
Docker file from nginx:alpine with ModSecurity (lib v3)


traceflight/nginx-with-waf

 
 


Nginx with WAF

Based on the official nginx Dockerfile, with ModSecurity v3 added as a WAF.

Usage

Pull the image

docker pull traceflight/nginx-with-waf

Run

docker run -d -v /path/to/conf/:/etc/nginx/conf.d/ \
              -v /path/to/log/:/var/log/nginx/ \
              -p 80:80 -p 443:443 \
              traceflight/nginx-with-waf

Or use docker compose; create a docker-compose.yml file:

version: '3'
services:
  nginx:
    image: traceflight/nginx-with-waf
    restart: always
    volumes:
      - /path/to/conf/:/etc/nginx/conf.d/
      - /path/to/log/:/var/log/nginx/
    ports:
      - "80:80"
      - "443:443"

Run the following command:

docker-compose up -d

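WAF configuration

ModSecurity is enabled by default. The owasp-modsecurity-crs rule set it uses may block legitimate application traffic. To turn ModSecurity off, add the following statement to the site's configuration: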

modsecurity off;
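
Because `modsecurity off;` silently removes WAF coverage wherever it appears, it helps to know which site configs carry it. The script below is an added example, not part of this repository: it scans the host directory mounted at /etc/nginx/conf.d/ and lists every uncommented `modsecurity off;`. The function names, the `*.conf` file pattern and the sample configs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the repository): audit a conf.d directory for
# active "modsecurity off;" directives. Function names are hypothetical.

# find_waf_off DIR: print "file:line:text" for each uncommented directive.
find_waf_off() {
    find "$1" -type f -name '*.conf' | sort | while IFS= read -r f; do
        awk -v file="$f" '
            { line = $0; sub(/#.*/, "", line) }   # ignore nginx comments
            line ~ /(^|[ \t;{])modsecurity[ \t]+off[ \t]*;/ {
                printf "%s:%d:%s\n", file, NR, $0
            }' "$f"
    done
}

# count_waf_off DIR: number of active directives found.
count_waf_off() { find_waf_off "$1" | wc -l | tr -d ' '; }

# make_sample DIR: write two constructed site configs for a dry run.
make_sample() {
    mkdir -p "$1"
    cat > "$1/app.conf" <<'EOF'
server {
    listen 80;
    server_name app.example.test;
    location / { proxy_pass http://127.0.0.1:8080; }
    location /upload {
        modsecurity off;   # constructed: WAF bypassed for this path only
        proxy_pass http://127.0.0.1:8080;
    }
}
EOF
    cat > "$1/static.conf" <<'EOF'
server {
    listen 80;
    server_name static.example.test;
    # modsecurity off;
    root /usr/share/nginx/html;
}
EOF
}

# Usage: sh audit.sh /path/to/conf/
if [ -n "${1:-}" ]; then find_waf_off "$1"; fi
```

The comment stripping is line-based and treats any `#` as the start of a comment, so a `#` inside a quoted string on the same line would hide a directive that follows it.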

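Dependencies

Differences from the official Dockerfile

The following command shows the differences between the current version and the official Nginx Dockerfile: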

diff <(curl -fsL https://github.com/nginxinc/docker-nginx/raw/1.15.12/mainline/alpine-perl/Dockerfile) <(curl -fsL https://github.com/traceflight/nginx-with-waf/raw/1.15.12/Dockerfile)

NGINX with libModSecurity + ModSecurity-nginx connector + OWASP ModSecurity Core Rule Set (CRS)

The Dockerfile of this container has been copied from the official nginx repo (alpine-perl variant) and modified to add the ModSecurity library (v3), the ModSecurity nginx connector and the OWASP ModSecurity Core Rule Set (CRS).

You can refer to the official nginx image documentation for instructions on how to use this image.

When you provide your configuration you can enable modsecurity. Please refer to their wiki for documentation.

Extras

If you're curious about the differences between this Dockerfile and the upstream one:

diff <(curl -fsL https://github.com/nginxinc/docker-nginx/raw/1.15.12/mainline/alpine-perl/Dockerfile) <(curl -fsL https://github.com/traceflight/nginx-with-waf/raw/1.15.12/Dockerfile)