diff --git a/.github/workflows/verifyimage.yml b/.github/workflows/verifyimage.yml
index c7b6bea7..2abe4c04 100644
--- a/.github/workflows/verifyimage.yml
+++ b/.github/workflows/verifyimage.yml
@@ -3,9 +3,7 @@ name: Verify Images
 on:
 pull_request:
 branches:
- - master
- - develop
-
+ - main
 env:
 REPO: "owasp/modsecurity-crs"
 # sha256sum format:
diff --git a/README.md b/README.md
index faf9e3f3..e20f3503 100644
--- a/README.md
+++ b/README.md
@@ -44,12 +44,12 @@ Examples:
 ## OS Variants
-* nginx – *latest stable ModSecurity v3 on Nginx 1.26.0 official stable base image, and latest stable OWASP CRS 4.2.0*
+* nginx – *latest stable ModSecurity v3 on Nginx 1.27.0 official stable base image, and latest stable OWASP CRS 4.3.0*
 * [nginx](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)
 * [nginx-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine)
-* Openresty - *last stable ModSecurity v3 on OpenResty 1.25.3.1 official stable base image, and latest stable OWASP CRS 4.2.0*
+* Openresty - *last stable ModSecurity v3 on OpenResty 1.25.3.1 official stable base image, and latest stable OWASP CRS 4.3.0*
 * [openresty-alpine-fat](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/openresty/Dockerfile-alpine)
-* Apache httpd – *last stable ModSecurity v2 on Apache 2.4.59 official stable base image, and latest stable OWASP CRS 4.2.0*
+* Apache httpd – *last stable ModSecurity v2 on Apache 2.4.59 official stable base image, and latest stable OWASP CRS 4.3.0*
 * [apache](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)
 * [apache-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine)
@@ -297,7 +297,8 @@ All these variables impact in configuration directives in the modsecurity engine
 | MAX_NUM_ARGS | An integer indicating the max_num_args (Default: `unlimited`) |
 | PARANOIA | An integer indicating the paranoia level (Default: `1`) |
 | RESTRICTED_EXTENSIONS | A string indicating the restricted_extensions (Default: `.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/`) |
-| RESTRICTED_HEADERS | A string indicating the restricted_headers (Default: `/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/`) |
+| RESTRICTED_HEADERS_BASIC | A string indicating the restricted_headers_basic (Default: `/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/`) |
+| RESTRICTED_HEADERS_EXTENDED | A string indicating the restricted_headers_extended (Default: `/accept-charset/`) |
 | STATIC_EXTENSIONS | A string indicating the static_extensions (Default: `/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/`) |
 | TOTAL_ARG_LENGTH | An integer indicating the total_arg_length (Default: `unlimited`) |
 | VALIDATE_UTF8_ENCODING | A boolean indicating the crs_validate_utf8_encoding (Default: `0`) |
diff --git a/apache/Dockerfile b/apache/Dockerfile
index 91a6f4a0..d37ed8ac 100644
--- a/apache/Dockerfile
+++ b/apache/Dockerfile
@@ -186,7 +186,6 @@ RUN set -eux; \
 mkdir -p /tmp/modsecurity/data; \
 mkdir -p /tmp/modsecurity/upload; \
 mkdir -p /tmp/modsecurity/tmp; \
- chown -R $(awk '/^User/ { print $2;}' /usr/local/apache2/conf/httpd.conf) /tmp/modsecurity; \
 mkdir -p /var/log/apache2/; \
 ln -s /opt/owasp-crs /etc/modsecurity.d/; \
 sed -i -E 's|(Listen) [0-9]+|\1 ${PORT}|' /usr/local/apache2/conf/httpd.conf; \
@@ -216,6 +215,7 @@ RUN set -eux; \
 /var/log/ \
 /usr/local/apache2/ \
 /etc/modsecurity.d \
+ /tmp/modsecurity \
 /opt/owasp-crs
 USER httpd
diff --git a/apache/Dockerfile-alpine b/apache/Dockerfile-alpine
index d56e0793..f5201279 100644
--- a/apache/Dockerfile-alpine
+++ b/apache/Dockerfile-alpine
@@ -215,11 +215,11 @@ RUN set -eux; \
 mkdir -p /tmp/modsecurity/data; \
 mkdir -p /tmp/modsecurity/upload; \
 mkdir -p /tmp/modsecurity/tmp; \
- chown -R $(awk '/^User/ { print $2;}' /usr/local/apache2/conf/httpd.conf) /tmp/modsecurity /var/log/apache2; \
 chown -R httpd:httpd \
 /var/log/ \
 /usr/local/apache2/ \
 /etc/modsecurity.d \
+ /tmp/modsecurity \
 /opt/owasp-crs
 USER httpd
diff --git a/docker-bake.hcl b/docker-bake.hcl
index 7bd0a9ac..f937e67a 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -11,12 +11,12 @@ variable "modsec2-version" {
 variable "crs-version" {
 # renovate: depName=coreruleset/coreruleset datasource=github-releases
- default = "4.2.0"
+ default = "4.3.0"
 }
 variable "nginx-version" {
 # renovate: depName=nginxinc/nginx-unprivileged datasource=docker
- default = "1.26.0"
+ default = "1.27.0"
 }
 variable "httpd-version" {
diff --git a/docker-compose.yaml b/docker-compose.yaml
index e1bd73ee..26951aa8 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
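Review bot: The new `chown -R httpd:httpd` line hardcodes the owner of /tmp/modsecurity, whereas the removed line derived it from the `User` directive in httpd.conf; this agrees with the `USER httpd` instruction two lines later, but the two can drift if httpd.conf is ever patched with a different user, so a comment such as `# owner must match the User directive in httpd.conf and the USER instruction below` on the chown would record the dependency. The same applies to the apache/Dockerfile-alpine hunk, where the removed line additionally covered /var/log/apache2, which `/var/log/` in the new list still includes. The data, upload and tmp subdirectories are created by `mkdir -p` with the build's default umask and the hunk sets no mode; if they hold intercepted request bodies or persistent collection data, a tighter mode (for example `chmod -R o-rwx /tmp/modsecurity` next to the chown) would keep them private to the httpd user. The RUN instruction continues outside the hunk.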
@@ -50,7 +50,8 @@ x-defaults: &default-settings
 # ALLOWED_REQUEST_CONTENT_TYPE_CHARSET: 'utf-8|iso-8859-1|iso-8859-15|windows-1252'
 # ALLOWED_HTTP_VERSIONS: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
 # RESTRICTED_EXTENSIONS: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
- # RESTRICTED_HEADERS: /accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/
+ # RESTRICTED_HEADERS_BASIC: /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/
+ # RESTRICTED_HEADERS_EXTENDED: /accept-charset/
 # STATIC_EXTENSIONS: /.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/
 #######################################################
diff --git a/src/opt/modsecurity/activate-rules.sh b/src/opt/modsecurity/activate-rules.sh
index 3dc797ba..a88e1509 100755
--- a/src/opt/modsecurity/activate-rules.sh
+++ b/src/opt/modsecurity/activate-rules.sh
@@ -59,9 +59,14 @@ if [ -n "${RESTRICTED_EXTENSIONS}" ]; then
 sed -z -E -i 's|#SecAction[^"]+"id:900240.*\x27tx\.restricted_extensions=[[:lower:][:space:]./]*\/\x27\"|SecAction \\\n \"id:900240, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:\x27tx.restricted_extensions='"${RESTRICTED_EXTENSIONS}"'\x27\"|' "${setup_conf_path}"
 fi
-# Forbidden request headers.
-if [ -n "${RESTRICTED_HEADERS}" ]; then
- sed -z -E -i 's|#SecAction[^"]+"id:900250.*\x27tx\.restricted_headers=[[:lower:][:space:]/-]*\x27\"|SecAction \\\n \"id:900250, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:\x27tx.restricted_headers='"${RESTRICTED_HEADERS}"'\x27\"|' "${setup_conf_path}"
+# Forbidden request headers basic.
+if [ -n "${RESTRICTED_HEADERS_BASIC}" ]; then
+ sed -z -E -i 's|#SecAction[^"]+"id:900250.*\x27tx\.restricted_headers_basic=[[:lower:][:space:]/-]*\x27\"|SecAction \\\n \"id:900250, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:\x27tx.restricted_headers_basic='"${RESTRICTED_HEADERS_BASIC}"'\x27\"|' "${setup_conf_path}"
+fi
+
+# Forbidden request headers extended.
+if [ -n "${RESTRICTED_HEADERS_EXTENDED}" ]; then
+ sed -z -E -i 's|#SecAction[^"]+"id:900255.*\x27tx\.restricted_headers_extended=[[:lower:][:space:]/-]*\x27\"|SecAction \\\n \"id:900255, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:\x27tx.restricted_headers_extended='"${RESTRICTED_HEADERS_EXTENDED}"'\x27\"|' "${setup_conf_path}"
 fi
 # File extensions considered static files.
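Review bot: A deployment that still sets the old `RESTRICTED_HEADERS` variable now silently runs with the CRS default, because the new blocks only test `RESTRICTED_HEADERS_BASIC` and `RESTRICTED_HEADERS_EXTENDED` and nothing in the hunk reports the removed name. A compatibility guard before the basic block would make the policy change visible to operators, e.g. `if [ -n "${RESTRICTED_HEADERS}" ]; then echo "RESTRICTED_HEADERS is no longer supported; set RESTRICTED_HEADERS_BASIC and/or RESTRICTED_HEADERS_EXTENDED" >&2; fi`. Both new sed calls also splice the variable value into the replacement unescaped, as the removed line did, so a value containing `|`, `&` or a backslash alters or breaks the substitution instead of being written literally; that is pre-existing, but a comment on the sed lines noting the restriction would help whoever tunes these lists. The hunk opens inside the RESTRICTED_EXTENSIONS block, whose `if` line is outside it.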