
owasp/modsecurity-crs:{nginx/apache} as a standalone webserver

Open Captainzalad opened this issue 2 years ago • 5 comments

Hello, I am having a hard time running a quick apache/nginx webserver + WAF for demonstration purposes. I would prefer to use the owasp/modsecurity image as a standalone server rather than a reverse proxy. I followed the documentation for both modsecurity with and without CRS, but with no success. Here are my issues:

docker run -p 8080:80 owasp/modsecurity-crs:nginx-alpine

After running the above command, under localhost:8080 nginx always serves 50x.html rather than index.html

curl -v localhost:8080
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 502 Bad Gateway
< Server: nginx/1.20.2
< Date: Wed, 23 Feb 2022 21:13:19 GMT
< Content-Type: text/html
< Content-Length: 494
< Connection: keep-alive
< ETag: "6193c877-1ee"

I've tried to map the public_html directory to modify/add my own indexes

docker run -p 8080:80 -v myPATH:/usr/share/nginx/html/ owasp/modsecurity-crs:nginx-alpine

the container provides only these two files:

ls -lah myPath
-rw-r--r--  1 root root 1.0M Feb 23 22:24 modsec-shared-collections
-rw-r--r--  1 root root 8.0K Feb 23 22:24 modsec-shared-collections-lock

the GET result of localhost:8080

*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Server: nginx/1.20.2
< Date: Wed, 23 Feb 2022 21:25:31 GMT
< Content-Type: text/html
< Content-Length: 153
< Connection: keep-alive

I've also tried different supported variants, and changed environment variables, but with no success. The Apache variant serves nothing and ended up in an endless loop!

From what I understand, the images are meant to be an easy implementation. Am I missing something? Or should the images be used only as a reverse proxy?

Appreciate any help. Regards.

Captainzalad avatar Feb 23 '22 21:02 Captainzalad

Hi @Captainzalad, sorry for the delay. As a matter of fact, this was a feature in the past.

If you look at https://github.com/coreruleset/modsecurity-crs-docker#notes-regarding-reverse-proxy, it should be supported. But looking at the implementation, it is clearly not supported anymore 🤔 .

Now reverse proxy is the default mode. What I can do is create a new EMBEDDED mode, that should work as you expect. Give me a couple days to work it out.

fzipi avatar Feb 27 '22 13:02 fzipi

Some of the fixes I'm working on will collide with my solution for this, so I'm pushing this a bit further in time.

fzipi avatar Mar 10 '22 20:03 fzipi

I'm pretty sure it is possible to use the owasp/modsecurity-crs in standalone mode. This is what I did:

I have two pods (using podman instead of docker, but I'm sure that does not matter here): one with Nextcloud, the other with Friendica. Both used an nginx as web server in front of the php-fpm image.

  • I replaced the nginx container with the owasp/modsecurity-crs. It worked out of the box, as
  • the nginx.conf is unchanged and mapped in the container in /etc/nginx/nginx.conf
  • The owasp/modsecurity-crs container, however, required the nginx.conf to be writable, so I can't mount it in ro mode. But it did not make any changes to the file.
  • I added the necessary lines to include modsecurity into the nginx.conf
  • I did not pass any of the env variables documented in hub.docker.com for the owasp/modsecurity-crs container.

That's it.

ne20002 avatar Apr 02 '22 10:04 ne20002
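
A sketch of the kind of nginx.conf the comment above describes, for the static-file case from the original question. It is an added example, not ne20002's file and not the project's own configuration. The module location and the rules file path are assumptions: the rules path is a placeholder to replace with the entry point shipped in your image tag. The directives `modsecurity` and `modsecurity_rules_file` are those of the ModSecurity-nginx connector.

```nginx
# Added example: nginx.conf for standalone (non-proxy) use, mounted at
# /etc/nginx/nginx.conf. Per the comment above, mount it writable (no :ro).

# ModSecurity-nginx connector as a dynamic module.
# ASSUMPTION: the image ships the module under nginx's modules/ directory.
load_module modules/ngx_http_modsecurity_module.so;

events {
    worker_connections 1024;
}

http {
    include      /etc/nginx/mime.types;
    default_type application/octet-stream;

    # The "necessary lines": enable the WAF for every server block below
    # and point it at the rule set.
    modsecurity on;
    # PLACEHOLDER path: replace with the rules entry file (the one that
    # includes modsecurity.conf and the CRS rules) present in your image.
    modsecurity_rules_file /PLACEHOLDER/modsecurity/rules-entry.conf;

    server {
        listen      80;
        server_name localhost;

        # Serve content directly from the mounted directory. There is no
        # proxy_pass, so no backend is needed and no 502 can come from a
        # missing upstream.
        root  /usr/share/nginx/html;
        index index.html;

        location / {
            try_files $uri $uri/ =404;
        }
    }
}
```

With this file in place, the mounted /usr/share/nginx/html directory needs its own index.html; an empty directory still produces the 404 shown in the question.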

Thanks for the comment.

fzipi avatar Apr 05 '22 21:04 fzipi

I'd be keen on a standalone version too.

Ben-Atherton avatar Apr 19 '22 15:04 Ben-Atherton