modsecurity-crs-docker
Running with non-root access with the nginx user
If anyone else is wondering how to use this image in a non-root context, this is what worked for me in the Dockerfile:
```dockerfile
...
# chown all modsecurity and nginx config files to the nginx user
RUN chown -R nginx:nginx /etc/nginx/
RUN chown -R nginx:nginx /opt/modsecurity/
RUN chown -R nginx:nginx /etc/modsecurity.d/
RUN chown -R nginx:nginx /opt/owasp-crs/
RUN chown -R nginx:nginx /usr/local/
USER nginx
...
```
Maybe it is possible to set up the base images so that all of the required directories are owned by nginx already?
Hi @archletekke ! Let me take a look at this one.
I don't think you need to change the whole /usr/local directory to nginx... 🤔
@archletekke Can you try following the documentation from upstream, the part that says "Running nginx as a non-root user", and let us know?
I guess that could work as well. My proposal was that the security-focused docker image could be non-root by default. Meaning that the crs docker image has the non-root config defined in its own dockerfile.
There might be another option: we could use https://hub.docker.com/r/nginxinc/nginx-unprivileged from upstream instead. Will check if this works out of the box for us.
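An added example, not part of the thread or the project's own code: a Python audit that lists which paths under the directories chowned in the first post a given non-root uid can modify, which helps narrow a blanket `chown -R` to the paths that actually need it. It judges by owner/group/other mode bits only (ACLs and capabilities are ignored), and the function names are hypothetical.

```python
import os
import stat
import sys

# Directories taken from the Dockerfile snippet in the first post.
THREAD_DIRS = ["/etc/nginx/", "/opt/modsecurity/", "/etc/modsecurity.d/",
               "/opt/owasp-crs/", "/usr/local/"]


def can_write(st, uid, gids):
    """Classic Unix check for a non-root uid: owner bits, else group bits, else other bits."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def writable_paths(roots, uid, gids):
    """Return the sorted directories and files under roots that uid/gids may modify."""
    hits = []
    for root in roots:
        # os.walk yields nothing for a root that does not exist in this image.
        for dirpath, _dirs, files in os.walk(root):
            for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
                st = os.lstat(path)
                if stat.S_ISLNK(st.st_mode):
                    continue  # symlink mode bits are not meaningful
                if can_write(st, uid, gids):
                    hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python audit.py <uid> <gid>   (numeric ids of the runtime user)
    uid, gid = int(sys.argv[1]), int(sys.argv[2])
    for p in writable_paths(THREAD_DIRS, uid, {gid}):
        print(p)
```

Every path it prints is one a compromised worker process running as that uid could rewrite, including WAF rule files if they were chowned along with everything else.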