From ec2c8edfb6dc88a7f50ced64dff2eb1e0eddd945 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 27 Apr 2026 22:43:46 +0000
Subject: [PATCH 1/5] Initial plan
From b76398022afca6f33ef458b6d51aae7b4fb05e21 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 27 Apr 2026 23:03:19 +0000
Subject: [PATCH 2/5] Switch Apache Debian image to Docker hardened image (dhi.io/httpd)
Agent-Logs-Url: https://github.com/coreruleset/modsecurity-crs-docker/sessions/a01215c0-b9eb-42e6-b191-fceaffabbfc8
Co-authored-by: fzipi <3012076+fzipi@users.noreply.github.com>
---
 .github/workflows/publish.yml | 7 +++
 .github/workflows/verifyimage.yml | 7 +++
 README.md | 2 +-
 apache/Dockerfile | 78 ++++++++++++++++++++-----------
 docker-bake.hcl | 5 +-
 5 files changed, 71 insertions(+), 28 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index ad209b0..9fc5625 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -61,6 +61,13 @@ jobs:
 username: ${{ secrets.dockerhub_user }}
 password: ${{ secrets.dockerhub_token }}
+ - name: Login to Docker Hardened Images registry
+ uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # docker/login-action@v3.5.0
+ with:
+ registry: dhi.io
+ username: ${{ secrets.dockerhub_user }}
+ password: ${{ secrets.dockerhub_token }}
+
 - name: Login to GitHub Container Registry
 uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # docker/login-action@v3.5.0
 with:
diff --git a/.github/workflows/verifyimage.yml b/.github/workflows/verifyimage.yml
index 80a470b..8d5a7eb 100644
--- a/.github/workflows/verifyimage.yml
+++ b/.github/workflows/verifyimage.yml
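Review bot: The new dhi.io login step reuses `secrets.dockerhub_token`, which in publish.yml is the same credential that pushes the published images, so a pull-only step now runs with a push-capable token; the identical step is added to verifyimage.yml in the next hunk. A dedicated read-only access token for the hardened-image pulls keeps the impact of a leaked CI credential smaller, and a comment such as `# dhi.io accepts Docker Hub credentials; a read-only token is sufficient to pull the base image` would record why Docker Hub secrets are used for a different registry. If verifyimage.yml also runs for pull requests from forks, the secrets are empty there and this login fails, which makes the Debian apache build depend on the secrets being present — worth either gating the step with an `if:` on secret availability or documenting the requirement. Pinning the action to a commit SHA is the right call and should stay.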
@@ -60,6 +60,13 @@ jobs:
 with:
 driver-opts: image=moby/buildkit:master
+ - name: Login to Docker Hardened Images registry
+ uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # docker/login-action@v3.5.0
+ with:
+ registry: dhi.io
+ username: ${{ secrets.dockerhub_user }}
+ password: ${{ secrets.dockerhub_token }}
+
 - name: Login to GitHub Container Registry
 uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # docker/login-action@v3.5.0
 with:
diff --git a/README.md b/README.md
index 4b60cbd..b2ded65 100644
--- a/README.md
+++ b/README.md
@@ -67,7 +67,7 @@ Examples:
 * nginx – *latest stable ModSecurity v3 on Nginx 1.28.2 official stable base image, and latest stable OWASP CRS 4.25.0*
 * [nginx](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)
 * [nginx-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine)
-* Apache httpd – *last stable ModSecurity v2 on Apache 2.4.66 official stable base image, and latest stable OWASP CRS 4.25.0*
+* Apache httpd – *last stable ModSecurity v2 on Apache 2.4.66 Docker hardened base image, and latest stable OWASP CRS 4.25.0*
 * [apache](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)
 * [apache-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine)
diff --git a/apache/Dockerfile b/apache/Dockerfile
index c6411e9..b83c682 100644
--- a/apache/Dockerfile
+++ b/apache/Dockerfile
@@ -3,7 +3,7 @@ ARG HTTPD_VERSION="n/a"
-FROM image AS build
+FROM build_image AS build
 ARG MODSEC2_VERSION="n/a"
 ARG MODSEC2_FLAGS="n/a"
@@ -40,7 +40,7 @@ RUN set -eux; \
 make install; \
 make clean
-FROM image AS crs_release
+FROM build_image AS crs_release
 ARG CRS_RELEASE
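Review bot: The rename to `build_image` leaves the reader without a statement of why the build stages and the final stage now come from different base images; the same rename appears in the `@@ -40,7 +40,7 @@` hunk for `crs_release`. Presumably the hardened base has no package manager or toolchain, which is why compilation and dependency staging moved to the upstream image — a comment above `FROM build_image AS build`, e.g. `# build_image: upstream httpd image (apt + toolchain), used only to compile and stage files; image: the hardened runtime base`, would make the two-context layout explicit and discourage reintroducing package installs into the final stage. Both stage bodies continue outside the hunk.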
@@ -60,6 +60,53 @@ RUN set -eux; \
 rm -f v${CRS_RELEASE}-minimal.tar.gz coreruleset-${CRS_RELEASE}-minimal.tar.gz.asc; \
 mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf
+FROM build_image AS runtime_deps
+
+ARG LUA_VERSION="n/a"
+ARG LUA_MODULES=""
+
+# hadolint ignore=DL3008,SC2086
+RUN set -eux; \
+ echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections; \
+ apt-get update -qq; \
+ apt-get install -y -qq --no-install-recommends --no-install-suggests \
+ ca-certificates \
+ curl \
+ ed \
+ iproute2 \
+ libcurl3-gnutls \
+ libfuzzy2 \
+ liblua${LUA_VERSION} \
+ ${LUA_MODULES} \
+ libpcre2-8-0 \
+ libxml2 \
+ libyajl2; \
+ update-ca-certificates -f; \
+ mkdir /staging; \
+ for pkg in \
+ ca-certificates \
+ curl \
+ ed \
+ iproute2 \
+ libcurl3-gnutls \
+ libfuzzy2 \
+ liblua${LUA_VERSION} \
+ libpcre2-8-0 \
+ libxml2 \
+ libyajl2 \
+ ${LUA_MODULES}; \
+ do \
+ dpkg -L "${pkg}" 2>/dev/null \
+ | grep -Ev "^(/usr/share/doc/|/usr/share/man/|/usr/share/lintian/)|\.$" \
+ | while IFS= read -r f; do \
+ if [ -f "${f}" ] || [ -L "${f}" ]; then \
+ cp --parents -d "${f}" /staging/; \
+ fi; \
+ done; \
+ done; \
+ apt-get clean; \
+ rm -rf /var/lib/apt/lists/*
+
 FROM image
 ARG MODSEC2_VERSION
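Review bot: The staging loop copies only the files that `dpkg -L` reports for the packages named in the `for pkg in` list, so it is not dependency-closed: libraries that `libcurl3-gnutls`, `libxml2` or the `${LUA_MODULES}` packages pull in through their own `Depends:` are installed by the `apt-get install` above but never reach `/staging/`, and the module will fail to load in the final image unless the hardened base happens to ship them. Generated files are skipped for the same reason: `update-ca-certificates -f` runs in this stage, but the bundle and hashed links it writes under `/etc/ssl/certs/` are not owned by the `ca-certificates` package, so TLS verification by `curl` in the runtime image depends on whatever bundle the base carries. I would derive the list from the dependency closure (iterating `apt-cache depends --recurse --no-recommends --no-suggests` output instead of the hand-written list), add `cp -a --parents /etc/ssl/certs /staging/;` after the loop, and finish the final-stage setup RUN with a config test such as `httpd -t` so a missing shared library fails the build rather than the first container start (confirm the binary path in the hardened image). Separately, `dpkg -L "${pkg}" 2>/dev/null` inside a pipeline is not covered by `set -e`, so a misspelled package name is silently dropped from the staging set. The leading context lines belong to the `crs_release` RUN, which starts outside the hunk.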
@@ -165,28 +212,7 @@ COPY apache/conf/extra/*.conf /usr/local/apache2/conf/extra/
 COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/
 COPY src/opt/modsecurity/* /opt/modsecurity/
 COPY apache/docker-entrypoint.sh /
-
-RUN set -eux; \
- echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections; \
- apt-get update -qq; \
- apt-get install -qq -y --no-install-recommends --no-install-suggests \
- ca-certificates \
- curl \
- ed \
- gnupg \
- iproute2 \
- libcurl3-gnutls \
- libfuzzy2 \
- liblua${LUA_VERSION} \
- ${LUA_MODULES} \
- libpcre2-8-0 \
- libxml2 \
- libyajl2; \
- update-ca-certificates -f; \
- apt-get clean; \
- rm -rf /var/lib/apt/lists/*
-
-RUN useradd --system httpd
+COPY --from=runtime_deps /staging/ /
 RUN set -eux; \
 mkdir -p /etc/modsecurity.d/; \
@@ -219,7 +245,7 @@ RUN set -eux; \
 echo 'Include conf/extra/httpd-locations.conf' >> /usr/local/apache2/conf/httpd.conf; \
 echo 'Include conf/extra/httpd-modsecurity.conf' >> /usr/local/apache2/conf/httpd.conf; \
 sed -i -E 's|(MaxRequestWorkers[ ]*)[0-9]*|\1${WORKER_CONNECTIONS}|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
- chown -R httpd:httpd \
+ chown -R www-data:www-data \
 /var/log/ \
 /var/log/modsecurity/audit/ \
 /usr/local/apache2/ \
@@ -227,7 +253,7 @@ RUN set -eux; \
 /tmp/modsecurity \
 /opt/owasp-crs
-USER httpd
+USER www-data
 ENTRYPOINT ["/docker-entrypoint.sh"]
diff --git a/docker-bake.hcl b/docker-bake.hcl
index 116add6..0dea839 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -155,7 +155,8 @@ target "apache" {
 {
 name = "debian"
 dockerfile="apache/Dockerfile"
- image = "docker-image://httpd:${httpd-version}"
+ image = "docker-image://dhi.io/httpd:${httpd-version}"
+ build_image = "docker-image://httpd:${httpd-version}"
 lua_modules = join(" ", lua-modules-debian)
 tag_base = "apache"
 },
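Review bot: `COPY --from=runtime_deps /staging/ /` overlays Debian packages built from `build_image` onto the hardened root filesystem, and nothing in the Dockerfile or in docker-bake.hcl asserts that the two bases track the same Debian release — if `dhi.io/httpd` and the upstream `httpd` tag ever differ in glibc or library SONAMEs, the copied `.so` files break, and any path they share with the base (for example libxml2 or the CA store) is silently replaced by the non-hardened copy. I would add `# runtime_deps is built from build_image, which must track the same Debian release as the hardened base; staged libraries overwrite same-path files in the base` above the COPY, and have the setup RUN compare the `VERSION_CODENAME` of both stages (copy `/etc/os-release` from `runtime_deps` to a temporary path and fail the build when it differs) so a drift between the two registries is caught at build time. Dropping `RUN useradd --system httpd` also makes the image depend on `www-data` already existing in the hardened base, which the `chown` and `USER` hunks below rely on; a one-line comment there stating that the user comes from the base would save the next reader a search. The setup RUN continues outside the hunk.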
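Review bot: `image` now resolves `dhi.io/httpd:${httpd-version}` while the `httpd-version` variable is still annotated `# renovate: depName=httpd datasource=docker` (visible in the `variable "httpd-version"` hunk of the fourth patch), so Renovate will bump the version as soon as Docker Hub publishes a new `httpd` tag without checking that dhi.io has the same tag, and the Debian apache build fails to pull until the registries catch up. Tracking the hardened base with its own variable and Renovate annotation pointed at the dhi.io repository, or pinning `image` by digest next to the tag, keeps bumps verifiable. Both contexts are currently resolved by mutable tag only; a digest pin on the hardened base is the stronger supply-chain anchor since that image is the one that ships.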
@@ -163,6 +164,7 @@ target "apache" {
 name = "alpine"
 dockerfile = "apache/Dockerfile-alpine"
 image = "docker-image://httpd:${httpd-version}-alpine"
+ build_image = "docker-image://httpd:${httpd-version}-alpine"
 lua_modules = join(" ", lua-modules-alpine)
 tag_base = "apache-alpine"
 }
@@ -173,6 +175,7 @@ target "apache" {
 name = "apache-${base.name}-${crs_entry.tag}"
 contexts = {
 image = base.image
+ build_image = base.build_image
 }
 dockerfile = base.dockerfile
 args = {
From d2ee1677f14b07d85f5e4c36ef8fa91243130069 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 28 Apr 2026 18:46:34 +0000
Subject: [PATCH 3/5] fix: add USER root before privileged setup RUN in hardened image final stage
Agent-Logs-Url: https://github.com/coreruleset/modsecurity-crs-docker/sessions/b8dfba58-0518-4bbe-92a4-42975b9882fe
Co-authored-by: fzipi <3012076+fzipi@users.noreply.github.com>
---
 apache/Dockerfile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/apache/Dockerfile b/apache/Dockerfile
index b83c682..77f1a35 100644
--- a/apache/Dockerfile
+++ b/apache/Dockerfile
@@ -214,6 +214,8 @@ COPY src/opt/modsecurity/* /opt/modsecurity/
 COPY apache/docker-entrypoint.sh /
 COPY --from=runtime_deps /staging/ /
+USER root
+
 RUN set -eux; \
 mkdir -p /etc/modsecurity.d/; \
 mkdir -p /tmp/modsecurity/data; \
From 48faaf54fad1081d0f6694f4e502a5a9c96ea482 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 10 May 2026 13:09:13 +0000
Subject: [PATCH 4/5] fix: USER 0 for hardened image, git clone --recursive for modsec v2, sync versions and go-ftw from main
Agent-Logs-Url: https://github.com/coreruleset/modsecurity-crs-docker/sessions/a57c6113-2408-46af-ad7a-dd8e80ba5df8
Co-authored-by: fzipi <3012076+fzipi@users.noreply.github.com>
---
 .github/workflows/verifyimage.yml | 2 +-
 README.md | 4 ++--
 apache/Dockerfile | 8 +++-----
 docker-bake.hcl | 13 +++++--------
 4 files changed, 11 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/verifyimage.yml b/.github/workflows/verifyimage.yml
index 8d5a7eb..2ac641a 100644
--- a/.github/workflows/verifyimage.yml
+++ b/.github/workflows/verifyimage.yml
@@ -11,7 +11,7 @@ permissions:
 env:
 # sha256sum format:
 MODSECURITY_RECOMMENDED: "ccff8ba1f12428b34ff41960d8bf773dd9f62b9a7c77755247a027cb01896d4f modsecurity.conf-recommended"
- GO_FTW_VERSION: '1.3.0'
+ GO_FTW_VERSION: '2.1.0'
 jobs:
 prepare:
diff --git a/README.md b/README.md
index b2ded65..50f8679 100644
--- a/README.md
+++ b/README.md
@@ -64,10 +64,10 @@ Examples:
 ## OS Variants
-* nginx – *latest stable ModSecurity v3 on Nginx 1.28.2 official stable base image, and latest stable OWASP CRS 4.25.0*
+* nginx – *latest stable ModSecurity v3 on Nginx 1.30.0 official stable base image, and latest stable OWASP CRS 4.26.0*
 * [nginx](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)
 * [nginx-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine)
-* Apache httpd – *last stable ModSecurity v2 on Apache 2.4.66 Docker hardened base image, and latest stable OWASP CRS 4.25.0*
+* Apache httpd – *last stable ModSecurity v2 on Apache 2.4.67 Docker hardened base image, and latest stable OWASP CRS 4.26.0*
 * [apache](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)
 * [apache-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine)
diff --git a/apache/Dockerfile b/apache/Dockerfile
index 77f1a35..30c742b 100644
--- a/apache/Dockerfile
+++ b/apache/Dockerfile
@@ -27,12 +27,10 @@ RUN set -eux; \
 libyajl-dev \
 lua${LUA_VERSION}-dev \
 make \
- pkgconf \
- wget
+ pkgconf
 RUN set -eux; \
- wget --quiet https://github.com/owasp-modsecurity/ModSecurity/archive/refs/tags/v${MODSEC2_VERSION}.tar.gz; \
- tar -zxvf v${MODSEC2_VERSION}.tar.gz; \
+ git clone https://github.com/owasp-modsecurity/ModSecurity --branch "v${MODSEC2_VERSION}" --depth 1 --recursive ModSecurity-${MODSEC2_VERSION}; \
 cd ModSecurity-${MODSEC2_VERSION}; \
 ./autogen.sh; \
 ./configure ${MODSEC2_FLAGS}; \
@@ -214,7 +212,7 @@ COPY src/opt/modsecurity/* /opt/modsecurity/
 COPY apache/docker-entrypoint.sh /
 COPY --from=runtime_deps /staging/ /
-USER root
+USER 0
 RUN set -eux; \
 mkdir -p /etc/modsecurity.d/; \
diff --git a/docker-bake.hcl b/docker-bake.hcl
index 0dea839..6d3dbf4 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
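Review bot: The new `git clone --branch "v${MODSEC2_VERSION}" --depth 1 --recursive` fetches by tag, and git tags are mutable, so the build still has no integrity check on the ModSecurity source it compiles — the tarball it replaces was unverified too, but this rewrite is the natural place to fix it. I would add a build arg carrying the expected release commit (for example `ARG MODSEC2_COMMIT="n/a"` next to `MODSEC2_VERSION`, with the value supplied from docker-bake.hcl) and verify after the clone with `git -C ModSecurity-${MODSEC2_VERSION} rev-parse --verify HEAD | grep -qx "${MODSEC2_COMMIT}";` so a moved tag fails the build; submodule commits fetched by `--recursive` are recorded in the superproject tree, so they are covered once the top-level commit is. The hunk removes `wget` from the build packages but `git` is not visible in the remaining list, so if it is not installed above the hunk the clone fails at build time. Both the build-deps RUN and the ModSecurity build RUN continue outside the hunk.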
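Review bot: The change from `USER root` to `USER 0` carries no explanation in the Dockerfile itself, and a later maintainer is likely to "fix" it back to the name. A comment such as `# the hardened base runs as a non-root user by default; elevate by numeric UID for the setup RUN only (USER www-data is restored after it)` would preserve the reason; the commit message suggests the name `root` did not resolve in the hardened image, but that is an inference worth confirming before stating it in the comment. The setup RUN that needs the elevation continues outside the hunk.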
@@ -1,7 +1,7 @@
 # docker-bake.hcl
 variable "modsec3-version" {
 # renovate: depName=ModSecurity3 packageName=owasp-modsecurity/ModSecurity datasource=github-releases
- default = "3.0.14"
+ default = "3.0.15"
 }
 variable "modsec3-flags" {
@@ -10,7 +10,7 @@ variable "modsec3-flags" {
 variable "modsec2-version" {
 # renovate: depName=ModSecurity2 packageName=owasp-modsecurity/ModSecurity datasource=github-releases
- default = "2.9.12"
+ default = "2.9.13"
 }
 variable "modsec2-flags" {
@@ -23,10 +23,7 @@ variable "previous-lts-crs-version" {
 variable "major-crs-version" {
 # renovate: depName=coreruleset/coreruleset datasource=github-releases
- default = "4.25.0"
-}
-
-variable "v4-lts-crs-version" {
+ default = "4.26.0"
 default = "4.25.0"
 }
@@ -40,12 +37,12 @@ variable "crs-versions" {
 variable "nginx-version" {
 # renovate: depName=nginxinc/nginx-unprivileged datasource=docker
- default = "1.28.2"
+ default = "1.30.0"
 }
 variable "httpd-version" {
 # renovate: depName=httpd datasource=docker
- default = "2.4.66"
+ default = "2.4.67"
 }
 variable "modsecurity-nginx-version" {
From d4e6e76094a6acdf57510cd6222cbd7680c29835 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 10 May 2026 13:10:35 +0000
Subject: [PATCH 5/5] fix: restore missing v4-lts-crs-version variable in docker-bake.hcl
Agent-Logs-Url: https://github.com/coreruleset/modsecurity-crs-docker/sessions/a57c6113-2408-46af-ad7a-dd8e80ba5df8
Co-authored-by: fzipi <3012076+fzipi@users.noreply.github.com>
---
 docker-bake.hcl | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/docker-bake.hcl b/docker-bake.hcl
index 6d3dbf4..a788232 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -24,6 +24,9 @@ variable "previous-lts-crs-version" {
 variable "major-crs-version" {
 # renovate: depName=coreruleset/coreruleset datasource=github-releases
 default = "4.26.0"
+}
+
+variable "v4-lts-crs-version" {
 default = "4.25.0"
 }
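Review bot: The `@@ -23,10 +23,7 @@` hunk leaves `variable "major-crs-version"` with two `default` attributes and drops `v4-lts-crs-version` entirely, so the bake file in commit 4/5 does not parse and every target referencing the LTS variable is broken until 5/5 restores it; the fix is correct but lives in a separate commit. Squashing 5/5 into 4/5 before merge keeps the series bisectable, and a one-line `# LTS line kept alongside major-crs-version for the v4 tags` comment above the restored variable would make the pairing explicit.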