Merge branch 'dev' into USAGOV-1979-use-cdn-with-waf-for-stage
whitealbum authored Jan 13, 2025
2 parents 0b2842e + a922918 commit ac0c8af
Showing 116 changed files with 2,099 additions and 3,035 deletions.
8 changes: 7 additions & 1 deletion .circleci/config.yml
Expand Up @@ -313,7 +313,7 @@ jobs:

lint:
docker:
- image: cimg/php:8.1.27-node
- image: cimg/php:8.3-node
steps:
- checkout
- run:
Expand All @@ -322,11 +322,13 @@ jobs:
npm install --prefix ./web/themes/custom/usagov
composer global config --no-plugins allow-plugins.dealerdirect/phpcodesniffer-composer-installer true
composer global require --dev drupal/coder php-parallel-lint/php-parallel-lint
composer require --dev mglaman/phpstan-drupal phpstan/phpstan phpstan/phpstan-deprecation-rules
COMPOSER_DIR=$(composer -n config --global home)
$COMPOSER_DIR/vendor/bin/phpcs --config-set installed_paths $COMPOSER_DIR/vendor/drupal/coder/coder_sniffer,$COMPOSER_DIR/vendor/sirbrillig/phpcs-variable-analysis,$COMPOSER_DIR/vendor/slevomat/coding-standard
mkdir -p /tmp/results
touch /tmp/results/php-lint.log
touch /tmp/results/php-cs.log
touch /tmp/results/php-stan.log
touch /tmp/results/theme-lint.log
- run:
name: PHP Lint
Expand All @@ -338,6 +340,10 @@ jobs:
command: |
COMPOSER_DIR=$(composer -n config --global home)
$COMPOSER_DIR/vendor/bin/phpcs -ns --standard=./.phpcs.xml.dist | tee /tmp/results/php-cs.log
- run:
name: PHPStan (static analysis, non-blocking)
command: |
(./vendor/bin/phpstan --memory-limit=2G || true) | tee /tmp/results/php-stan.log
- run:
name: Theme Lint
command: npm run lint --prefix ./web/themes/custom/usagov | tee /tmp/results/theme-lint.log
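Review bot: `composer require --dev mglaman/phpstan-drupal phpstan/phpstan phpstan/phpstan-deprecation-rules` in the lint setup step runs against the checkout rather than the global Composer home used on the line above it, so it rewrites composer.json and composer.lock inside the job and resolves whatever versions are current at lint time, which makes the PHPStan result non-reproducible between runs. Either pin the constraints, `composer require --dev mglaman/phpstan-drupal:<VERSION> phpstan/phpstan:<VERSION> phpstan/phpstan-deprecation-rules:<VERSION>`, or commit them as dev dependencies so the normal `composer install` brings them in. The new PHPStan step wraps the call in `(... || true)`, which matches its "non-blocking" label, but it also presumably relies on a phpstan configuration in the repository that this diff does not show; worth confirming it analyses the intended paths rather than nothing. The lint image also moved from `cimg/php:8.1.27-node` to `cimg/php:8.3-node`, dropping the patch-level pin the previous line had.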
11 changes: 0 additions & 11 deletions .docker/Dockerfile-mysql

This file was deleted.

117 changes: 80 additions & 37 deletions .docker/Dockerfile-waf
@@ -1,73 +1,116 @@
FROM owasp/modsecurity-crs@sha256:94c67e36f8c48553b4e51378579f6afc818a5d9d2e0c6e09cf846913ee9fac31
ARG NGINX_VERSION="1.27.3"
FROM nginx:${NGINX_VERSION}

LABEL maintainer="USA.gov Web Ops"

ARG RELEASE=3.3.2

ARG GITBRANCH
ENV GITBRANCH ${GITBRANCH:-none}
ENV GITBRANCH=${GITBRANCH:-none}

ARG GITCOMMIT
ENV GITCOMMIT ${GITCOMMIT:-none}
ENV GITCOMMIT=${GITCOMMIT:-none}

ARG GITTAG
ENV GITTAG ${GITTAG:-none}
ENV GITTAG=${GITTAG:-none}

ENV APP_NAME=USAGov \
PARANOIA=2 \
ANOMALY_INBOUND=5 \
ANOMALY_OUTBOUND=4 \
NGINX_KEEPALIVE_TIMEOUT=60s \
ERRORLOG=/var/log/nginx/error.log \
LOGLEVEL=warn \
USER=nginx \
PORT=80 \
SERVERNAME=locahost \
WORKER_CONNECTIONS=1024 \
MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \
MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \
MODSEC_RULE_ENGINE=on \
MODSEC_PCRE_MATCH_LIMIT=500000 \
MODSEC_PCRE_MATCH_LIMIT_RECURSION=500000 \
MODSEC_REQ_BODY_ACCESS=on \
MODSEC_REQ_BODY_LIMIT=13107200 \
MODSEC_REQ_BODY_NOFILES_LIMIT=131072 \
MODSEC_RESP_BODY_ACCESS=on \
MODSEC_RESP_BODY_LIMIT=1048576 \
MODSEC_PCRE_MATCH_LIMIT=500000 \
MODSEC_PCRE_MATCH_LIMIT_RECURSION=500000

COPY src-waf/docker-entrypoint-waf.sh /
COPY src-waf/etc/ /etc/
COPY src-waf/opt/ /opt/
RUN rm -rf /opt/owasp-crs/tests;
MODSEC_RULE_ENGINE=on \
MODSECURITY_ENGINE_VERSION="3.0.13" \
MODSECURITY_NGINX_VERSION="1.0.3" \
MODSECURITY_CRS_VERSION="4.10.0" \
NGINX_KEEPALIVE_TIMEOUT=60s \
PARANOIA=2 \
PORT=80 \
SERVERNAME=localhost \
USER=nginx \
WORKER_CONNECTIONS=1024

RUN apk upgrade --update && \
apk add vim \
nano \
bash \
jq \
inotify-tools \
gettext \
curl \
sed

# hadolint ignore=DL3008,SC2016
RUN set -eux; \
apk add --no-cache \
ca-certificates;
# \ ln -sv /opt/owasp-crs /etc/modsecurity.d;
RUN apt-get update && \
apt-get install -y \
autoconf \
automake \
build-essential \
dh-autoreconf \
dpkg-dev \
flex \
gcc \
inotify-tools \
libexpat1-dev \
libgeoip-dev \
liblmdb-dev \
liblua5.3-dev \
libmodsecurity-dev \
libmodsecurity3 \
libpcre2-dev \
libpcre3 \
libpcre3-dev \
libssl-dev \
libtool \
libyajl-dev \
locales \
lua5.3-dev \
make \
pkg-config \
procps \
wget \
zlib1g-dev

RUN set -eux; \
mkdir /var/log/modsecurity && \
touch /var/log/modsecurity/modsec_audit.log;

RUN cd /tmp \
&& wget https://github.com/owasp-modsecurity/ModSecurity-nginx/releases/download/v${MODSECURITY_NGINX_VERSION}/modsecurity-nginx-v${MODSECURITY_NGINX_VERSION}.tar.gz \
&& tar -xvf modsecurity-nginx-v${MODSECURITY_NGINX_VERSION}.tar.gz \
&& rm modsecurity-nginx-v${MODSECURITY_NGINX_VERSION}.tar.gz \
&& mkdir -p /opt/modsecurity-nginx-v${MODSECURITY_NGINX_VERSION} \
&& mv modsecurity-nginx-v${MODSECURITY_NGINX_VERSION}/* /opt/modsecurity-nginx-v${MODSECURITY_NGINX_VERSION}/ \
&& wget http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz \
&& tar -xvf nginx-${NGINX_VERSION}.tar.gz \
&& rm nginx-${NGINX_VERSION}.tar.gz \
&& mkdir -p /opt/nginx-${NGINX_VERSION} \
&& mv nginx-${NGINX_VERSION}/* /opt/nginx-${NGINX_VERSION}/ \
&& cd /opt/nginx-${NGINX_VERSION} \
&& ARGS=$(nginx -V 2>&1 | grep -oP '(?<=configure arguments: ).*?(?=--with-cc-opt)') \
&& ./configure --add-dynamic-module=../modsecurity-nginx-v${MODSECURITY_NGINX_VERSION} --with-compat $ARGS \
&& make modules \
&& cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules

RUN cd /tmp \
&& wget https://github.com/coreruleset/coreruleset/releases/download/v${MODSECURITY_CRS_VERSION}/coreruleset-${MODSECURITY_CRS_VERSION}-minimal.tar.gz \
&& tar -xvf coreruleset-${MODSECURITY_CRS_VERSION}-minimal.tar.gz \
&& rm coreruleset-${MODSECURITY_CRS_VERSION}-minimal.tar.gz \
&& mkdir -p /etc/modsecurity.d/modsecurity-crs \
&& mv coreruleset-${MODSECURITY_CRS_VERSION}/* /etc/modsecurity.d/modsecurity-crs/ \
&& mv /etc/modsecurity.d/modsecurity-crs/crs-setup.conf.example /etc/modsecurity.d/modsecurity-crs/crs-setup.conf \
&& mv /etc/modsecurity.d/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /etc/modsecurity.d/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

COPY src-waf/docker-entrypoint-waf.sh /
COPY src-waf/etc/ /etc/
COPY src-waf/opt/ /opt/
RUN rm -rf /opt/owasp-crs/tests;

COPY src-waf/opt/owasp-crs/modsecurity.conf /etc/modsecurity.d/modsecurity.conf
COPY src-waf/opt/owasp-crs/modsecurity-override.conf /etc/modsecurity.d/modsecurity-override.conf
COPY src-waf/opt/owasp-crs/setup.conf /etc/modsecurity.d/setup.conf

COPY src-waf/cert-watcher.sh /cert-watcher.sh

COPY motd /etc/motd

RUN echo " built:" $(date) >> /etc/motd \
RUN echo " built:" $(date) >> /etc/motd \
&& echo " branch: " $GITBRANCH >> /etc/motd \
&& echo " gittag: " $GITTAG >> /etc/motd \
&& echo " commit: " $GITCOMMIT >> /etc/motd \
Expand All @@ -76,4 +119,4 @@ RUN echo " built:" $(date) >> /etc/motd \
HEALTHCHECK CMD pgrep "nginx: master process"

ENTRYPOINT ["/docker-entrypoint-waf.sh"]
CMD ["/usr/sbin/nginx", "-g", "daemon off;"]
CMD ["/usr/sbin/nginx", "-g", "daemon off;"]
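Review bot: The nginx source that the ModSecurity module is compiled against is fetched over plain HTTP with no integrity check, `wget http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz`, so the `ngx_http_modsecurity_module.so` copied into `/etc/nginx/modules` is built from a tarball whose origin and contents are never verified; the CRS archive a few lines later is fetched over HTTPS but is likewise unverified. Switch to `wget https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz` and add `&& echo "<NGINX_TARBALL_SHA256>  nginx-${NGINX_VERSION}.tar.gz" | sha256sum -c -` before the extract, with the same treatment for the coreruleset tarball. The base image also regressed from a digest-pinned `owasp/modsecurity-crs@sha256:…` to `nginx:${NGINX_VERSION}` by tag only, so the image is no longer reproducible from the Dockerfile alone. Because there is no builder stage, the whole toolchain from the `apt-get install` block (build-essential, gcc, the -dev headers) plus the apt lists stay in the runtime WAF image; a separate build stage that only `COPY --from`s the `.so` and the CRS directory would remove that surface and the size. `MODSECURITY_ENGINE_VERSION="3.0.13"` is exported but nothing in the hunk installs that version — `libmodsecurity3` comes unpinned from the distro repository — so presumably the value is informational; confirm it is not read by the entrypoint as a statement of what is actually linked.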
108 changes: 108 additions & 0 deletions .docker/Dockerfile-waf-alpine
@@ -0,0 +1,108 @@
ARG ubuntu_version="jammy"
FROM ubuntu:${ubuntu_version}

LABEL maintainer="USA.gov Web Ops"

ENV modsecurity_nginx_version="1.0.3"
ENV nginx_version="1.27.2"

ARG GITBRANCH
ENV GITBRANCH ${GITBRANCH:-none}

ARG GITCOMMIT
ENV GITCOMMIT ${GITCOMMIT:-none}

ARG GITTAG
ENV GITTAG ${GITTAG:-none}

ENV APP_NAME=USAGov \
PARANOIA=2 \
ANOMALY_INBOUND=5 \
ANOMALY_OUTBOUND=4 \
NGINX_KEEPALIVE_TIMEOUT=60s \
ERRORLOG=/var/log/nginx/error.log \
LOGLEVEL=warn \
USER=nginx \
PORT=80 \
SERVERNAME=locahost \
WORKER_CONNECTIONS=1024 \
MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \
MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \
MODSEC_RULE_ENGINE=on \
MODSEC_REQ_BODY_ACCESS=on \
MODSEC_REQ_BODY_LIMIT=13107200 \
MODSEC_REQ_BODY_NOFILES_LIMIT=131072 \
MODSEC_RESP_BODY_ACCESS=on \
MODSEC_RESP_BODY_LIMIT=1048576 \
MODSEC_PCRE_MATCH_LIMIT=500000 \
MODSEC_PCRE_MATCH_LIMIT_RECURSION=500000

# RUN sed -i 's/^# deb-src./deb-src /' /etc/apt/sources.list
RUN sed -i 's/https/http/g' /etc/apk/repositories

RUN apk upgrade --update && \
apk add bash \
curl \
gettext \
inotify-tools \
jq \
make \
nano \
sed \
tar \
vim \
wget

# hadolint ignore=DL3008,SC2016
RUN set -eux; \
apk add --no-cache \
ca-certificates;

ARG modsecurity_path=/usr/local/src/modsecurity_nginx
RUN mkdir -p ${modsecurity_path}
WORKDIR ${modsecurity_path}
RUN wget https://github.com/SpiderLabs/ModSecurity-nginx/archive/refs/tags/v${modsecurity_nginx_version}.tar.gz
RUN tar -xf v${modsecurity_nginx_version}.tar.gz && \
rm -f v${modsecurity_nginx_version}.tar.gz

WORKDIR /usr/share/nginx/src/
# RUN apk add --virtual .build-deps nginx

# RUN wget https://nginx.org/download/nginx-${nginx_version}.tar.gz && \
# tar -xf nginx-${nginx_version}.tar.gz && \
# rm -f nginx-${nginx_version}.tar.gz

# WORKDIR /usr/share/nginx/src/nginx-${nginx_version}

# RUN ./configure --add-dynamic-module=${modsecurity_path}/ModSecurity-nginx-${modsecurity_nginx_version} --with-compat && \
# make modules && \
# cp ./objs/ngx_http_modsecurity_module.so /ngx_http_modsecurity_module.so

# RUN apk del .build-deps

COPY src-waf/docker-entrypoint-waf.sh /
COPY src-waf/etc/ /etc/
COPY src-waf/opt/ /opt/
RUN rm -rf /opt/owasp-crs/tests;

RUN set -eux; \
mkdir /var/log/modsecurity && \
touch /var/log/modsecurity/modsec_audit.log;

COPY src-waf/opt/owasp-crs/modsecurity.conf /etc/modsecurity.d/modsecurity.conf
COPY src-waf/opt/owasp-crs/modsecurity-override.conf /etc/modsecurity.d/modsecurity-override.conf
COPY src-waf/opt/owasp-crs/setup.conf /etc/modsecurity.d/setup.conf
COPY src-waf/cert-watcher.sh /cert-watcher.sh

COPY motd /etc/motd

RUN echo " built:" $(date) >> /etc/motd \
&& echo " branch: " $GITBRANCH >> /etc/motd \
&& echo " gittag: " $GITTAG >> /etc/motd \
&& echo " commit: " $GITCOMMIT >> /etc/motd \
&& echo >> /etc/motd

HEALTHCHECK CMD pgrep "nginx: master process"

ENTRYPOINT ["/docker-entrypoint-waf.sh"]
CMD ["/usr/sbin/nginx", "-g", "daemon off;"]
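Review bot: `FROM ubuntu:${ubuntu_version}` is combined with `apk upgrade`, `apk add` and a `sed -i` on `/etc/apk/repositories`, none of which exist on an Ubuntu base, so as far as this file shows the build stops at the first `sed -i`; the filename suggests an Alpine base was intended, in which case the `FROM` line is the one to change. Independently of the base, `sed -i 's/https/http/g' /etc/apk/repositories` downgrades the package mirrors to plain HTTP for no stated reason; apk's package signatures cover integrity, but a WAF image should keep the transport as shipped or carry a comment explaining why it cannot. The nginx download, `./configure --add-dynamic-module=…` and `make modules` steps are all commented out and no nginx package is installed, so nothing in this file produces the `/usr/sbin/nginx` that `CMD` runs or the module the ModSecurity config expects; if this is work in progress, a header comment saying so (and that the image is not deployable yet) would save the next reader the trace. `ENV GITBRANCH ${GITBRANCH:-none}`, and the GITCOMMIT and GITTAG lines, use the legacy space-separated form that the sibling Dockerfile-waf in this same commit already converts to `ENV GITBRANCH=${GITBRANCH:-none}`.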
63 changes: 63 additions & 0 deletions .docker/Dockerfile-waf-vote
@@ -0,0 +1,63 @@
ARG modsecurity_nginx_version="1.0.3"
ARG nginx_version="1.27.2"
ARG ubuntu_version="jammy"

FROM docker.io/ubuntu:${ubuntu_version}

ARG modsecurity_nginx_version
ARG nginx_version

RUN sed -i 's/^# deb-src./deb-src /' /etc/apt/sources.list

RUN apt-get update && \
apt-get install -y \
autoconf \
automake \
build-essential \
doxygen \
dpkg-dev \
gcc \
gettext \
libcurl4 \
libcurl4-openssl-dev \
libfuzzy-dev \
libgeoip-dev \
liblua5.3-dev \
libmodsecurity3 \
libmodsecurity-dev \
libpcre2-dev \
libpcre3 \
libpcre3-dev \
libtool \
libxml2 \
libxml2-dev \
libyajl-dev \
make \
pkg-config \
software-properties-common \
ssdeep \
uuid-dev \
wget

ARG modsecurity_path=/usr/local/src/modsecurity_nginx
RUN mkdir -p ${modsecurity_path}
WORKDIR ${modsecurity_path}
RUN wget https://github.com/SpiderLabs/ModSecurity-nginx/archive/refs/tags/v${modsecurity_nginx_version}.tar.gz
RUN tar -xf v${modsecurity_nginx_version}.tar.gz && \
rm -f v${modsecurity_nginx_version}.tar.gz

WORKDIR /usr/share/nginx/src/
RUN apt-get build-dep -y nginx

RUN wget https://nginx.org/download/nginx-${nginx_version}.tar.gz && \
tar -xf nginx-${nginx_version}.tar.gz && \
rm -f nginx-${nginx_version}.tar.gz

WORKDIR /usr/share/nginx/src/nginx-${nginx_version}

RUN ./configure --add-dynamic-module=${modsecurity_path}/ModSecurity-nginx-${modsecurity_nginx_version} --with-compat && \
make modules && \
cp ./objs/ngx_http_modsecurity_module.so /ngx_http_modsecurity_module.so

HEALTHCHECK NONE
USER nginx
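Review bot: The ModSecurity-nginx archive fetched with `wget https://github.com/SpiderLabs/ModSecurity-nginx/archive/refs/tags/v${modsecurity_nginx_version}.tar.gz` has no integrity check, so the module this builder emits as `/ngx_http_modsecurity_module.so` is trusted on the TLS connection alone; add `RUN echo "<MODSEC_NGINX_TARBALL_SHA256>  v${modsecurity_nginx_version}.tar.gz" | sha256sum -c -` before the `tar -xf`, and the same for the nginx tarball downloaded later. `USER nginx` on the last line names a user that nothing in this file creates — only nginx's build dependencies are installed, not nginx itself — so a container started from this image would fail to resolve the user; if the image exists only to be consumed via `COPY --from`, a one-line comment stating that would make the `HEALTHCHECK NONE` / `USER` pairing intelligible, otherwise add a `useradd --system nginx`. The `nginx_version` default of 1.27.2 here differs from the 1.27.3 in Dockerfile-waf in this same commit; if this module is meant to be loaded by that image, the version should come from a single source so the module and the running nginx do not drift apart.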
9 changes: 9 additions & 0 deletions .docker/src-cron/etc/periodic/1min/cfevents.sh
@@ -1,6 +1,15 @@
#!/usr/bin/env bash

SPACE=$1
if [ x$SPACE = x ]; then
SPACE=$(echo $VCAP_APPLICATION | jq -r '.space_name')
else
shift
fi

if [ x$CFEVENT_RUN = x ]; then
exit 0;
fi

source ~/.profile $SPACE event &> /dev/null

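Review bot: `SPACE=$(echo $VCAP_APPLICATION | jq -r '.space_name')` expands the JSON unquoted, so the shell word-splits it and glob-expands any `*` or `?` it contains before jq ever sees the text; `SPACE=$(printf '%s' "$VCAP_APPLICATION" | jq -r '.space_name')` passes it through intact. `[ x$SPACE = x ]` and `[ x$CFEVENT_RUN = x ]` also leave the variables unquoted, so a value with whitespace breaks the test; `[ -z "$SPACE" ]` and `[ -z "$CFEVENT_RUN" ]` are the portable form. The `CFEVENT_RUN` gate sits below the space lookup, so jq runs every minute even when event reporting is disabled; moving that check to the top of the script avoids the work and keeps the disabled path free of any dependency on `VCAP_APPLICATION`. The rest of the script continues outside the hunk.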