uc-cdis · AidanHilt · Nov 8, 2024 · Nov 22, 2024 · Dec 20, 2024 · Jan 10, 2025
diff --git a/.github/workflows/image_build_push.yaml b/.github/workflows/image_build_push.yaml
@@ -1,13 +1,23 @@
 name: Build Image and Push
 
-on: push
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "The tag to apply to this build. Defaults to 'latest'."
+        default: "latest"
+        required: false
+  schedule:
+    - cron: '0 0 * * 0' # Weekly on Sunday at 00:00
+  push:
 
 jobs:
   ci:
     name: Build Image and Push
     uses: uc-cdis/.github/.github/workflows/image_build_push.yaml@master
     with:
       OVERRIDE_REPO_NAME: "nginx"
+      BUILD_PLATFORMS: "linux/amd64"
     secrets:
       ECR_AWS_ACCESS_KEY_ID: ${{ secrets.ECR_AWS_ACCESS_KEY_ID }}
       ECR_AWS_SECRET_ACCESS_KEY: ${{ secrets.ECR_AWS_SECRET_ACCESS_KEY }}

diff --git a/Dockerfile b/Dockerfile
@@ -1,78 +1,87 @@
-FROM quay.io/cdis/ubuntu:18.04
+ARG AZLINUX_BASE_VERSION=master
 
-#
-# point at nginx apt package repo, and install nginx,
-# pre-package modules, and build dependencies
-# https://nginx.org/en/linux_packages.html#Ubuntu
-#
-RUN apt-get update && \
-    apt -y install curl gnupg2 ca-certificates lsb-release git less libyajl-dev logrotate && \
-    echo "deb http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \
-    | tee /etc/apt/sources.list.d/nginx.list && \
-    echo "deb http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" \
-    | tee /etc/apt/sources.list.d/nginx.list && \
-    curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -&& \
-    apt-key fingerprint ABF5BD827BD9BF62 && \
-    apt update && \
-    apt install nginx=1.19.10-1~bionic nginx-module-njs=1.19.10+0.5.3-1~bionic nginx-module-perl=1.19.10-1~bionic -y && \
-    apt-get install -y dnsutils git wget build-essential libpcre3 libpcre3-dev libssl-dev libtool autoconf apache2-dev libxml2-dev libcurl4-openssl-dev automake pkgconf vim && \
-    apt clean && \
-    ln -sf /dev/stdout /var/log/nginx/access.log && \
-	  ln -sf /dev/stderr /var/log/nginx/error.log && \
-    ln -sf /dev/stdout /var/log/modsec_audit.log
+# For local development
+FROM quay.io/cdis/amazonlinux-base:${AZLINUX_BASE_VERSION}
 
-#
-# Put compiled module source under /usr/src
-#
-WORKDIR /usr/src
+LABEL name="revproxy-nginx-modsec"
 
-#
-# build libmodsecurity
-#    https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/
-#
-RUN git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity /usr/src/modsecurity && \
-	cd /usr/src/modsecurity && \
-  git submodule init && \
-  git submodule update && \
-	./build.sh && \
-	./configure && \
-	make && \
-  make install
+# Install all necessary packages in one layer
+RUN dnf update -y && \
+    dnf install -y \
+    nginx \
+    gcc \
+    gcc-c++ \
+    git \
+    make \
+    automake \
+    autoconf \
+    libtool \
+    libxml2-devel \
+    pcre-devel \
+    curl-devel \
+    yajl-devel \
+    doxygen \
+    zlib-devel \
+    lmdb-devel \
+    flex \
+    bison \
+    yum-utils \
+    wget \
+    tar \
+    --setopt=install_weak_deps=False \
+    --setopt=tsflags=nodocs && \
+    dnf clean all && \
+    rm -rf /var/cache/yum
 
-#
-# download nginx headers-more module:
-#    https://github.com/openresty/headers-more-nginx-module
-#
-# download the modsecurity nginx connector
-#   https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/#    https://drive.google.com/drive/u/1/folders/1ky_9gL_stSEHupRty6EjFBefRPW4qJGj
-#
-#
-RUN wget https://github.com/openresty/headers-more-nginx-module/archive/v0.34.tar.gz && \
-	tar xvzf v0.34.tar.gz && \
-  git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
+# Set working directory
+WORKDIR /opt
 
-#
-# download nginx source, and build the nginx modules
-#   https://www.nginx.com/blog/compiling-dynamic-modules-nginx-plus/
-#
-RUN nginver=$(nginx -v 2>&1 | awk -F / '{ print $2 }') && \
-    wget http://nginx.org/download/nginx-${nginver}.tar.gz && \
-    tar zxvf nginx-${nginver}.tar.gz && \
-    cd nginx-$nginver && \
-    ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx --add-dynamic-module=../headers-more-nginx-module-0.34 && \
+# Clone and install ModSecurity
+RUN git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity && \
+    cd ModSecurity && \
+    git submodule init && \
+    git submodule update && \
+    ./build.sh && \
+    ./configure && \
+    make && \
+    make install && \
+    cd ..
+
+# Get Nginx version and source
+RUN NGINX_VERSION=$(nginx -v 2>&1 | cut -d '/' -f 2) && \
+    wget http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz && \
+    tar zxvf nginx-${NGINX_VERSION}.tar.gz
+
+# Clone ModSecurity-nginx connector
+RUN git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
+
+# Compile Nginx with ModSecurity module
+RUN NGINX_VERSION=$(nginx -v 2>&1 | cut -d '/' -f 2) && \
+    cd nginx-${NGINX_VERSION} && \
+    ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx && \
     make modules && \
-    cp objs/*.so /etc/nginx/modules
+    mkdir -p /usr/lib64/nginx/modules/ && \
+    cp objs/ngx_http_modsecurity_module.so /usr/lib64/nginx/modules/
+
+# Set up ModSecurity configuration
+RUN mkdir -p /etc/nginx/modsec && \
+    cd /etc/nginx/modsec && \
+    git clone https://github.com/coreruleset/coreruleset.git && \
+    mv coreruleset/crs-setup.conf.example coreruleset/crs-setup.conf && \
+    mv coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example \
+       coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf && \
+    cp /opt/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf && \
+    sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf
+
+# Configure Nginx to use ModSecurity
+RUN echo 'load_module modules/ngx_http_modsecurity_module.so;' > /etc/nginx/modules.conf && \
+    echo 'modsecurity on;' > /etc/nginx/conf.d/modsecurity.conf && \
+    echo 'modsecurity_rules_file /etc/nginx/modsec/main.conf;' >> /etc/nginx/conf.d/modsecurity.conf && \
+    echo 'Include /etc/nginx/modsec/modsecurity.conf' > /etc/nginx/modsec/main.conf && \
+    echo 'Include /etc/nginx/modsec/coreruleset/crs-setup.conf' >> /etc/nginx/modsec/main.conf && \
+    echo 'Include /etc/nginx/modsec/coreruleset/rules/*.conf' >> /etc/nginx/modsec/main.conf
 
-#
-# Uncomment to include CIS Assessor tools:
-#    https://workbench.cisecurity.org/
-#
-# Note: build fails in quay with .zip COPY, but can
-#   build a local image for test/cis/ or to push.
-#
-#COPY Assessor-CLI-v4.0.17.zip /mnt/Assessor-CLI/
-#RUN apt update && apt install openjdk-11-jre rsync zip unzip -y && apt clean;
 
 EXPOSE 80
 STOPSIGNAL SIGTERM
-CMD nginx -g 'daemon off;'
+# CMD nginx -g 'daemon off;'