
feat: enable running nginx containers with read-only root fs

Open theseion opened this issue 1 year ago • 9 comments

Refs #172

theseion avatar Feb 18 '24 17:02 theseion

@ne20002 @enibache This PR enables the use of a read-only root fs. It's certainly not perfect but I didn't want to rewrite the entire build setup and documentation. So for now you can run this image as follows with Docker:

docker run \
  --rm \
  --read-only \
  --tmpfs /etc/nginx:rw,mode=777 \
  --tmpfs /etc/modsecurity.d:rw,mode=777 \
  --tmpfs /opt/owasp-crs:rw,mode=777 \
  --tmpfs /tmp:rw,mode=777 \
  --tmpfs /var/cache/nginx:rw,mode=777 \
  owasp/modsecurity-crs:nginx

The container will copy files at startup to those tmpfs directories. In writable root fs mode, the container behaves the same as before; in read-only mode, the tmpfs mounts are required and the files will be copied there.

I'd appreciate some feedback.

You can build the image from this PR with (for example):

docker buildx bake --load --set "*.platform=linux/amd64" nginx

theseion avatar Feb 18 '24 18:02 theseion
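The same read-only setup expressed as a Kubernetes Pod spec, added here as an example that is not from the PR or the project's documentation: `readOnlyRootFilesystem: true` takes the place of `--read-only`, and one memory-backed `emptyDir` per path mirrors each `--tmpfs` flag in the command above. Only the image tag and the five paths come from the thread; the pod and volume names are made up.

```yaml
# Constructed example: Pod spec equivalent of the docker run command above.
apiVersion: v1
kind: Pod
metadata:
  name: modsecurity-crs-nginx   # assumed name
spec:
  containers:
    - name: nginx
      image: owasp/modsecurity-crs:nginx
      securityContext:
        readOnlyRootFilesystem: true   # equivalent of docker run --read-only
        allowPrivilegeEscalation: false
      # Every path the entrypoint copies into at startup must be writable,
      # so each one gets its own tmpfs-like volume.
      volumeMounts:
        - name: nginx-conf
          mountPath: /etc/nginx
        - name: modsec-conf
          mountPath: /etc/modsecurity.d
        - name: crs
          mountPath: /opt/owasp-crs
        - name: tmp
          mountPath: /tmp
        - name: nginx-cache
          mountPath: /var/cache/nginx
  volumes:
    # medium: Memory makes the emptyDir a RAM-backed tmpfs, matching --tmpfs.
    - name: nginx-conf
      emptyDir:
        medium: Memory
    - name: modsec-conf
      emptyDir:
        medium: Memory
    - name: crs
      emptyDir:
        medium: Memory
    - name: tmp
      emptyDir:
        medium: Memory
    - name: nginx-cache
      emptyDir:
        medium: Memory
```

Kubernetes has no `mode=` option for `emptyDir`, so if the container runs as a non-root user, verify it can write to these mounts; the docker command uses `mode=777` for exactly that reason.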

Yes. I just wanted to get feedback first.

theseion avatar Feb 19 '24 17:02 theseion

Sorry. I'm still fiddling with 3.3.5 and can't get my exclusion for local IPs to work. Also, it seems as if there is no version 4 docker image available at hub.docker.com. I'd need to get it working first before I try to use it with a readonly setup.

ne20002 avatar Feb 26 '24 09:02 ne20002

Thanks for the hint @ne20002. We thought we had published the images but really didn't. I've created the PR to fix that.

theseion avatar Feb 26 '24 21:02 theseion

@ne20002 The 4.0 images are now available.

theseion avatar Feb 27 '24 06:02 theseion

Can we close this now?

fzipi avatar Apr 15 '24 10:04 fzipi

Would be awesome, as I'm currently trying to enable ModSecurity correctly in k8s (before, it was sadly copied from a default nginx, e.g. nginx -g 'daemon off;', which did not enable any rules and was just a plain nginx).

Else I would need to implement the workaroundish things myself.

Serverfrog avatar Apr 15 '24 15:04 Serverfrog

Well, I don't want to merge this without proper testing. Unless we create a root-only image variant, so that the other images continue to work. Maybe that would be the better approach anyway?

theseion avatar Apr 15 '24 17:04 theseion

Hi @theseion, I'm currently a bit busy. I got my Friendica setup working so far (still a few things to optimize) and will continue to update my Nextcloud setup (which seems to have a number of changes with the new plugin mechanism).

ne20002 avatar Apr 24 '24 08:04 ne20002