }}
+Include {{ getenv "NGINX_MODSEC_POST_CORE_RULES" }}
+{{ end }}
+

templates/nginx.conf.tmpl

@@ -2,7 +2,7 @@ user                            {{ getenv "NGINX_USER" "nginx" }};
 daemon                          off;
 worker_processes                {{ getenv "NGINX_WORKER_PROCESSES" "auto" }};
 error_log                       /proc/self/fd/2 {{ getenv "NGINX_ERROR_LOG_LEVEL" "error" }};
-{{ if not ( getenv "NGINX_DISABLE_MODSECURITY") }}
+{{ if eq ( getenv "NGINX_MODSECURITY_ENABLE" "0") "1" }}
 load_module                     modules/ngx_http_modsecurity_module.so;
 {{ end }}
 events {

templates/vhost.conf.tmpl

@@ -4,7 +4,7 @@ server {
     listen       80 default_server{{ if getenv "NGINX_HTTP2" }} http2{{ end }};
     server_name  {{ getenv "NGINX_SERVER_NAME" "default" }};
 
-	{{ if not ( getenv "NGINX_DISABLE_MODSECURITY") }}
+	{{ if eq ( getenv "NGINX_MODSECURITY_ENABLE" "0") "1" }}
 	modsecurity on;
     modsecurity_rules_file /etc/nginx/modsec/main.conf;
     {{ end }}

tests/basic/docker-compose.yml

@@ -6,3 +6,6 @@ services:
     volumes:
       - ./tests.sh:/usr/local/bin/tests.sh
       - ./nginx_modules:/home/wodby/nginx_modules
+    environment:
+      NGINX_MODSECURITY_ENABLE: "1"
+      NGINX_MODSEC_USE_OWASP_CRS: "1"

tests/basic/tests.sh

@@ -12,6 +12,18 @@ echo -n "Checking Nginx response... "
 curl -s localhost | grep -q "It works!"
 echo "OK"
 
+echo -n "Checking Modsecurity XSS... "
+curl -s "localhost?test=<script>alert(42)</script>" | grep -q "403 Forbidden"
+echo "OK"
+
+echo -n "Checking LFI .. "
+curl -s "localhost?template=../../etc/passwd" | grep -q "403 Forbidden"
+echo "OK"
+
+echo -n "Checking SQL Injection "
+curl -s "http://localhost/ar?id=' OR 1='1" | grep -q "403 Forbidden"
+echo "OK"
+
 rm /var/www/html/index.html
 
 echo -n "Checking Nginx version... "
@@ -21,7 +33,6 @@ echo "OK"
 2>&1 nginx -V | tr -- - '\n' | grep -E "_module|module=" | sed -E 's#=dynamic|_module|module=/tmp/##g' | sed 's/[ \t]*$//' | sort > /tmp/nginx_modules
 
 echo -n "Checking Nginx modules... "
-
 if ! cmp -s /tmp/nginx_modules /home/wodby/nginx_modules; then
     echo "Error. Nginx modules are not identical."
     diff /tmp/nginx_modules /home/wodby/nginx_modules