Clean up, update CRS

.dockerignore

@@ -0,0 +1,7 @@
+.git
+.github
+CODEOWNERS
+Dockerfile
+README.md
+compose.yaml
+renovate.json

Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/coreruleset/modsecurity-crs:4.7.0-apache-alpine-202410090410
+FROM ghcr.io/coreruleset/modsecurity-crs:4.10.0-apache-alpine-202501050801
 
 ENV ACCESSLOG=/dev/stdout \
     ERRORLOG='"|/usr/bin/stdbuf -i0 -oL /opt/transform-alert-message.awk"' \
@@ -30,11 +30,13 @@ USER root
 RUN set -x && \
     # Install additional required tools \
     apk add --no-cache clamav-clamdscan coreutils gawk && \
-    # Disable all TLS related stuff (we'll have a reverse-proxy in front of us \
-    # doing TLS termination) Also see the amended ./conf/httpd-vhosts.conf \
-    # file. \
-    sed -i '/generate-certificate/d' /docker-entrypoint.sh && \
+    # Restore AWK symlink - the entrypoint script assumes busybox awk, while \
+    # our transform-alert-message script assumes GNU awk. \
+    ln -sfv /bin/busybox /usr/bin/awk && \
+    # We terminate TLS on the proxy; so remove all SSL config from the vhosts \
+    sed -i '/<VirtualHost \*:${SSL_PORT}>/,/<\/VirtualHost>/d' /usr/local/apache2/conf/extra/httpd-vhosts.conf && \
     sed -i '/Include .*httpd-ssl.conf/d' /usr/local/apache2/conf/httpd.conf && \
+    sed -i '/^\/usr\/local\/bin\/generate-certificate/d' /docker-entrypoint.sh && \
     # Disable CRS plugin system \
     sed -i '/activate-plugins/d' /docker-entrypoint.sh && \
     # Disable customized logging configuration - we'll configure this in \
@@ -44,23 +46,17 @@ RUN set -x && \
 # Fix Permissions
 # On OpenShift, the container will be started with a random UID and GID 0, so
 # we have to make some directories group-writeable.
-RUN chown -R 0:0 \
-        /usr/local/apache2/logs \
-        /opt/owasp-crs \
-        && \
-    chmod g+w \
-        /usr/local/apache2/logs \
-        /opt/owasp-crs
+RUN chown -R 0:0 /opt/owasp-crs && \
+    chmod -R g+w /opt/owasp-crs
 
 # Customized configuration files
-COPY transform-alert-message.awk virus-check.pl /opt/
-COPY clamd.conf /etc/clamav/clamd.conf
-COPY conf/* /usr/local/apache2/conf/extra/
+COPY opt/* /opt/
+COPY clamd-config/* /etc/clamav/
+COPY apache-config/* /usr/local/apache2/conf/extra/
 COPY modsecurity.d/setup.conf /etc/modsecurity.d/setup.conf
 
 # Custom ModSecurity rules
 COPY ./custom-rules/before-crs.dist /opt/modsecurity/rules/before-crs.dist
 COPY ./custom-rules/after-crs.dist /opt/modsecurity/rules/after-crs.dist
 
-
 USER 956947:0

README.md

@@ -17,7 +17,7 @@ See [ghcr.io/vshn/modsecurity-docker](https://github.com/vshn/modsecurity-docker
 
 ## Development
 
-A very basic Docker Compose setup including this container with `httpbin` as the backend. To start it, run:
+A very basic Docker Compose setup including this container with `httpbun` as the backend. To start it, run:
 
 ```sh
 docker compose up

compose.yml

@@ -6,8 +6,23 @@ services:
     ports:
       - "127.0.0.1:8080:8080"
     environment:
-      BACKEND: "http://backend:9000"
+      BACKEND: "http://backend:8080"
+
+    # Simulate OpenShift by using a random UID and GID, as well as GID 0
+    user: "1001140000:1001140000"
+    group_add:
+      - root
+
+    # Simulate an emptyDir volume. Required for apache to write its PID file
+    tmpfs:
+      - "/usr/local/apache2/logs:mode=770"
+
+    develop:
+      watch:
+        - action: rebuild
+          path: .
 
   backend:
-    image: "docker.io/kennethreitz/httpbin"
-    command: ["gunicorn", "-b", "0.0.0.0:9000", "httpbin:app", "-k", "gevent"]
+    image: "docker.io/sharat87/httpbun:latest"
+    environment:
+      HTTPBUN_BIND: "0.0.0.0:8080"