USAGOV-2171 - Deploy to Production (#2171)
arpage authored Jan 15, 2025
2 parents b82d68e + 767a6a7 commit 6fba9e9
Showing 49 changed files with 494 additions and 162 deletions.
117 changes: 80 additions & 37 deletions .docker/Dockerfile-waf
@@ -1,73 +1,116 @@
FROM owasp/modsecurity-crs@sha256:94c67e36f8c48553b4e51378579f6afc818a5d9d2e0c6e09cf846913ee9fac31
ARG NGINX_VERSION="1.27.3"
FROM nginx:${NGINX_VERSION}

LABEL maintainer="USA.gov Web Ops"

ARG RELEASE=3.3.2

ARG GITBRANCH
ENV GITBRANCH ${GITBRANCH:-none}
ENV GITBRANCH=${GITBRANCH:-none}

ARG GITCOMMIT
ENV GITCOMMIT ${GITCOMMIT:-none}
ENV GITCOMMIT=${GITCOMMIT:-none}

ARG GITTAG
ENV GITTAG ${GITTAG:-none}
ENV GITTAG=${GITTAG:-none}

ENV APP_NAME=USAGov \
PARANOIA=2 \
ANOMALY_INBOUND=5 \
ANOMALY_OUTBOUND=4 \
NGINX_KEEPALIVE_TIMEOUT=60s \
ERRORLOG=/var/log/nginx/error.log \
LOGLEVEL=warn \
USER=nginx \
PORT=80 \
SERVERNAME=locahost \
WORKER_CONNECTIONS=1024 \
MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \
MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \
MODSEC_RULE_ENGINE=on \
MODSEC_PCRE_MATCH_LIMIT=500000 \
MODSEC_PCRE_MATCH_LIMIT_RECURSION=500000 \
MODSEC_REQ_BODY_ACCESS=on \
MODSEC_REQ_BODY_LIMIT=13107200 \
MODSEC_REQ_BODY_NOFILES_LIMIT=131072 \
MODSEC_RESP_BODY_ACCESS=on \
MODSEC_RESP_BODY_LIMIT=1048576 \
MODSEC_PCRE_MATCH_LIMIT=500000 \
MODSEC_PCRE_MATCH_LIMIT_RECURSION=500000

COPY src-waf/docker-entrypoint-waf.sh /
COPY src-waf/etc/ /etc/
COPY src-waf/opt/ /opt/
RUN rm -rf /opt/owasp-crs/tests;
MODSEC_RULE_ENGINE=on \
MODSECURITY_ENGINE_VERSION="3.0.13" \
MODSECURITY_NGINX_VERSION="1.0.3" \
MODSECURITY_CRS_VERSION="4.10.0" \
NGINX_KEEPALIVE_TIMEOUT=60s \
PARANOIA=2 \
PORT=80 \
SERVERNAME=localhost \
USER=nginx \
WORKER_CONNECTIONS=1024

RUN apk upgrade --update && \
apk add vim \
nano \
bash \
jq \
inotify-tools \
gettext \
curl \
sed

# hadolint ignore=DL3008,SC2016
RUN set -eux; \
apk add --no-cache \
ca-certificates;
# \ ln -sv /opt/owasp-crs /etc/modsecurity.d;
RUN apt-get update && \
apt-get install -y \
autoconf \
automake \
build-essential \
dh-autoreconf \
dpkg-dev \
flex \
gcc \
inotify-tools \
libexpat1-dev \
libgeoip-dev \
liblmdb-dev \
liblua5.3-dev \
libmodsecurity-dev \
libmodsecurity3 \
libpcre2-dev \
libpcre3 \
libpcre3-dev \
libssl-dev \
libtool \
libyajl-dev \
locales \
lua5.3-dev \
make \
pkg-config \
procps \
wget \
zlib1g-dev

RUN set -eux; \
mkdir /var/log/modsecurity && \
touch /var/log/modsecurity/modsec_audit.log;

RUN cd /tmp \
&& wget https://github.com/owasp-modsecurity/ModSecurity-nginx/releases/download/v${MODSECURITY_NGINX_VERSION}/modsecurity-nginx-v${MODSECURITY_NGINX_VERSION}.tar.gz \
&& tar -xvf modsecurity-nginx-v${MODSECURITY_NGINX_VERSION}.tar.gz \
&& rm modsecurity-nginx-v${MODSECURITY_NGINX_VERSION}.tar.gz \
&& mkdir -p /opt/modsecurity-nginx-v${MODSECURITY_NGINX_VERSION} \
&& mv modsecurity-nginx-v${MODSECURITY_NGINX_VERSION}/* /opt/modsecurity-nginx-v${MODSECURITY_NGINX_VERSION}/ \
&& wget http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz \
&& tar -xvf nginx-${NGINX_VERSION}.tar.gz \
&& rm nginx-${NGINX_VERSION}.tar.gz \
&& mkdir -p /opt/nginx-${NGINX_VERSION} \
&& mv nginx-${NGINX_VERSION}/* /opt/nginx-${NGINX_VERSION}/ \
&& cd /opt/nginx-${NGINX_VERSION} \
&& ARGS=$(nginx -V 2>&1 | grep -oP '(?<=configure arguments: ).*?(?=--with-cc-opt)') \
&& ./configure --add-dynamic-module=../modsecurity-nginx-v${MODSECURITY_NGINX_VERSION} --with-compat $ARGS \
&& make modules \
&& cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules

RUN cd /tmp \
&& wget https://github.com/coreruleset/coreruleset/releases/download/v${MODSECURITY_CRS_VERSION}/coreruleset-${MODSECURITY_CRS_VERSION}-minimal.tar.gz \
&& tar -xvf coreruleset-${MODSECURITY_CRS_VERSION}-minimal.tar.gz \
&& rm coreruleset-${MODSECURITY_CRS_VERSION}-minimal.tar.gz \
&& mkdir -p /etc/modsecurity.d/modsecurity-crs \
&& mv coreruleset-${MODSECURITY_CRS_VERSION}/* /etc/modsecurity.d/modsecurity-crs/ \
&& mv /etc/modsecurity.d/modsecurity-crs/crs-setup.conf.example /etc/modsecurity.d/modsecurity-crs/crs-setup.conf \
&& mv /etc/modsecurity.d/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /etc/modsecurity.d/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

COPY src-waf/docker-entrypoint-waf.sh /
COPY src-waf/etc/ /etc/
COPY src-waf/opt/ /opt/
RUN rm -rf /opt/owasp-crs/tests;

COPY src-waf/opt/owasp-crs/modsecurity.conf /etc/modsecurity.d/modsecurity.conf
COPY src-waf/opt/owasp-crs/modsecurity-override.conf /etc/modsecurity.d/modsecurity-override.conf
COPY src-waf/opt/owasp-crs/setup.conf /etc/modsecurity.d/setup.conf

COPY src-waf/cert-watcher.sh /cert-watcher.sh

COPY motd /etc/motd

RUN echo " built:" $(date) >> /etc/motd \
RUN echo " built:" $(date) >> /etc/motd \
&& echo " branch: " $GITBRANCH >> /etc/motd \
&& echo " gittag: " $GITTAG >> /etc/motd \
&& echo " commit: " $GITCOMMIT >> /etc/motd \
Expand All @@ -76,4 +119,4 @@ RUN echo " built:" $(date) >> /etc/motd \
HEALTHCHECK CMD pgrep "nginx: master process"

ENTRYPOINT ["/docker-entrypoint-waf.sh"]
CMD ["/usr/sbin/nginx", "-g", "daemon off;"]
CMD ["/usr/sbin/nginx", "-g", "daemon off;"]
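Review bot: The nginx source that feeds `./configure` is fetched over plaintext HTTP at `wget http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz`, and none of the three archives downloaded in this file (ModSecurity-nginx, nginx, the CRS tarball) is compared against a known digest, so the compiled module is whatever the network returned at build time. Switch that line to `https://` and pin each archive right after its download, e.g. `&& echo "<sha256-of-nginx-tarball>  nginx-${NGINX_VERSION}.tar.gz" | sha256sum -c -`, with the expected values kept as build ARGs next to the version ARGs. The same loss of pinning shows at the top: the removed base was digest-pinned (`@sha256:…`) while `FROM nginx:${NGINX_VERSION}` is tag-only. No `USER` instruction is visible in either hunk (two lines between them are collapsed), and `USER=nginx` on the ENV line is only an environment variable, while the full toolchain from the `apt-get install` step (build-essential, gcc, the -dev packages) ships in the runtime image; a build stage that produces `ngx_http_modsecurity_module.so` and a runtime stage that `COPY --from`s it would address both.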
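--- /dev/null
+++ b/.docker/Dockerfile-waf-alpine
@@ -0,0 +1,108 @@
+ARG ubuntu_version="jammy"
+FROM ubuntu:${ubuntu_version}
+
+LABEL maintainer="USA.gov Web Ops"
+
+ENV modsecurity_nginx_version="1.0.3"
+ENV nginx_version="1.27.2"
+
+ARG GITBRANCH
+ENV GITBRANCH ${GITBRANCH:-none}
+
+ARG GITCOMMIT
+ENV GITCOMMIT ${GITCOMMIT:-none}
+
+ARG GITTAG
+ENV GITTAG ${GITTAG:-none}
+
+ENV APP_NAME=USAGov \
+PARANOIA=2 \
+ANOMALY_INBOUND=5 \
+ANOMALY_OUTBOUND=4 \
+NGINX_KEEPALIVE_TIMEOUT=60s \
+ERRORLOG=/var/log/nginx/error.log \
+LOGLEVEL=warn \
+USER=nginx \
+PORT=80 \
+SERVERNAME=locahost \
+WORKER_CONNECTIONS=1024 \
+MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \
+MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \
+MODSEC_RULE_ENGINE=on \
+MODSEC_REQ_BODY_ACCESS=on \
+MODSEC_REQ_BODY_LIMIT=13107200 \
+MODSEC_REQ_BODY_NOFILES_LIMIT=131072 \
+MODSEC_RESP_BODY_ACCESS=on \
+MODSEC_RESP_BODY_LIMIT=1048576 \
+MODSEC_PCRE_MATCH_LIMIT=500000 \
+MODSEC_PCRE_MATCH_LIMIT_RECURSION=500000
+
+# RUN sed -i 's/^# deb-src./deb-src /' /etc/apt/sources.list
+RUN sed -i 's/https/http/g' /etc/apk/repositories
+
+RUN apk upgrade --update && \
+apk add bash \
+curl \
+gettext \
+inotify-tools \
+jq \
+make \
+nano \
+sed \
+tar \
+vim \
+wget
+
+# hadolint ignore=DL3008,SC2016
+RUN set -eux; \
+apk add --no-cache \
+ca-certificates;
+
+ARG modsecurity_path=/usr/local/src/modsecurity_nginx
+RUN mkdir -p ${modsecurity_path}
+WORKDIR ${modsecurity_path}
+RUN wget https://github.com/SpiderLabs/ModSecurity-nginx/archive/refs/tags/v${modsecurity_nginx_version}.tar.gz
+RUN tar -xf v${modsecurity_nginx_version}.tar.gz && \
+rm -f v${modsecurity_nginx_version}.tar.gz
+
+WORKDIR /usr/share/nginx/src/
+# RUN apk add --virtual .build-deps nginx
+
+# RUN wget https://nginx.org/download/nginx-${nginx_version}.tar.gz && \
+# tar -xf nginx-${nginx_version}.tar.gz && \
+# rm -f nginx-${nginx_version}.tar.gz
+
+# WORKDIR /usr/share/nginx/src/nginx-${nginx_version}
+
+# RUN ./configure --add-dynamic-module=${modsecurity_path}/ModSecurity-nginx-${modsecurity_nginx_version} --with-compat && \
+# make modules && \
+# cp ./objs/ngx_http_modsecurity_module.so /ngx_http_modsecurity_module.so
+
+# RUN apk del .build-deps
+
+COPY src-waf/docker-entrypoint-waf.sh /
+COPY src-waf/etc/ /etc/
+COPY src-waf/opt/ /opt/
+RUN rm -rf /opt/owasp-crs/tests;
+
+RUN set -eux; \
+mkdir /var/log/modsecurity && \
+touch /var/log/modsecurity/modsec_audit.log;
+
+COPY src-waf/opt/owasp-crs/modsecurity.conf /etc/modsecurity.d/modsecurity.conf
+COPY src-waf/opt/owasp-crs/modsecurity-override.conf /etc/modsecurity.d/modsecurity-override.conf
+COPY src-waf/opt/owasp-crs/setup.conf /etc/modsecurity.d/setup.conf
+COPY src-waf/cert-watcher.sh /cert-watcher.sh
+
+COPY motd /etc/motd
+
+RUN echo " built:" $(date) >> /etc/motd \
+&& echo " branch: " $GITBRANCH >> /etc/motd \
+&& echo " gittag: " $GITTAG >> /etc/motd \
+&& echo " commit: " $GITCOMMIT >> /etc/motd \
+&& echo >> /etc/motd
+
+HEALTHCHECK CMD pgrep "nginx: master process"
+
+ENTRYPOINT ["/docker-entrypoint-waf.sh"]
+CMD ["/usr/sbin/nginx", "-g", "daemon off;"]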
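Review bot: The package steps do not match the base image: `FROM ubuntu:${ubuntu_version}` is Debian-based, yet `RUN sed -i 's/https/http/g' /etc/apk/repositories` and the two `apk` steps after it assume Alpine, so the build should stop at the first of them (no `/etc/apk`, no `apk` binary); either the base becomes an Alpine tag, as the filename suggests, or those steps use `apt-get`. If Alpine is the intent, the `sed` that rewrites repository URLs from https to http should be dropped rather than carried over, since it moves package-index transport to plaintext with no stated reason. The three `ENV GITBRANCH ${GITBRANCH:-none}`-style lines keep the legacy space-separated form that the companion `Dockerfile-waf` converts to `ENV GITBRANCH=${GITBRANCH:-none}` in this same commit, and `SERVERNAME=locahost` keeps the typo that file corrects to `localhost`; match both here. The ModSecurity-nginx tarball fetched by `wget` is not checked against a digest, and the nginx configure/make steps that would actually produce `ngx_http_modsecurity_module.so` are entirely commented out, so as written this image never builds the module it is meant to ship.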
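--- /dev/null
+++ b/.docker/Dockerfile-waf-vote
@@ -0,0 +1,63 @@
+ARG modsecurity_nginx_version="1.0.3"
+ARG nginx_version="1.27.2"
+ARG ubuntu_version="jammy"
+
+FROM docker.io/ubuntu:${ubuntu_version}
+
+ARG modsecurity_nginx_version
+ARG nginx_version
+
+RUN sed -i 's/^# deb-src./deb-src /' /etc/apt/sources.list
+
+RUN apt-get update && \
+apt-get install -y \
+autoconf \
+automake \
+build-essential \
+doxygen \
+dpkg-dev \
+gcc \
+gettext \
+libcurl4 \
+libcurl4-openssl-dev \
+libfuzzy-dev \
+libgeoip-dev \
+liblua5.3-dev \
+libmodsecurity3 \
+libmodsecurity-dev \
+libpcre2-dev \
+libpcre3 \
+libpcre3-dev \
+libtool \
+libxml2 \
+libxml2-dev \
+libyajl-dev \
+make \
+pkg-config \
+software-properties-common \
+ssdeep \
+uuid-dev \
+wget
+
+ARG modsecurity_path=/usr/local/src/modsecurity_nginx
+RUN mkdir -p ${modsecurity_path}
+WORKDIR ${modsecurity_path}
+RUN wget https://github.com/SpiderLabs/ModSecurity-nginx/archive/refs/tags/v${modsecurity_nginx_version}.tar.gz
+RUN tar -xf v${modsecurity_nginx_version}.tar.gz && \
+rm -f v${modsecurity_nginx_version}.tar.gz
+
+WORKDIR /usr/share/nginx/src/
+RUN apt-get build-dep -y nginx
+
+RUN wget https://nginx.org/download/nginx-${nginx_version}.tar.gz && \
+tar -xf nginx-${nginx_version}.tar.gz && \
+rm -f nginx-${nginx_version}.tar.gz
+
+WORKDIR /usr/share/nginx/src/nginx-${nginx_version}
+
+RUN ./configure --add-dynamic-module=${modsecurity_path}/ModSecurity-nginx-${modsecurity_nginx_version} --with-compat && \
+make modules && \
+cp ./objs/ngx_http_modsecurity_module.so /ngx_http_modsecurity_module.so
+
+HEALTHCHECK NONE
+USER nginx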
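Review bot: `USER nginx` on the last line names an account this file never creates; `ubuntu:jammy` ships no `nginx` user and `apt-get build-dep -y nginx` installs build dependencies rather than the nginx package, so unless one of those packages happens to add the user, a container started from this image would likely fail at startup with an unknown-user error. Add `RUN useradd --system --uid 10001 --shell /usr/sbin/nologin nginx` before the `USER` line, or drop `USER` if this image only serves as a module-build stage that another Dockerfile consumes via `COPY --from`. The ModSecurity-nginx and nginx source archives fetched with `wget` are not compared against a pinned digest; a `sha256sum -c` against an expected value recorded as a build ARG, run right after each download, would make the produced `.so` reproducible. The `apt-get install` layer also lacks `--no-install-recommends` and a trailing `rm -rf /var/lib/apt/lists/*`, which inflates an image that already carries the full toolchain.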
29 changes: 0 additions & 29 deletions .docker/src-waf/docker-entrypoint-waf.sh
Expand Up @@ -77,37 +77,8 @@ if [ "$IP_ALLOW_ALL_CMS" == "1" ]; then
export IPS_ALLOWED_CMS=$'\n\tallow all;'"$IPS_ALLOWED_CMS";
fi


# SPACE_NAME=$(echo $VCAP_APPLICATION | jq -r '.["space_name"]')
# WWW_HOST_GUESS="beta-${SPACE_NAME}.usa.gov"
# CMS_HOST_GUESS="cms-${SPACE_NAME}.usa.gov"
# if [ "$SPACE_NAME" == "prod" ]; then
# WWW_HOST_GUESS="beta.usa.gov"
# CMS_HOST_GUESS="cms.usa.gov"
# elif [ "$SPACE_NAME" == "stage" ]; then
# WWW_HOST_GUESS="beta-stage.usa.gov"
# CMS_HOST_GUESS="cms-stage.usa.gov"
# elif [ "$SPACE_NAME" == "dev" ]; then
# WWW_HOST_GUESS="beta-dev.usa.gov"
# CMS_HOST_GUESS="cms-dev.usa.gov"
# fi

# WWW_HOST=${WWW_HOST:-$WWW_HOST_GUESS}
# CMS_HOST=${CMS_HOST:-$CMS_HOST_GUESS}
# export WWW_HOST
# export CMS_HOST

export DNS_SERVER=${DNS_SERVER:-$(grep -i '^nameserver' /etc/resolv.conf|head -n1|cut -d ' ' -f2)}

#ENV_VARIABLES=$(awk 'BEGIN{for(v in ENVIRON) print "$"v}')
#FILES="/etc/nginx/nginx.conf /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/logging.conf /etc/modsecurity.d/modsecurity-override.conf /etc/nginx/snippets/ip-restrict.conf /etc/nginx/snippets/ip-restrict-cms.conf /etc/nginx/snippets/ip-restrict-www.conf /etc/nginx/snippets/ssl.conf /etc/nginx/snippets/proxy-to-app.conf"
# this overwrites the files in place, so be careful mounting in docker
# for FILE in $FILES; do
# if [ -f "$FILE" ]; then
# envsubst "$ENV_VARIABLES" <"$FILE" | sponge "$FILE"
# fi
# done

ENV_VARIABLES=$(awk 'BEGIN{for(v in ENVIRON) print "$"v}')
# this overwrites the files in place, so be careful mounting in docker
echo "Inserting environment variables into nginx config templates ... "