diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index ad209b0..9fc5625 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -61,6 +61,13 @@ jobs:
 username: ${{ secrets.dockerhub_user }}
 password: ${{ secrets.dockerhub_token }}
+ - name: Login to Docker Hardened Images registry
+ uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # docker/login-action@v3.5.0
+ with:
+ registry: dhi.io
+ username: ${{ secrets.dockerhub_user }}
+ password: ${{ secrets.dockerhub_token }}
+
 - name: Login to GitHub Container Registry
 uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # docker/login-action@v3.5.0
 with:
diff --git a/.github/workflows/verifyimage.yml b/.github/workflows/verifyimage.yml
index 80a470b..2ac641a 100644
--- a/.github/workflows/verifyimage.yml
+++ b/.github/workflows/verifyimage.yml
@@ -11,7 +11,7 @@ permissions:
 env:
 # sha256sum format:
 MODSECURITY_RECOMMENDED: "ccff8ba1f12428b34ff41960d8bf773dd9f62b9a7c77755247a027cb01896d4f modsecurity.conf-recommended"
- GO_FTW_VERSION: '1.3.0'
+ GO_FTW_VERSION: '2.1.0'
 jobs:
 prepare:
@@ -60,6 +60,13 @@ jobs:
 with:
 driver-opts: image=moby/buildkit:master
+ - name: Login to Docker Hardened Images registry
+ uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # docker/login-action@v3.5.0
+ with:
+ registry: dhi.io
+ username: ${{ secrets.dockerhub_user }}
+ password: ${{ secrets.dockerhub_token }}
+
 - name: Login to GitHub Container Registry
 uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # docker/login-action@v3.5.0
 with:
diff --git a/README.md b/README.md
index 4b60cbd..50f8679 100644
--- a/README.md
+++ b/README.md
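Review bot: The new dhi.io login in verifyimage.yml (`@@ -60,6 +60,13 @@`) makes the verification workflow depend on `secrets.dockerhub_user` and `secrets.dockerhub_token`, which are empty for pull requests opened from forks, and docker/login-action fails when handed empty credentials; the workflow's trigger list is outside this hunk, so if it runs on fork PRs the debian apache variant can no longer be verified there, and even with the login skipped the pull of the dhi.io base would still need those credentials. The identical step in publish.yml (`@@ -61,6 +61,13 @@`) is not affected, since a publish run has the repository secrets. If fork PRs are expected, gate the step on the secret being present through an env mapping, because the `secrets` context is not usable in a step `if`: `env: { DHI_USER: "${{ secrets.dockerhub_user }}" }` on the step and `if: env.DHI_USER != ''`. A one-line comment above the step saying that the debian apache runtime base is pulled from dhi.io and therefore needs Docker Hub credentials would also explain why a second login to the same account is required.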
@@ -64,10 +64,10 @@ Examples:
 ## OS Variants
-* nginx – *latest stable ModSecurity v3 on Nginx 1.28.2 official stable base image, and latest stable OWASP CRS 4.25.0*
+* nginx – *latest stable ModSecurity v3 on Nginx 1.30.0 official stable base image, and latest stable OWASP CRS 4.26.0*
 * [nginx](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)
 * [nginx-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine)
-* Apache httpd – *last stable ModSecurity v2 on Apache 2.4.66 official stable base image, and latest stable OWASP CRS 4.25.0*
+* Apache httpd – *last stable ModSecurity v2 on Apache 2.4.67 Docker hardened base image, and latest stable OWASP CRS 4.26.0*
 * [apache](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)
 * [apache-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine)
diff --git a/apache/Dockerfile b/apache/Dockerfile
index c6411e9..30c742b 100644
--- a/apache/Dockerfile
+++ b/apache/Dockerfile
@@ -3,7 +3,7 @@ ARG HTTPD_VERSION="n/a"
-FROM image AS build
+FROM build_image AS build
 ARG MODSEC2_VERSION="n/a"
 ARG MODSEC2_FLAGS="n/a"
@@ -27,12 +27,10 @@ RUN set -eux; \
 libyajl-dev \
 lua${LUA_VERSION}-dev \
 make \
- pkgconf \
- wget
+ pkgconf
 RUN set -eux; \
- wget --quiet https://github.com/owasp-modsecurity/ModSecurity/archive/refs/tags/v${MODSEC2_VERSION}.tar.gz; \
- tar -zxvf v${MODSEC2_VERSION}.tar.gz; \
+ git clone https://github.com/owasp-modsecurity/ModSecurity --branch "v${MODSEC2_VERSION}" --depth 1 --recursive ModSecurity-${MODSEC2_VERSION}; \
 cd ModSecurity-${MODSEC2_VERSION}; \
 ./autogen.sh; \
 ./configure ${MODSEC2_FLAGS}; \
@@ -40,7 +38,7 @@ RUN set -eux; \
 make install; \
 make clean
-FROM image AS crs_release
+FROM build_image AS crs_release
 ARG CRS_RELEASE
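Review bot: The new `git clone ... --branch "v${MODSEC2_VERSION}" --depth 1 --recursive` in the `@@ -27,12 +27,10 @@` hunk fetches a mutable tag with no integrity check, so the ModSecurity sources compiled into the image are whatever that tag points at on build day; the wget tarball it replaces was unchecked too, but the crs_release stage verifies a detached `.asc` signature for CRS and the ModSecurity fetch has no equivalent. Pin the expected commit next to the version (for example a `MODSEC2_COMMIT` build arg fed from docker-bake.hcl) and fail the build when `git -C ModSecurity-${MODSEC2_VERSION} rev-parse HEAD` differs from it, or run `git verify-tag "v${MODSEC2_VERSION}"` if upstream signs its release tags. `--recursive` also checks out submodules at their recorded commits, which the archive tarball did not include, so the set of build inputs has grown and deserves a comment. `git` must be present in the build stage's apt list, which is mostly outside this hunk, and the RUN instruction continues past the hunk end.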
@@ -60,6 +58,53 @@ RUN set -eux; \
 rm -f v${CRS_RELEASE}-minimal.tar.gz coreruleset-${CRS_RELEASE}-minimal.tar.gz.asc; \
 mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf
+FROM build_image AS runtime_deps
+
+ARG LUA_VERSION="n/a"
+ARG LUA_MODULES=""
+
+# hadolint ignore=DL3008,SC2086
+RUN set -eux; \
+ echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections; \
+ apt-get update -qq; \
+ apt-get install -y -qq --no-install-recommends --no-install-suggests \
+ ca-certificates \
+ curl \
+ ed \
+ iproute2 \
+ libcurl3-gnutls \
+ libfuzzy2 \
+ liblua${LUA_VERSION} \
+ ${LUA_MODULES} \
+ libpcre2-8-0 \
+ libxml2 \
+ libyajl2; \
+ update-ca-certificates -f; \
+ mkdir /staging; \
+ for pkg in \
+ ca-certificates \
+ curl \
+ ed \
+ iproute2 \
+ libcurl3-gnutls \
+ libfuzzy2 \
+ liblua${LUA_VERSION} \
+ libpcre2-8-0 \
+ libxml2 \
+ libyajl2 \
+ ${LUA_MODULES}; \
+ do \
+ dpkg -L "${pkg}" 2>/dev/null \
+ | grep -Ev "^(/usr/share/doc/|/usr/share/man/|/usr/share/lintian/)|\.$" \
+ | while IFS= read -r f; do \
+ if [ -f "${f}" ] || [ -L "${f}" ]; then \
+ cp --parents -d "${f}" /staging/; \
+ fi; \
+ done; \
+ done; \
+ apt-get clean; \
+ rm -rf /var/lib/apt/lists/*
+
 FROM image
 ARG MODSEC2_VERSION
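Review bot: The staging loop copies only paths that `dpkg -L` lists, but `update-ca-certificates -f` generates `/etc/ssl/certs/ca-certificates.crt` and the per-certificate symlinks in `/etc/ssl/certs/` at install time rather than shipping them inside the package, so the bundle this stage builds never reaches `/staging/` and the runtime image is left with whatever trust store the dhi.io/httpd base carries, if any; `curl` and any outbound TLS done by the module then depend on the base, not on this stage. If the bundle is meant to come from here, add `cp --parents -d /etc/ssl/certs/ca-certificates.crt /staging/; \` after the loop, otherwise drop the `update-ca-certificates -f` call and state in a comment that trust roots are supplied by the base. The same gap applies to transitive shared-library dependencies of the listed packages (whatever `libcurl3-gnutls` links against, for instance): they are installed in this stage but not staged unless named, so they must already exist in the hardened base, which this diff cannot show; running `ldd` on the built module and on `curl` inside the final image, or expanding the list with `apt-cache depends --recurse`, would confirm it. The RUN instruction is complete within the hunk.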
@@ -165,28 +210,9 @@ COPY apache/conf/extra/*.conf /usr/local/apache2/conf/extra/
 COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/
 COPY src/opt/modsecurity/* /opt/modsecurity/
 COPY apache/docker-entrypoint.sh /
+COPY --from=runtime_deps /staging/ /
-RUN set -eux; \
- echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections; \
- apt-get update -qq; \
- apt-get install -qq -y --no-install-recommends --no-install-suggests \
- ca-certificates \
- curl \
- ed \
- gnupg \
- iproute2 \
- libcurl3-gnutls \
- libfuzzy2 \
- liblua${LUA_VERSION} \
- ${LUA_MODULES} \
- libpcre2-8-0 \
- libxml2 \
- libyajl2; \
- update-ca-certificates -f; \
- apt-get clean; \
- rm -rf /var/lib/apt/lists/*
-
-RUN useradd --system httpd
+USER 0
 RUN set -eux; \
 mkdir -p /etc/modsecurity.d/; \
@@ -219,7 +245,7 @@ RUN set -eux; \
 echo 'Include conf/extra/httpd-locations.conf' >> /usr/local/apache2/conf/httpd.conf; \
 echo 'Include conf/extra/httpd-modsecurity.conf' >> /usr/local/apache2/conf/httpd.conf; \
 sed -i -E 's|(MaxRequestWorkers[ ]*)[0-9]*|\1${WORKER_CONNECTIONS}|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
- chown -R httpd:httpd \
+ chown -R www-data:www-data \
 /var/log/ \
 /var/log/modsecurity/audit/ \
 /usr/local/apache2/ \
@@ -227,7 +253,7 @@ RUN set -eux; \
 /tmp/modsecurity \
 /opt/owasp-crs
-USER httpd
+USER www-data
 ENTRYPOINT ["/docker-entrypoint.sh"]
diff --git a/docker-bake.hcl b/docker-bake.hcl
index 116add6..a788232 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -1,7 +1,7 @@
 # docker-bake.hcl
 variable "modsec3-version" {
 # renovate: depName=ModSecurity3 packageName=owasp-modsecurity/ModSecurity datasource=github-releases
- default = "3.0.14"
+ default = "3.0.15"
 }
 variable "modsec3-flags" {
@@ -10,7 +10,7 @@ variable "modsec3-flags" {
 variable "modsec2-version" {
 # renovate: depName=ModSecurity2 packageName=owasp-modsecurity/ModSecurity datasource=github-releases
- default = "2.9.12"
+ default = "2.9.13"
 }
 variable "modsec2-flags" {
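Review bot: `USER 0` in the `@@ -165,28 +210,9 @@` hunk replaces `RUN useradd --system httpd` without a comment, so the reader is left to work out why the build must re-enter root here (presumably the hardened base does not run as root by default) and where the `www-data` account used by `chown -R www-data:www-data` (`@@ -219,7 +245,7 @@`) and `USER www-data` (`@@ -227,7 +253,7 @@`) now comes from; both of those hunks assume the account exists in `dhi.io/httpd`, which this diff cannot show. Add above the line `# The hardened base does not run as root; switch back for the remaining setup steps. www-data is provided by the base image, so no user is created here.` The `COPY --from=runtime_deps /staging/ /` overlay also carries package-owned files under `/etc` (the `ca-certificates` configuration, for example) onto the base's own copies, which silently replaces base-managed files if the build image and the hardened base are not the same Debian release, so the same comment should say which paths are expected to be overlaid.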
@@ -23,7 +23,7 @@ variable "previous-lts-crs-version" {
 variable "major-crs-version" {
 # renovate: depName=coreruleset/coreruleset datasource=github-releases
- default = "4.25.0"
+ default = "4.26.0"
 }
 variable "v4-lts-crs-version" {
@@ -40,12 +40,12 @@ variable "crs-versions" {
 variable "nginx-version" {
 # renovate: depName=nginxinc/nginx-unprivileged datasource=docker
- default = "1.28.2"
+ default = "1.30.0"
 }
 variable "httpd-version" {
 # renovate: depName=httpd datasource=docker
- default = "2.4.66"
+ default = "2.4.67"
 }
 variable "modsecurity-nginx-version" {
@@ -155,7 +155,8 @@ target "apache" {
 {
 name = "debian"
 dockerfile="apache/Dockerfile"
- image = "docker-image://httpd:${httpd-version}"
+ image = "docker-image://dhi.io/httpd:${httpd-version}"
+ build_image = "docker-image://httpd:${httpd-version}"
 lua_modules = join(" ", lua-modules-debian)
 tag_base = "apache"
 },
@@ -163,6 +164,7 @@ target "apache" {
 name = "alpine"
 dockerfile = "apache/Dockerfile-alpine"
 image = "docker-image://httpd:${httpd-version}-alpine"
+ build_image = "docker-image://httpd:${httpd-version}-alpine"
 lua_modules = join(" ", lua-modules-alpine)
 tag_base = "apache-alpine"
 }
@@ -173,6 +175,7 @@ target "apache" {
 name = "apache-${base.name}-${crs_entry.tag}"
 contexts = {
 image = base.image
+ build_image = base.build_image
 }
 dockerfile = base.dockerfile
 args = {
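Review bot: The new `image = "docker-image://dhi.io/httpd:${httpd-version}"` in the `@@ -155,7 +155,8 @@` hunk resolves the runtime base by a mutable tag, while `httpd-version` is renovate-tracked against the Docker Hub `httpd` datasource, so a renovate bump only builds if dhi.io publishes the same tag at the same time, and nothing records which image content a successful pull actually produced. Pin the hardened base by digest so the runtime image is reproducible and tag moves show up as explicit diffs: `image = "docker-image://dhi.io/httpd:${httpd-version}@sha256:<DHI_HTTPD_DIGEST placeholder>"`, with renovate's docker datasource keeping the digest current, or at minimum add a comment on `httpd-version` that both registries must carry the tag. The alpine entry (`@@ -163,6 +164,7 @@`) and the contexts wiring (`@@ -173,6 +175,7 @@`) are consistent with this and need nothing further.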