Based on the official nginx Dockerfile, with ModSecurity v3 added as a WAF.
docker pull traceflight/nginx-with-waf
docker run -d -v /path/to/conf/:/etc/nginx/conf.d/ \
-v /path/to/log/:/var/log/nginx/ \
-p 80:80 -p 443:443 \
traceflight/nginx-with-waf
Or use docker compose by creating a docker-compose.yml file:
version: '3'
services:
  nginx:
    image: traceflight/nginx-with-waf
    restart: always
    volumes:
      - /path/to/conf/:/etc/nginx/conf.d/
      - /path/to/log/:/var/log/nginx/
    ports:
      - "80:80"
      - "443:443"
Then run the following command:
docker-compose up -d
ModSecurity is enabled by default. The owasp-modsecurity-crs rule set it uses may block legitimate application traffic; if you need to turn ModSecurity off, add the following directive to the site's configuration:
modsecurity off;
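As an added example (not a file shipped with this image), the following nginx site configuration keeps the WAF on for the whole server but relaxes it only for the locations that produce false positives, rather than switching it off site-wide; the rules-file path /etc/nginx/modsec/main.conf and the upstream name app:8080 are assumptions and must be adjusted to your build.

```nginx
# Added example, not from the image's repository. Assumes the CRS-based rules
# file is at /etc/nginx/modsec/main.conf inside the container (assumption)
# and that the application is reachable as app:8080 (assumption).
server {
    listen 80;
    server_name example.com;

    # Enable the engine for the whole server; locations inherit this setting.
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

    location / {
        proxy_pass http://app:8080;
    }

    # Exempt only the endpoint that CRS falsely blocks (for example a
    # binary upload endpoint) instead of disabling the WAF globally.
    location /upload {
        modsecurity off;
        proxy_pass http://app:8080;
    }

    # Alternative to a full exemption: keep inspecting but only log, so the
    # audit log (destination set by SecAuditLog in the rules file) shows
    # what would have been blocked while the rules are tuned.
    location /api/ {
        modsecurity_rules '
            SecRuleEngine DetectionOnly
        ';
        proxy_pass http://app:8080;
    }
}
```

Mount this file under /path/to/conf/ so it lands in /etc/nginx/conf.d/ as shown in the run and compose examples above, and review the audit log in the mounted /var/log/nginx/ directory before deciding which locations actually need an exemption.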
You can see how this version differs from the official nginx Dockerfile with the following command:
diff <(curl -fsL https://github.com/nginxinc/docker-nginx/raw/1.15.12/mainline/alpine-perl/Dockerfile) <(curl -fsL https://github.com/traceflight/nginx-with-waf/raw/1.15.12/Dockerfile)
The Dockerfile of this container has been copied from the official nginx repo (alpine-perl variant) and modified to add the ModSecurity library (v3), the ModSecurity nginx connector, and the OWASP ModSecurity Core Rule Set (CRS).
You can refer to the official nginx image documentation for instructions on how to use this image.
When you provide your configuration you can enable ModSecurity. Please refer to the ModSecurity wiki for documentation.
If you're curious about the difference between this Dockerfile and the upstream one:
diff <(curl -fsL https://github.com/nginxinc/docker-nginx/raw/1.15.12/mainline/alpine-perl/Dockerfile) <(curl -fsL https://github.com/traceflight/nginx-with-waf/raw/1.15.12/Dockerfile)