add modsecurity with OWASP core ruleset

mib1185 · mib1185 · commit 6b2fc23fd389 · 2024-11-28T23:23:08.000+01:00
diff --git a/.jenkins/Jenkinsfile b/.jenkins/Jenkinsfile
@@ -20,6 +20,9 @@ pipeline {
 		CROWDSEC_OPENRESTY_BOUNCER_VERSION = '0.1.7'
 		LUA_VERSION                        = '5.1.5'
 		LUAROCKS_VERSION                   = '3.3.1'
+		LIBMODSECURITY_VERSION             = '3.0.13'
+		MODSECURITY_NGINX_VERSION          = '1.0.3'
+		CRS_VERSION                        = '4.8.0'
 	}
 	stages {
 		stage('Environment') {
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -7,6 +7,8 @@ FROM debian:bookworm-slim AS nginxbuilder
 ARG OPENRESTY_VERSION
 ARG LUA_VERSION
 ARG LUAROCKS_VERSION
+ARG LIBMODSECURITY_VERSION
+ARG MODSECURITY_NGINX_VERSION
 
 RUN apt-get update \
 	&& apt-get install -y \
@@ -16,7 +18,12 @@ RUN apt-get update \
 	libpcre3-dev \
 	libreadline-dev \
 	libssl-dev \
-	openssl unzip \
+	openssl \
+	unzip \
+	autoconf \
+	automake \
+	libtool \
+	libpcre2-dev \
 	wget \
 	zlib1g-dev \
 	git \
@@ -26,6 +33,10 @@ RUN apt-get update \
 COPY ./scripts/build-lua /tmp/build-lua
 RUN /tmp/build-lua
 
+# LibModSecurity build
+COPY ./scripts/build-modsecurity /tmp/build-modsecurity
+RUN /tmp/build-modsecurity
+
 # Nginx build
 COPY ./scripts/build-openresty /tmp/build-openresty
 RUN /tmp/build-openresty
@@ -40,6 +51,7 @@ LABEL maintainer="Jamie Curnow <jc@jc21.com>"
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 ARG TARGETPLATFORM
+ARG CRS_VERSION
 RUN echo "Base: debian:bookworm-slim, ${TARGETPLATFORM:-linux/amd64}" > /built-for-arch
 
 # OpenResty uses LuaJIT which has a dependency on GCC
@@ -74,24 +86,29 @@ COPY --from=nginxbuilder /tmp/luarocks /tmp/luarocks
 COPY ./scripts/install-lua /tmp/install-lua
 
 # Copy openresty build from first image
+COPY --from=nginxbuilder /tmp/modsecurity /tmp/modsecurity
 COPY --from=nginxbuilder /tmp/openresty /tmp/openresty
 COPY ./scripts/install-openresty /tmp/install-openresty
 
 # Copy crowdsec openresty bouncer install script
 COPY ./scripts/install-crowdsec_openresty_bouncer /tmp/install-crowdsec_openresty_bouncer
 
+# Copy OWASP core ruleset install script
+COPY ./scripts/install-crs /tmp/install-crs
+
 ARG OPENRESTY_VERSION
 ARG CROWDSEC_OPENRESTY_BOUNCER_VERSION
 ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt \
 	OPENRESTY_VERSION=${OPENRESTY_VERSION} \
 	CROWDSEC_OPENRESTY_BOUNCER_VERSION=${CROWDSEC_OPENRESTY_BOUNCER_VERSION}
 
-# Install openresty, lua, then clean up file system
+# Install openresty, lua, csr, then clean up file system
 RUN apt-get update \
-	&& apt-get install -y gcc make socat git \
+	&& apt-get install -y build-essential gcc make socat git autoconf automake libtool libpcre2-dev \
 	&& /tmp/install-lua \
+	&& /tmp/install-crs \
 	&& /tmp/install-openresty \
-	&& apt-get remove -y make gcc git wget gettext \
+	&& apt-get remove -y build-essential gcc make git wget gettext autoconf automake libtool libpcre2-dev \
 	&& apt-get autoremove -y \
 	&& apt-get clean \
 	&& rm -rf /var/lib/apt/lists/* \
diff --git a/local-build.sh b/local-build.sh
@@ -13,6 +13,9 @@ export OPENRESTY_VERSION=1.25.3.2
 export CROWDSEC_OPENRESTY_BOUNCER_VERSION=0.1.7
 export LUA_VERSION=5.1.5
 export LUAROCKS_VERSION=3.3.1
+export LIBMODSECURITY_VERSION=3.0.13
+export MODSECURITY_NGINX_VERSION=1.0.3
+export CRS_VERSION=4.8.0
 
 export BASE_IMAGE="${DOCKER_IMAGE}:latest"
 export ACMESH_IMAGE="${DOCKER_IMAGE}:acmesh"
@@ -29,6 +32,9 @@ docker build \
 	--build-arg CROWDSEC_OPENRESTY_BOUNCER_VERSION \
 	--build-arg LUA_VERSION \
 	--build-arg LUAROCKS_VERSION \
+	--build-arg LIBMODSECURITY_VERSION \
+	--build-arg MODSECURITY_NGINX_VERSION \
+	--build-arg CRS_VERSION \
 	-t "$BASE_IMAGE" \
 	-f docker/Dockerfile \
 	.
diff --git a/local-buildx.sh b/local-buildx.sh
@@ -13,6 +13,9 @@ export OPENRESTY_VERSION=1.25.3.2
 export CROWDSEC_OPENRESTY_BOUNCER_VERSION=0.1.7
 export LUA_VERSION=5.1.5
 export LUAROCKS_VERSION=3.3.1
+export LIBMODSECURITY_VERSION=3.0.13
+export MODSECURITY_NGINX_VERSION=1.0.3
+export CRS_VERSION=4.8.0
 
 export BASE_IMAGE="${DOCKER_IMAGE}:latest"
 export ACMESH_IMAGE="${DOCKER_IMAGE}:acmesh"
@@ -38,6 +41,9 @@ docker buildx build \
 	--build-arg CROWDSEC_OPENRESTY_BOUNCER_VERSION \
 	--build-arg LUA_VERSION \
 	--build-arg LUAROCKS_VERSION \
+	--build-arg LIBMODSECURITY_VERSION \
+	--build-arg MODSECURITY_NGINX_VERSION \
+	--build-arg CRS_VERSION \
 	-t "$BASE_IMAGE" \
 	-f docker/Dockerfile \
 	.
diff --git a/scripts/build-modsecurity b/scripts/build-modsecurity
@@ -0,0 +1,21 @@
+#!/bin/bash -e
+
+BLUE='\E[1;34m'
+CYAN='\E[1;36m'
+YELLOW='\E[1;33m'
+GREEN='\E[1;32m'
+RESET='\E[0m'
+
+echo -e "${BLUE}❯ ${CYAN}Building libmodsecurity ${YELLOW}${LIBMODSECURITY_VERSION} ...${RESET}"
+
+cd /tmp
+git clone --recursive --branch v${LIBMODSECURITY_VERSION} https://github.com/owasp-modsecurity/ModSecurity modsecurity
+cd /tmp/modsecurity
+
+./build.sh
+./configure --with-pcre2
+
+make -j$(nproc)
+make install
+
+echo -e "${BLUE}❯ ${GREEN}libmodsecurity build completed${RESET}"
diff --git a/scripts/build-openresty b/scripts/build-openresty
@@ -6,14 +6,24 @@ YELLOW='\E[1;33m'
 GREEN='\E[1;32m'
 RESET='\E[0m'
 
-echo -e "${BLUE}❯ ${CYAN}Building OpenResty ${YELLOW}${OPENRESTY_VERSION} with nginx_http_geoip2 module...${RESET}"
+echo -e "${BLUE}❯ ${CYAN}Building OpenResty ${YELLOW}${OPENRESTY_VERSION} with nginx_http_geoip2 and modsecurity module...${RESET}"
 
 cd /tmp
+
+# download openresty
 wget "https://openresty.org/download/openresty-${OPENRESTY_VERSION}.tar.gz"
 tar -xzf openresty-${OPENRESTY_VERSION}.tar.gz
 mv /tmp/openresty-${OPENRESTY_VERSION} /tmp/openresty
+
+# download ngx_http_geoip2_module
 git clone https://github.com/leev/ngx_http_geoip2_module.git
 mv /tmp/ngx_http_geoip2_module /tmp/openresty/ngx_http_geoip2_module
+
+# download modsecurity-nginx
+git clone --branch v${MODSECURITY_NGINX_VERSION} https://github.com/owasp-modsecurity/ModSecurity-nginx.git
+mv /tmp/ModSecurity-nginx /tmp/openresty/modsecurity-nginx
+
+# build openresty
 cd /tmp/openresty
 
 ./configure \
@@ -55,8 +65,9 @@ cd /tmp/openresty
 	--with-stream_realip_module \
 	--with-stream_ssl_module \
 	--with-stream_ssl_preread_module \
-	--add-dynamic-module=/tmp/openresty/ngx_http_geoip2_module
+	--add-dynamic-module=/tmp/openresty/ngx_http_geoip2_module \
+	--add-dynamic-module=/tmp/openresty/modsecurity-nginx
 
-make -j2
+make -j$(nproc)
 
 echo -e "${BLUE}❯ ${GREEN}OpenResty build completed${RESET}"
diff --git a/scripts/install-crs b/scripts/install-crs
@@ -0,0 +1,20 @@
+#!/bin/bash -e
+
+BLUE='\E[1;34m'
+CYAN='\E[1;36m'
+YELLOW='\E[1;33m'
+GREEN='\E[1;32m'
+RESET='\E[0m'
+
+echo -e "${BLUE}❯ ${CYAN}Installing OWASP core ruleset ${YELLOW}${CRS_VERSION}...${RESET}"
+
+cd /tmp
+mkdir -p /etc/csr
+wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v${CRS_VERSION}.tar.gz
+tar -xzf v${CRS_VERSION}.tar.gz --strip 1 -C /etc/csr
+rm -rf v${CRS_VERSION}.tar.gz
+mv /etc/csr/{crs-setup.conf.example,crs-setup.conf}
+mv /etc/csr/rules/{REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example,REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf}
+mv /etc/csr/rules/{RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example,RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf}
+
+echo -e "${BLUE}❯ ${GREEN}OWASP core ruleset install completed${RESET}"
diff --git a/scripts/install-openresty b/scripts/install-openresty
@@ -8,6 +8,10 @@ RESET='\E[0m'
 
 echo -e "${BLUE}❯ ${CYAN}Installing OpenResty ${YELLOW}${OPENRESTY_VERSION}...${RESET}"
 
+cd /tmp/modsecurity
+make install
+rm -rf /tmp/modsecurity
+
 cd /tmp/openresty
 make install
 rm -rf /tmp/openresty
