Switch Apache Debian image to Docker hardened image (dhi.io/httpd)

.github/workflows/publish.yml

@@ -61,6 +61,13 @@ jobs:
           username: ${{ secrets.dockerhub_user }}
           password: ${{ secrets.dockerhub_token }}
 
+      - name: Login to Docker Hardened Images registry
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # docker/login-action@v3.5.0
+        with:
+          registry: dhi.io
+          username: ${{ secrets.dockerhub_user }}
+          password: ${{ secrets.dockerhub_token }}
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # docker/login-action@v3.5.0
         with:

.github/workflows/verifyimage.yml

@@ -11,7 +11,7 @@ permissions:
 env:
   # sha256sum format: <hash><space><format (space for text)><file name>
   MODSECURITY_RECOMMENDED: "ccff8ba1f12428b34ff41960d8bf773dd9f62b9a7c77755247a027cb01896d4f  modsecurity.conf-recommended"
-  GO_FTW_VERSION: '1.3.0'
+  GO_FTW_VERSION: '2.1.0'
 
 jobs:
   prepare:
@@ -60,6 +60,13 @@ jobs:
         with:
           driver-opts: image=moby/buildkit:master
 
+      - name: Login to Docker Hardened Images registry
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # docker/login-action@v3.5.0
+        with:
+          registry: dhi.io
+          username: ${{ secrets.dockerhub_user }}
+          password: ${{ secrets.dockerhub_token }}
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # docker/login-action@v3.5.0
         with:

README.md

@@ -64,10 +64,10 @@ Examples:
 
 ## OS Variants
 
-* nginx – *latest stable ModSecurity v3 on Nginx 1.28.2 official stable base image, and latest stable OWASP CRS 4.25.0*
+* nginx – *latest stable ModSecurity v3 on Nginx 1.30.0 official stable base image, and latest stable OWASP CRS 4.26.0*
    * [nginx](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)
    * [nginx-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine)
-* Apache httpd – *last stable ModSecurity v2 on Apache 2.4.66 official stable base image, and latest stable OWASP CRS 4.25.0*
+* Apache httpd – *last stable ModSecurity v2 on Apache 2.4.67 Docker hardened base image, and latest stable OWASP CRS 4.26.0*
    * [apache](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)
    * [apache-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine)
 

apache/Dockerfile

@@ -3,7 +3,7 @@
 
 ARG HTTPD_VERSION="n/a"
 
-FROM image AS build
+FROM build_image AS build
 
 ARG MODSEC2_VERSION="n/a"
 ARG MODSEC2_FLAGS="n/a"
@@ -27,20 +27,18 @@ RUN set -eux; \
         libyajl-dev \
         lua${LUA_VERSION}-dev \
         make \
-        pkgconf \
-        wget
+        pkgconf
 
 RUN set -eux; \
-    wget --quiet https://github.com/owasp-modsecurity/ModSecurity/archive/refs/tags/v${MODSEC2_VERSION}.tar.gz; \
-    tar -zxvf v${MODSEC2_VERSION}.tar.gz; \
+    git clone https://github.com/owasp-modsecurity/ModSecurity --branch "v${MODSEC2_VERSION}" --depth 1 --recursive ModSecurity-${MODSEC2_VERSION}; \
     cd ModSecurity-${MODSEC2_VERSION}; \
     ./autogen.sh; \
     ./configure ${MODSEC2_FLAGS}; \
     make; \
     make install; \
     make clean
 
-FROM image AS crs_release
+FROM build_image AS crs_release
 
 ARG CRS_RELEASE
 
@@ -60,6 +58,53 @@ RUN set -eux; \
     rm -f v${CRS_RELEASE}-minimal.tar.gz coreruleset-${CRS_RELEASE}-minimal.tar.gz.asc; \
     mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf
 
+FROM build_image AS runtime_deps
+
+ARG LUA_VERSION="n/a"
+ARG LUA_MODULES=""
+
+# hadolint ignore=DL3008,SC2086
+RUN set -eux; \
+    echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections; \
+    apt-get update -qq; \
+    apt-get install -y -qq --no-install-recommends --no-install-suggests \
+        ca-certificates \
+        curl \
+        ed \
+        iproute2 \
+        libcurl3-gnutls \
+        libfuzzy2 \
+        liblua${LUA_VERSION} \
+        ${LUA_MODULES} \
+        libpcre2-8-0 \
+        libxml2 \
+        libyajl2; \
+    update-ca-certificates -f; \
+    mkdir /staging; \
+    for pkg in \
+        ca-certificates \
+        curl \
+        ed \
+        iproute2 \
+        libcurl3-gnutls \
+        libfuzzy2 \
+        liblua${LUA_VERSION} \
+        libpcre2-8-0 \
+        libxml2 \
+        libyajl2 \
+        ${LUA_MODULES}; \
+    do \
+        dpkg -L "${pkg}" 2>/dev/null \
+        | grep -Ev "^(/usr/share/doc/|/usr/share/man/|/usr/share/lintian/)|\.$" \
+        | while IFS= read -r f; do \
+            if [ -f "${f}" ] || [ -L "${f}" ]; then \
+                cp --parents -d "${f}" /staging/; \
+            fi; \
+        done; \
+    done; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
+
 FROM image
 
 ARG MODSEC2_VERSION
@@ -165,28 +210,9 @@ COPY apache/conf/extra/*.conf /usr/local/apache2/conf/extra/
 COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/
 COPY src/opt/modsecurity/* /opt/modsecurity/
 COPY apache/docker-entrypoint.sh /
+COPY --from=runtime_deps /staging/ /
 
-RUN set -eux; \
-    echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections; \
-    apt-get update -qq; \
-    apt-get install -qq -y --no-install-recommends --no-install-suggests \
-        ca-certificates \
-        curl \
-        ed \
-        gnupg \
-        iproute2 \
-        libcurl3-gnutls \
-        libfuzzy2 \
-        liblua${LUA_VERSION} \
-        ${LUA_MODULES} \
-        libpcre2-8-0 \
-        libxml2 \
-        libyajl2; \
-    update-ca-certificates -f; \
-    apt-get clean; \
-    rm -rf /var/lib/apt/lists/*
-
-RUN useradd --system httpd
+USER 0
 
 RUN set -eux; \
     mkdir -p /etc/modsecurity.d/; \
@@ -219,15 +245,15 @@ RUN set -eux; \
     echo 'Include conf/extra/httpd-locations.conf' >> /usr/local/apache2/conf/httpd.conf; \
     echo 'Include conf/extra/httpd-modsecurity.conf' >> /usr/local/apache2/conf/httpd.conf; \
     sed -i -E 's|(MaxRequestWorkers[ ]*)[0-9]*|\1${WORKER_CONNECTIONS}|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
-    chown -R httpd:httpd \
+    chown -R www-data:www-data \
         /var/log/ \
         /var/log/modsecurity/audit/ \
         /usr/local/apache2/ \
         /etc/modsecurity.d \
         /tmp/modsecurity \
         /opt/owasp-crs
 
-USER httpd
+USER www-data
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
 

docker-bake.hcl

@@ -1,7 +1,7 @@
 # docker-bake.hcl
 variable "modsec3-version" {
     # renovate: depName=ModSecurity3 packageName=owasp-modsecurity/ModSecurity datasource=github-releases
-    default = "3.0.14"
+    default = "3.0.15"
 }
 
 variable "modsec3-flags" {
@@ -10,7 +10,7 @@ variable "modsec3-flags" {
 
 variable "modsec2-version" {
     # renovate: depName=ModSecurity2 packageName=owasp-modsecurity/ModSecurity datasource=github-releases
-    default = "2.9.12"
+    default = "2.9.13"
 }
 
 variable "modsec2-flags" {
@@ -23,7 +23,7 @@ variable "previous-lts-crs-version" {
 
 variable "major-crs-version" {
     # renovate: depName=coreruleset/coreruleset datasource=github-releases
-    default = "4.25.0"
+    default = "4.26.0"
 }
 
 variable "v4-lts-crs-version" {
@@ -40,12 +40,12 @@ variable "crs-versions" {
 
 variable "nginx-version" {
     # renovate: depName=nginxinc/nginx-unprivileged datasource=docker
-    default = "1.28.2"
+    default = "1.30.0"
 }
 
 variable "httpd-version" {
     # renovate: depName=httpd datasource=docker
-    default = "2.4.66"
+    default = "2.4.67"
 }
 
 variable "modsecurity-nginx-version" {
@@ -155,14 +155,16 @@ target "apache" {
             {
                 name = "debian"
                 dockerfile="apache/Dockerfile"
-                image = "docker-image://httpd:${httpd-version}"
+                image = "docker-image://dhi.io/httpd:${httpd-version}"
+                build_image = "docker-image://httpd:${httpd-version}"
                 lua_modules = join(" ", lua-modules-debian)
                 tag_base = "apache"
             },
             {
                 name = "alpine"
                 dockerfile = "apache/Dockerfile-alpine"
                 image = "docker-image://httpd:${httpd-version}-alpine"
+                build_image = "docker-image://httpd:${httpd-version}-alpine"
                 lua_modules = join(" ", lua-modules-alpine)
                 tag_base = "apache-alpine"
             }
@@ -173,6 +175,7 @@ target "apache" {
     name = "apache-${base.name}-${crs_entry.tag}"
     contexts = {
         image = base.image
+        build_image = base.build_image
     }
     dockerfile = base.dockerfile
     args = {