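# syntax=docker/dockerfile:1
#
# nginx mainline + libmodsecurity v3 (ModSecurity-nginx connector built as a
# dynamic module) + OWASP Core Rule Set + ngx_brotli + headers-more, in three
# stages:
#
#   build  - compile nginx and libmodsecurity into /opt/nginx and
#            /opt/modsecurity, stage the CRS under /opt/owasp-crs
#   pkg    - fetch the Alpine runtime libraries the binaries link against
#   deploy - minimal runtime image; nginx runs as UID/GID 1000 on 8080/8443
#
# Both the build and the runtime base are pinned to the same Alpine release
# (3.19). Keep them in step: the pkg stage deliberately does not ship
# libssl/libcrypto, so the nginx binary links against the OpenSSL shipped by
# the runtime base.

##
## Build
##
FROM harbor.repository.lb.home.dc.internal.amuz.es/infrastructure/alpine-base:3.19-latest AS build

WORKDIR /usr/local/src

ARG VERSION="1.25.4"
ARG MODSEC_VER=3.0.12
ARG MODSEC_NGX_VER=1.0.3
ARG OWASP_CRS_VER=4.0.0

# Optional SHA-256 of each upstream release tarball. Empty (the default) skips
# the check so existing builds keep working; CI should set these from the
# upstream release pages so a tampered download cannot end up inside the WAF.
# Archives are written to disk and verified *before* extraction -- the previous
# "wget -O - | tar" also hid a failed download behind tar's exit status.
ARG NGINX_SHA256=""
ARG MODSEC_SHA256=""
ARG MODSEC_NGX_SHA256=""
ARG OWASP_CRS_SHA256=""

# Optional tag or commit for the git-fetched modules. Empty follows the default
# branch tip, which is not reproducible; pin these for release builds.
ARG NGX_BROTLI_REF=""
ARG HEADERS_MORE_REF=""

# Compiler and linker options shared by libmodsecurity and nginx so both get the
# same hardening: stack protector, FORTIFY_SOURCE, format-string errors, PIE,
# full RELRO (-z relro -z now), --as-needed and LTO. nginx adds
# -DTCP_FASTOPEN=23 on top (see its ./configure below).
ARG BUILD_CFLAGS="-Wno-error -O2 -flto -ffat-lto-objects -funsafe-math-optimizations -fstack-protector -fcode-hoisting -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2"
ARG BUILD_LDFLAGS="-Wl,-Bsymbolic-functions -flto=auto -Wl,--as-needed -pie -Wl,-z,relro -Wl,-z,now -Wl,-Bsymbolic -Wl,--gc-sections -fPIC -flto=auto -ffat-lto-objects"

### Fetch Build Dependencies
# Local patches applied to the nginx source tree (see the nginx build step).
COPY patch /usr/local/src/patch

RUN set -xeu && \
    apk --no-cache add \
        autoconf \
        automake \
        build-base \
        libtool \
        musl-utils \
        util-linux \
        util-linux-dev \
        tar \
        openssl-dev \
        pcre2-dev \
        linux-headers \
        libatomic_ops-dev \
        zlib-dev \
        libaio-dev \
        bash \
        alpine-sdk \
        cmake \
        git \
        findutils \
        pkgconf \
        # libmodsecurity
        byacc \
        flex \
        libxml2-dev \
        lmdb-dev \
        yajl-dev \
        libfuzzy2-dev

### libmodsecurity
# CFLAGS/CXXFLAGS/LDFLAGS are handed to ./configure rather than only to make:
# automake-generated Makefiles assign these variables themselves and ignore
# values that arrive solely through make's environment. This also replaces the
# former "LDLAGS=" typo, which silently dropped every link-time hardening flag
# (relro/now/as-needed) for libmodsecurity.so.
RUN set -xeu && \
    wget -qO modsecurity.tar.gz "https://github.com/owasp-modsecurity/ModSecurity/releases/download/v${MODSEC_VER}/modsecurity-v${MODSEC_VER}.tar.gz" && \
    { [ -z "${MODSEC_SHA256}" ] || [ "$(sha256sum modsecurity.tar.gz | cut -d' ' -f1)" = "${MODSEC_SHA256}" ]; } && \
    mkdir -p modsecurity && \
    tar -zxf modsecurity.tar.gz --strip-components=1 -C modsecurity && \
    rm -f modsecurity.tar.gz && \
    cd modsecurity && \
    ./build.sh && \
    ./configure \
        --prefix=/opt/modsecurity \
        # --disable-debug-logs \
        --with-pcre2=yes \
        --with-libxml=yes \
        --with-curl=no \
        --with-ssdeep=yes \
        --with-lmdb=yes \
        --with-yajl=yes \
        --with-lua=no \
        --with-geoip=no \
        --with-maxmind=no \
        --disable-examples \
        --disable-doxygen-doc \
        CFLAGS="${BUILD_CFLAGS}" \
        CXXFLAGS="${BUILD_CFLAGS}" \
        LDFLAGS="${BUILD_LDFLAGS}" && \
    make -j "$(nproc)" && \
    make install && \
    find /opt/modsecurity && \
    ldd /opt/modsecurity/lib/libmodsecurity.so && \
    # only the shared library is consumed by the nginx connector; the old
    # "rm X && /path/libmodsecurity.la" tried to execute the .la file instead
    rm -f /opt/modsecurity/lib/libmodsecurity.a /opt/modsecurity/lib/libmodsecurity.la

### ModSecurity-nginx connector source (compiled by nginx's ./configure below)
RUN set -xeu && \
    wget -qO modsecurity-nginx.tar.gz "https://github.com/owasp-modsecurity/ModSecurity-nginx/releases/download/v${MODSEC_NGX_VER}/modsecurity-nginx-v${MODSEC_NGX_VER}.tar.gz" && \
    { [ -z "${MODSEC_NGX_SHA256}" ] || [ "$(sha256sum modsecurity-nginx.tar.gz | cut -d' ' -f1)" = "${MODSEC_NGX_SHA256}" ]; } && \
    mkdir -p modsecurity-nginx && \
    tar -zxf modsecurity-nginx.tar.gz --strip-components=1 -C modsecurity-nginx && \
    rm -f modsecurity-nginx.tar.gz

### OWASP Core Rule Set
# The shipped example setup is used unmodified as crs-setup.conf; site-specific
# tuning is expected to come from /opt/modsecurity/etc (modsecurity.d, deploy stage).
RUN set -xeu && \
    wget -qO owasp-crs.tar.gz "https://github.com/coreruleset/coreruleset/archive/refs/tags/v${OWASP_CRS_VER}.tar.gz" && \
    { [ -z "${OWASP_CRS_SHA256}" ] || [ "$(sha256sum owasp-crs.tar.gz | cut -d' ' -f1)" = "${OWASP_CRS_SHA256}" ]; } && \
    mkdir -p /opt/owasp-crs && \
    tar -zxf owasp-crs.tar.gz --strip-components=1 -C /opt/owasp-crs && \
    rm -f owasp-crs.tar.gz && \
    mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf

### ngx_brotli (statically linked into nginx, so brotli itself must be built first)
# -march=native/-mtune=native were dropped from the brotli CFLAGS: the objects
# end up inside the nginx binary and would SIGILL on a host with a different
# CPU than the build machine; they also made the image non-reproducible.
RUN set -xeu && \
    git clone --recurse-submodules -j8 https://github.com/google/ngx_brotli && \
    { [ -z "${NGX_BROTLI_REF}" ] || git -C ngx_brotli checkout --recurse-submodules "${NGX_BROTLI_REF}"; } && \
    mkdir ngx_brotli/deps/brotli/out && \
    cd ngx_brotli/deps/brotli/out && \
    cmake \
        -DCMAKE_BUILD_TYPE=Release \
        -DBUILD_SHARED_LIBS=OFF \
        -DCMAKE_C_FLAGS="-O3 -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" \
        -DCMAKE_INSTALL_PREFIX=./installed .. && \
    cmake --build . --config Release --target brotlienc

# git clone https://github.com/yaoweibin/nginx_upstream_check_module && \

### headers-more
RUN set -xeu && \
    git clone https://github.com/openresty/headers-more-nginx-module && \
    { [ -z "${HEADERS_MORE_REF}" ] || git -C headers-more-nginx-module checkout "${HEADERS_MORE_REF}"; }

### nginx
# MODSECURITY_LIB/MODSECURITY_INC point the connector's config script at the
# libmodsecurity built above. --build is a free-form string shown by `nginx -V`.
RUN set -xeu && \
    wget -qO nginx.tar.gz "https://nginx.org/download/nginx-${VERSION}.tar.gz" && \
    { [ -z "${NGINX_SHA256}" ] || [ "$(sha256sum nginx.tar.gz | cut -d' ' -f1)" = "${NGINX_SHA256}" ]; } && \
    mkdir -p nginx && \
    tar -zxf nginx.tar.gz --strip-components=1 -C nginx && \
    rm -f nginx.tar.gz && \
    cd nginx && \
    for i in /usr/local/src/patch/*.patch; do \
        # an empty patch directory leaves the literal glob behind; skip it
        [ -e "$i" ] || continue; \
        echo "Applying ${i}..."; \
        patch -Np1 -i "$i" || exit 1; \
    done && \
    MODSECURITY_LIB="/opt/modsecurity/lib" \
    MODSECURITY_INC="/opt/modsecurity/include" \
    ./configure \
        --build="amazing from here" \
        # -DTCP_FASTOPEN=23 force-enables TCP Fast Open (Linux socket option number)
        --with-cc-opt="-DTCP_FASTOPEN=23 ${BUILD_CFLAGS}" \
        --with-ld-opt="${BUILD_LDFLAGS}" \
        --prefix=/opt/nginx \
        --add-module=/usr/local/src/headers-more-nginx-module \
        --add-module=/usr/local/src/ngx_brotli \
        --add-dynamic-module=/usr/local/src/modsecurity-nginx \
        --modules-path=modules \
        --conf-path=etc/nginx.conf \
        --pid-path=tmp/nginx.pid \
        --lock-path=tmp/nginx.lock \
        --without-select_module \
        --without-poll_module \
        --with-threads \
        --with-file-aio \
        --with-http_ssl_module \
        --with-http_v2_module \
        --with-http_v3_module \
        --with-http_realip_module \
        --with-http_gunzip_module \
        --with-http_gzip_static_module \
        # attack surface we do not need behind a WAF: no SSI, no cookie tracking,
        # no basic auth, no fastcgi/uwsgi/scgi/memcached upstreams, no mail proxy
        --without-http_ssi_module \
        --without-http_userid_module \
        --without-http_auth_basic_module \
        --without-http_fastcgi_module \
        --without-http_uwsgi_module \
        --without-http_scgi_module \
        --without-http_memcached_module \
        --without-http_browser_module \
        --http-client-body-temp-path=tmp/client_body \
        --http-proxy-temp-path=tmp/proxy \
        --without-mail_smtp_module \
        --without-mail_imap_module \
        --without-mail_pop3_module \
        --with-stream=dynamic \
        --with-stream_ssl_module \
        --with-stream_realip_module \
        --with-stream_ssl_preread_module \
        --with-pcre \
        --with-pcre-jit \
        --with-libatomic && \
    make -j "$(nproc)" && \
    make install && \
    ldd /opt/nginx/sbin/nginx && \
    # find /opt/nginx/modules -type f -name '*.so' -print0 |awk -F'\0' '{printf("echo \"library %s\";ldd \"%s\"\n",$0,$0)}' |sh && \
    find /opt/nginx && \
    cat /opt/nginx/etc/nginx.conf && \
    # replace the default docroot with just the two stock pages
    rm -r /opt/nginx/html/ && \
    mkdir -p /opt/nginx/etc/conf.d/ /opt/nginx/html/ && \
    install -m644 html/index.html /opt/nginx/html/ && \
    install -m644 html/50x.html /opt/nginx/html/ && \
    # log to the container's stdout/stderr
    ln -sf /dev/stdout /opt/nginx/logs/access.log && \
    ln -sf /dev/stderr /opt/nginx/logs/error.log && \
    cd /opt/nginx && \
    # parameter files for the upstream modules disabled above
    rm \
        etc/fastcgi_params \
        etc/fastcgi_params.default \
        etc/fastcgi.conf \
        etc/fastcgi.conf.default \
        etc/uwsgi_params \
        etc/uwsgi_params.default \
        etc/scgi_params \
        etc/scgi_params.default && \
    strip -X -x -s -v sbin/nginx

### ModSecurity runtime configuration skeleton
# The recommended config and the unicode mapping are taken from the source tree;
# the audit log directory lives under /opt/nginx/logs so it is writable by the
# runtime user (see the chown in the deploy stage).
RUN set -xeu && \
    mkdir -p /opt/modsecurity/etc && \
    mkdir -p /opt/nginx/logs/audit && \
    cp -af /usr/local/src/modsecurity/modsecurity.conf-recommended /opt/modsecurity/etc/modsecurity.conf && \
    cp -af /usr/local/src/modsecurity/unicode.mapping /opt/modsecurity/etc/unicode.mapping

##
## PKG - runtime shared libraries for the deploy stage
##
FROM harbor.repository.lb.home.dc.internal.amuz.es/infrastructure/alpine-base:3.19-latest AS pkg

WORKDIR /

RUN set -xeu && \
    mkdir -p /pkgs /output && \
    apk --no-cache fetch -R -o /pkgs \
        openssl \
        pcre2 \
        zlib \
        musl-utils \
        # libmodsecurity
        xz-libs \
        libxml2 \
        libfuzzy2 \
        lmdb \
        yajl \
        libstdc++ && \
    # verify the package signatures here: the archives are unpacked below with
    # plain tar, which performs no verification of its own
    apk verify /pkgs/*.apk && \
    # NOTE(review): these are dropped on the assumption that the runtime base
    # (same Alpine release) already provides busybox, the CA bundle and
    # libssl/libcrypto -- confirm against minimal-toolbox; shipping a second
    # libssl copy here would shadow the base image's patched one.
    rm -f \
        /pkgs/busybox-*.apk \
        /pkgs/ca-certificates-*.apk \
        /pkgs/libcrypto3-*.apk \
        /pkgs/libssl3-*.apk \
        /pkgs/ssl_client-*.apk && \
    for f in /pkgs/*.apk; do \
        echo "extracting ${f}"; \
        tar -zxf "$f" -C /output || exit 1; \
    done && \
    # drop apk metadata (.PKGINFO, .SIGN.*) so it does not get copied into /
    find /output -type f -name '.*' -delete

##
## Deploy
##
FROM harbor.repository.lb.home.dc.internal.amuz.es/infrastructure/minimal-toolbox:3.19-latest

COPY --from=build /opt/nginx /opt/nginx
COPY --from=build /opt/owasp-crs /opt/owasp-crs
COPY --from=build /opt/modsecurity /opt/modsecurity
COPY --from=pkg /output /pkg
# site-specific ModSecurity configuration (layered over the recommended config)
COPY modsecurity.d /opt/modsecurity/etc

# overlay the fetched Alpine runtime libraries onto the root filesystem
RUN set -xeu && \
    cp -af /pkg/* / && \
    rm -rf /pkg

COPY nginx.conf /opt/nginx/etc/nginx.conf
COPY nginx.vh.no-default.conf /opt/nginx/etc/conf.d/default.conf
COPY docker-entrypoint.sh /
COPY /docker-entrypoint.d /docker-entrypoint.d

RUN set -xeu && \
    mkdir -p /usr/local/sbin && \
    ln -sf /opt/nginx/sbin/nginx /usr/local/sbin/nginx && \
    mkdir -p /opt/nginx/etc/templates \
        /opt/nginx/etc/stream-conf.d \
        /opt/nginx/etc/conf.d \
        /opt/nginx/tmp \
        /opt/nginx/logs && \
    # NOTE(review): handing all of /opt/nginx/etc to the runtime user lets a
    # compromised worker rewrite its own configuration (the CRS and
    # /opt/modsecurity/etc stay root-owned). Presumably the entrypoint renders
    # etc/templates into etc/conf.d and etc/stream-conf.d at start-up and needs
    # write access there; if that is all it writes, narrow this chown to those
    # directories plus tmp and logs.
    chown -R 1000:1000 \
        /opt/nginx/etc \
        /opt/nginx/tmp \
        /opt/nginx/logs && \
    # conf.d/core-extra is not part of this image; it is expected to be supplied
    # through the conf.d volume or the entrypoint, so this link dangles until then
    ln -sf ./conf.d/core-extra /opt/nginx/etc/nginx.extra.conf

WORKDIR /opt/nginx

LABEL org.opencontainers.image.authors="Sangbum Kim "

# unprivileged ports only: the process runs as UID 1000 (8443/udp is HTTP/3)
EXPOSE 8080 8443 8443/udp

# nginx performs a graceful shutdown on SIGQUIT
STOPSIGNAL SIGQUIT

# tini is assumed to be provided by the minimal-toolbox base; the entrypoint
# script is expected to end with `exec "$@"` so nginx becomes tini's child
ENTRYPOINT [ "/sbin/tini", "-s", "--", "/docker-entrypoint.sh"]

USER 1000:1000

# declared after the directories above were created and chowned
VOLUME ["/opt/nginx/etc/conf.d", "/opt/nginx/html", "/opt/nginx/tmp", "/opt/nginx/logs"]

ENV PATH="/opt/nginx/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

CMD ["nginx", "-g", "daemon off;"]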