modsecurity-crs-docker

Running with non-root access with the nginx user

Open archletekke opened this issue 2 years ago • 6 comments

If anyone else is wondering how to use this image in a non-root context, here is what worked for me in the Dockerfile:

...

# chown all modsecurity and nginx config files to the nginx user
RUN chown -R nginx:nginx /etc/nginx/
RUN chown -R nginx:nginx /opt/modsecurity/
RUN chown -R nginx:nginx /etc/modsecurity.d/
RUN chown -R nginx:nginx /opt/owasp-crs/
RUN chown -R nginx:nginx /usr/local/


USER nginx
...

archletekke, Jan 10 '22 18:01

Maybe it is possible to set up the base images so that all of the required directories are owned by nginx already?

archletekke, Jan 10 '22 18:01

Hi @archletekke! Let me take a look at this one.

fzipi, Jan 17 '22 13:01

I don't think you need to change the whole /usr/local directory to nginx... 🤔

fzipi, Jan 18 '22 13:01

@archletekke Can you try following the documentation from upstream, the part that says "Running nginx as a non-root user", and let us know?

fzipi, Jan 19 '22 18:01
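
The upstream section referred to above amounts to moving nginx's pid file and temp paths to a location the unprivileged user can write, and listening on a port above 1024. The following is an added example, not part of the thread or the project's own configuration; port 8080 and the trivial `location` block are assumptions, and it does not cover the ModSecurity-specific paths listed in the Dockerfile above.

```nginx
# Added example: nginx.conf for a container started as a non-root user.
# No "user" directive: an unprivileged master process cannot switch users,
# and nginx only logs a warning if the directive is present.
worker_processes auto;

# The default pid location is normally only writable by root.
pid /tmp/nginx.pid;

events {
    worker_connections 1024;
}

http {
    # The default temp directories may not be writable by the user the
    # container runs as, so point them at /tmp instead.
    client_body_temp_path /tmp/client_temp;
    proxy_temp_path       /tmp/proxy_temp_path;
    fastcgi_temp_path     /tmp/fastcgi_temp;
    uwsgi_temp_path       /tmp/uwsgi_temp;
    scgi_temp_path        /tmp/scgi_temp;

    server {
        # Assumption: 8080 chosen as an unprivileged port; binding below 1024
        # normally requires root or CAP_NET_BIND_SERVICE.
        listen 8080;

        location / {
            return 200 "ok\n";
        }
    }
}
```

With the writable state moved to /tmp, the configuration and rule files can stay root-owned and read-only to the nginx user, so a compromised worker cannot rewrite them.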

I guess that could work as well. My proposal was that the security-focused docker image could be non-root by default. Meaning that the crs docker image has the non-root config defined in its own dockerfile.

archletekke, Jan 24 '22 09:01

There might be another option: we could use https://hub.docker.com/r/nginxinc/nginx-unprivileged from upstream instead. Will check if this works out of the box for us.

fzipi, Aug 28 '22 22:08