-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathDockerfile
66 lines (58 loc) · 2.43 KB
/
Dockerfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
FROM ghcr.io/coreruleset/modsecurity-crs:4.7.0-apache-alpine-202410090410
ENV ACCESSLOG=/dev/stdout \
ERRORLOG='"|/usr/bin/stdbuf -i0 -oL /opt/transform-alert-message.awk"' \
PERFLOG=/dev/stdout \
LOGLEVEL=notice \
TIMEOUT=5 \
WORKER_CONNECTIONS=250 \
MODSEC_AUDIT_LOG_PARTS=ABEFHIJZ \
ANOMALY_INBOUND=1000 \
ANOMALY_OUTBOUND=1000 \
ALLOWED_METHODS='GET HEAD POST OPTIONS DELETE PUT PROPFIND' \
ALLOWED_CONTENT='|application/x-www-form-urlencoded| |multipart/form-data| |text/xml| |application/xml| |application/x-amf| |application/json|' \
ARG_NAME_LENGTH=256 \
COMBINED_FILE_SIZES=100000000 \
MAX_FILE_SIZE=100000000 \
MAX_NUM_ARGS=300 \
TOTAL_ARG_LENGTH=100000 \
MODSEC_PCRE_MATCH_LIMIT=500000 \
MODSEC_PCRE_MATCH_LIMIT_RECURSION=500000 \
MODSEC_REQ_BODY_LIMIT=100000000 \
MODSEC_REQ_BODY_NOFILES_LIMIT=5242880 \
MODSEC_RESP_BODY_LIMIT=500000000 \
CLAMD_DEBUG_LOG=off \
# Use the default docker subnet as the default \
HEALTHZ_CIDRS=172.18.0.0/24
USER root
RUN set -x && \
# Install additional required tools \
apk add --no-cache clamav-clamdscan coreutils gawk && \
# Disable all TLS related stuff (we'll have a reverse-proxy in front of us \
# doing TLS termination) Also see the amended ./conf/httpd-vhosts.conf \
# file. \
sed -i '/generate-certificate/d' /docker-entrypoint.sh && \
sed -i '/Include .*httpd-ssl.conf/d' /usr/local/apache2/conf/httpd.conf && \
# Disable CRS plugin system \
sed -i '/activate-plugins/d' /docker-entrypoint.sh && \
# Disable customized logging configuration - we'll configure this in \
# ./conf/vshn-logging.conf \
sed -i '/CustomLog /d' /usr/local/apache2/conf/httpd.conf
# Fix Permissions
# On OpenShift, the container will be started with a random UID and GID 0, so
# we have to make some directories group-writeable.
RUN chown -R 0:0 \
/usr/local/apache2/logs \
/opt/owasp-crs \
&& \
chmod g+w \
/usr/local/apache2/logs \
/opt/owasp-crs
# Customized configuration files
COPY transform-alert-message.awk virus-check.pl /opt/
COPY clamd.conf /etc/clamav/clamd.conf
COPY conf/* /usr/local/apache2/conf/extra/
COPY modsecurity.d/setup.conf /etc/modsecurity.d/setup.conf
# Custom ModSecurity rules
COPY ./custom-rules/before-crs.dist /opt/modsecurity/rules/before-crs.dist
COPY ./custom-rules/after-crs.dist /opt/modsecurity/rules/after-crs.dist
USER 956947:0