Table of contents generated with markdown-toc
This is a docker image to run a WAF as proxy based on ModSecurity and Core Rules set (CRS) official image.
Using the official OWASP image for ModSecurity-CRS as a base image. The default entrypoint has been changed to supervisord. It's configured to start nginx and php-fpm, initially. Check the Supervisord section for more information.
src directory structure:
├── Dockerfile
├── docker-entrypoint.sh
├── etc
│ ├── modsecurity.d
│ │ └── modsecurity-override.conf
│ ├── nginx
│ │ └── templates
│ │ ├── conf.d
│ │ │ └── default.conf.template
│ │ └── nginx.conf.template
│ ├── supervisor.d
│ │ ├── start_crond.conf
│ │ ├── start_nginx.conf
│ │ └── start_php-fpm.conf
│ └── supervisord.conf
├── html
│ └── 403_error.php
├── server
│ ├── Dockerfile
│ ├── app.py
│ ├── docker-compose.yml
│ ├── requirements.txt
│ └── rules
│ ├── default
│ │ ├── REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
│ │ └── RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
│ └── template
│ ├── REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
│ └── RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
└── sync-crs-rules.sh
| File name | Description |
|---|---|
docker-entrypoint.sh |
entrypoint script |
Dockerfile |
dockerfile |
etc/nginx/templates/nginx.conf.template |
nginx.conf template file |
etc/nginx/templates/conf.d/default.conf.template |
nginx default.conf template file |
etc/supervisord.conf |
supervisord configuration |
etc/supervisor.d/start_crond.conf |
supervisor configuration for crond |
etc/supervisor.d/start_nginx.conf |
supervisor configuration for nginx |
etc/supervisor.d/start_php-fpm.conf |
supervisor configuration for php-fpm |
html/403_error.php |
custom error page |
sync-crs-rules.sh |
script to sync crs rules from a github repo |
The script /sync-crs-rules.sh will sync the CRS rules from a CRS_RULES_SERVER.
| Name | Description |
|---|---|
HOSTNAME |
Hostname that will be used to query CRS_RULES_SERVER |
CRS_RULES_SYNC |
enable/disable the sync of the CRS rules from a github repo |
CRS_RULES_SERVER |
server that serves the modesec rules (example server given in src/server |
CRS_RULES_BRANCH |
branch name to sync the CRS rules from. default: main |
The CRS file are in rules directory and mounted in the container at /opt/owasp-crs/rules by docker-compose
You can set all the environment variables from the official image
The default configuration for supervisor is in etc/supervisord.conf.
The plugin supervisor-stdout is installed to redirect the output of the processes to stdout.
The supervisor load the configuration files from the folder etc/supervisor.d.
Configuration example file for a new service:
[program:nginx]
command=<command to run> # if possible use --no-daemon mode.
stdout_events_enabled = true
stderr_events_enabled = true
autostart=true
Copy to etc/supervisor.d/start_<service>.conf to allow supervisor to load the configuration.
References: