Web application firewall (WAF) via Nginx v1.15.5 + SpiderLabs/ModSecurity v3 shipped with OWASP Core Rule Set v3.3.2
- nginx proxies requests upstream to node
- the nginx service is built from the official image https://hub.docker.com/_/nginx/
- at build time the nginx source is downloaded because the modules have to be compiled
- ModSecurity is set up following https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/
- the OWASP ModSecurity Core Rule Set is set up at build time from https://github.com/SpiderLabs/owasp-modsecurity-crs/
- additionally, https://github.com/openresty/headers-more-nginx-module is set up and the `Server` header is cleaned from the response
`docker compose up` and visit localhost

`docker compose up --build` to rebuild
- waf/logs
- https://github.com/kjakub/docker-nginx-modsecurity-v3-waf/blob/master/waf/nginx.conf
- https://github.com/kjakub/docker-nginx-modsecurity-v3-waf/blob/master/waf/modsecurity.conf subincluding:
  - CRS rules referenced inside are downloaded from GitHub and added to the image during build, included via https://github.com/kjakub/docker-nginx-modsecurity-v3-waf/blob/master/waf/modsec_includes.conf
  - https://github.com/kjakub/docker-nginx-modsecurity-v3-waf/blob/master/waf/crs-setup.conf
- update version in https://github.com/kjakub/docker-nginx-modsecurity-v3-waf/blob/master/waf/Dockerfile#L1
- update to same version in https://github.com/kjakub/docker-nginx-modsecurity-v3-waf/blob/master/waf/build.sh#L21
- nothing much really to upgrade: just invalidate the docker cache and let the image rebuild so that the new GitHub repos are downloaded
- optionally check for a newer branch? https://github.com/kjakub/docker-nginx-modsecurity-v3-waf/blob/master/waf/build.sh#L9
- check the ModSecurity conf files against the official GitHub repos for any changes
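
The upgrade steps above require the same nginx version in the Dockerfile and in build.sh, because the modules are compiled from the downloaded nginx source. The following check is an added example, not part of this repository; it assumes the Dockerfile starts with `FROM nginx:<version>` and that build.sh references a tarball named `nginx-<version>.tar.gz`, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example: fail when the two nginx version pins disagree.
# Assumed layout (not taken from the repository):
#   Dockerfile -> a line "FROM nginx:<version>"
#   build.sh   -> a download of ".../nginx-<version>.tar.gz"

# Print the numeric version from the first "FROM nginx:<tag>" line.
# A suffix such as "-alpine" is dropped.
dockerfile_nginx_version() {
    sed -n 's/^[Ff][Rr][Oo][Mm][[:space:]]\{1,\}nginx:\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Print the version of the first nginx source tarball named in build.sh.
buildsh_nginx_version() {
    sed -n 's/.*nginx-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)\.tar\.gz.*/\1/p' "$1" | head -n 1
}

# Return 0 when both pins are present and equal, 1 otherwise.
check_nginx_pins() {
    df_ver=$(dockerfile_nginx_version "$1")
    sh_ver=$(buildsh_nginx_version "$2")
    if [ -z "$df_ver" ] || [ -z "$sh_ver" ]; then
        echo "version pin not found (Dockerfile='$df_ver' build.sh='$sh_ver')" >&2
        return 1
    fi
    if [ "$df_ver" != "$sh_ver" ]; then
        echo "mismatch: image nginx $df_ver, module source nginx $sh_ver" >&2
        return 1
    fi
    echo "nginx $df_ver pinned consistently"
}

# Usage: sh check-pins.sh waf/Dockerfile waf/build.sh
if [ "$#" -eq 2 ]; then
    check_nginx_pins "$1" "$2"
fi
```

Run it before `docker compose up --build` so a half-finished version bump stops early instead of producing modules built against a different nginx source than the base image.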