Closed fzipi closed 1 year ago
Manual tests:
❯ docker run -it owasp/modsecurity-crs:3.3.4-apache-202302270302
/usr/local/bin/generate-certificate: generating new certificate
/usr/local/bin/generate-certificate: generated /usr/local/apache2/conf/server.key and /usr/local/apache2/conf/server.crt
[Mon Feb 27 15:59:57.407678 2023] [ssl:error] [pid 1:tid 140629504445760] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: OU=MyUnit,O=MyOrg,L=NY,ST=NY,C=US,emailAddress=none@none.com,CN=localhost / issuer: OU=MyUnit,O=MyOrg,L=NY,ST=NY,C=US,emailAddress=none@none.com,CN=localhost / serial: 50992AECA374A461B89C748CC10C0AE0DE276530 / notbefore: Feb 27 15:59:57 2023 GMT / notafter: Feb 27 15:59:57 2024 GMT]
[Mon Feb 27 15:59:57.407812 2023] [ssl:error] [pid 1:tid 140629504445760] AH02604: Unable to configure certificate localhost:443:0 for stapling
[Mon Feb 27 15:59:57.418932 2023] [security2:notice] [pid 1:tid 140629504445760] ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/) configured.
[Mon Feb 27 15:59:57.418975 2023] [security2:notice] [pid 1:tid 140629504445760] ModSecurity: APR compiled version="1.7.0"; loaded version="1.7.0"
[Mon Feb 27 15:59:57.418981 2023] [security2:notice] [pid 1:tid 140629504445760] ModSecurity: PCRE compiled version="8.39 "; loaded version="8.39 2016-06-14"
[Mon Feb 27 15:59:57.418983 2023] [security2:notice] [pid 1:tid 140629504445760] ModSecurity: LUA compiled version="Lua 5.2"
[Mon Feb 27 15:59:57.418985 2023] [security2:notice] [pid 1:tid 140629504445760] ModSecurity: YAJL compiled version="2.1.0"
[Mon Feb 27 15:59:57.418987 2023] [security2:notice] [pid 1:tid 140629504445760] ModSecurity: LIBXML compiled version="2.9.10"
[Mon Feb 27 15:59:57.418990 2023] [security2:notice] [pid 1:tid 140629504445760] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
[Mon Feb 27 15:59:57.471282 2023] [ssl:error] [pid 1:tid 140629504445760] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: OU=MyUnit,O=MyOrg,L=NY,ST=NY,C=US,emailAddress=none@none.com,CN=localhost / issuer: OU=MyUnit,O=MyOrg,L=NY,ST=NY,C=US,emailAddress=none@none.com,CN=localhost / serial: 50992AECA374A461B89C748CC10C0AE0DE276530 / notbefore: Feb 27 15:59:57 2023 GMT / notafter: Feb 27 15:59:57 2024 GMT]
[Mon Feb 27 15:59:57.471332 2023] [ssl:error] [pid 1:tid 140629504445760] AH02604: Unable to configure certificate localhost:443:0 for stapling
[Mon Feb 27 15:59:57.490456 2023] [mpm_event:notice] [pid 1:tid 140629504445760] AH00489: Apache/2.4.55 (Unix) OpenSSL/1.1.1n configured -- resuming normal operations
[Mon Feb 27 15:59:57.490499 2023] [core:notice] [pid 1:tid 140629504445760] AH00094: Command line: 'httpd -D FOREGROUND'
❯ ./src/bin/generate-certificate /tmp/kkcert
./src/bin/generate-certificate: generating new certificate
./src/bin/generate-certificate: generated /tmp/kkcert/conf/server.key and /tmp/kkcert/conf/server.crt
❯ docker run -p 8443:443 -v /tmp/kkcert/conf/server.key:/usr/local/apache2/conf/server.key -v /tmp/kkcert/conf/server.crt:/usr/local/apache2/conf/server.crt -it owasp/modsecurity-crs:3.3.4-apache-202302270302
/usr/local/bin/generate-certificate: using existing key/certicate
[Mon Feb 27 16:05:02.827733 2023] [ssl:error] [pid 1:tid 140560098942272] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: OU=MyUnit,O=MyOrg,L=NY,ST=NY,C=US,emailAddress=none@none.com,CN=localhost / issuer: OU=MyUnit,O=MyOrg,L=NY,ST=NY,C=US,emailAddress=none@none.com,CN=localhost / serial: D5FE440EDF7BD56F / notbefore: Feb 27 16:04:11 2023 GMT / notafter: Feb 27 16:04:11 2024 GMT]
[Mon Feb 27 16:05:02.827893 2023] [ssl:error] [pid 1:tid 140560098942272] AH02604: Unable to configure certificate localhost:443:0 for stapling
[Mon Feb 27 16:05:02.840057 2023] [security2:notice] [pid 1:tid 140560098942272] ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/) configured.
[Mon Feb 27 16:05:02.840099 2023] [security2:notice] [pid 1:tid 140560098942272] ModSecurity: APR compiled version="1.7.0"; loaded version="1.7.0"
[Mon Feb 27 16:05:02.840105 2023] [security2:notice] [pid 1:tid 140560098942272] ModSecurity: PCRE compiled version="8.39 "; loaded version="8.39 2016-06-14"
[Mon Feb 27 16:05:02.840107 2023] [security2:notice] [pid 1:tid 140560098942272] ModSecurity: LUA compiled version="Lua 5.2"
[Mon Feb 27 16:05:02.840109 2023] [security2:notice] [pid 1:tid 140560098942272] ModSecurity: YAJL compiled version="2.1.0"
[Mon Feb 27 16:05:02.840111 2023] [security2:notice] [pid 1:tid 140560098942272] ModSecurity: LIBXML compiled version="2.9.10"
[Mon Feb 27 16:05:02.840114 2023] [security2:notice] [pid 1:tid 140560098942272] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
[Mon Feb 27 16:05:02.897864 2023] [ssl:error] [pid 1:tid 140560098942272] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: OU=MyUnit,O=MyOrg,L=NY,ST=NY,C=US,emailAddress=none@none.com,CN=localhost / issuer: OU=MyUnit,O=MyOrg,L=NY,ST=NY,C=US,emailAddress=none@none.com,CN=localhost / serial: D5FE440EDF7BD56F / notbefore: Feb 27 16:04:11 2023 GMT / notafter: Feb 27 16:04:11 2024 GMT]
[Mon Feb 27 16:05:02.897914 2023] [ssl:error] [pid 1:tid 140560098942272] AH02604: Unable to configure certificate localhost:443:0 for stapling
[Mon Feb 27 16:05:02.911427 2023] [mpm_event:notice] [pid 1:tid 140560098942272] AH00489: Apache/2.4.55 (Unix) OpenSSL/1.1.1n configured -- resuming normal operations
[Mon Feb 27 16:05:02.911510 2023] [core:notice] [pid 1:tid 140560098942272] AH00094: Command line: 'httpd -D FOREGROUND'
❯ docker run -p 8443:443 -it owasp/modsecurity-crs:3.3.4-nginx-202302270402
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-generate-certificate.sh
/usr/local/bin/generate-certificate: generating new certificate
/usr/local/bin/generate-certificate: generated /etc/nginx/conf/server.key and /etc/nginx/conf/server.crt
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/modsecurity.d/modsecurity-override.conf.template to /etc/nginx/modsecurity.d/modsecurity-override.conf
20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/modsecurity.d/setup.conf.template to /etc/nginx/modsecurity.d/setup.conf
20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/conf.d/modsecurity.conf.template to /etc/nginx/conf.d/modsecurity.conf
20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/conf.d/default.conf.template to /etc/nginx/conf.d/default.conf
20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/conf.d/logging.conf.template to /etc/nginx/conf.d/logging.conf
20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/nginx.conf.template to /etc/nginx/nginx.conf
20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/includes/cors.conf.template to /etc/nginx/includes/cors.conf
20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/includes/proxy_backend.conf.template to /etc/nginx/includes/proxy_backend.conf
20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/includes/location_common.conf.template to /etc/nginx/includes/location_common.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/90-copy-modsecurity-config.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/91-update-resolver.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/92-update-real_ip.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/94-activate-plugins.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/95-activate-rules.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2023/02/27 16:29:36 [notice] 1#1: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/920/0)
❯ docker run -p 8443:443 -v /tmp/kkcert/conf/server.key:/etc/nginx/conf/server.key -v /tmp/kkcert/conf/server.crt:/etc/nginx/conf/server.crt -it owasp/modsecurity-crs:3.3.4-nginx-202302270402
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-generate-certificate.sh
/usr/local/bin/generate-certificate: using existing key/certicate
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/modsecurity.d/modsecurity-override.conf.template to /etc/nginx/modsecurity.d/modsecurity-override.conf
20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/modsecurity.d/setup.conf.template to /etc/nginx/modsecurity.d/setup.conf
20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/conf.d/modsecurity.conf.template to /etc/nginx/conf.d/modsecurity.conf
20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/conf.d/default.conf.template to /etc/nginx/conf.d/default.conf
20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/conf.d/logging.conf.template to /etc/nginx/conf.d/logging.conf
20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/nginx.conf.template to /etc/nginx/nginx.conf
20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/includes/cors.conf.template to /etc/nginx/includes/cors.conf
20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/includes/proxy_backend.conf.template to /etc/nginx/includes/proxy_backend.conf
20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/includes/location_common.conf.template to /etc/nginx/includes/location_common.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/90-copy-modsecurity-config.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/91-update-resolver.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/92-update-real_ip.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/94-activate-plugins.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/95-activate-rules.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2023/02/27 17:36:26 [notice] 1#1: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/920/0)
❯ sslscan localhost:8443
Version: 2.0.15-static
OpenSSL 1.1.1s 1 Nov 2022
Connected to ::1
Testing SSL server localhost on port 8443 using SNI name localhost
  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   enabled

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
OpenSSL version does not support compression
Rebuild with zlib1g-dev package for zlib support

  Heartbleed:
TLSv1.3 not vulnerable to heartbleed
TLSv1.2 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256         Curve 25519 DHE 253
Accepted  TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384         Curve 25519 DHE 253
Accepted  TLSv1.3  256 bits  TLS_CHACHA20_POLY1305_SHA256   Curve 25519 DHE 253
Preferred TLSv1.2  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384  Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-ECDSA-CHACHA20-POLY1305  Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256  Curve 25519 DHE 253

  Server Key Exchange Group(s):
TLSv1.3  128 bits  secp256r1 (NIST P-256)
TLSv1.3  192 bits  secp384r1 (NIST P-384)
TLSv1.3  260 bits  secp521r1 (NIST P-521)
TLSv1.3  128 bits  x25519
TLSv1.3  224 bits  x448
TLSv1.2  128 bits  secp256r1 (NIST P-256)

  SSL Certificate:
Signature Algorithm: ecdsa-with-SHA256
ECC Curve Name:      prime256v1
ECC Key Strength:    128

Subject:  localhost
Issuer:   localhost

Not valid before: Feb 27 16:01:32 2023 GMT
Not valid after:  Feb 27 16:01:32 2024 GMT
@theseion I don't think I want to go back to && in Dockerfiles anymore. All the other code is using the ; and if we change this one we should change all. And I prefer the other way around.
Generating the certificate is so quick in this case, that I don't know if we want to skip it...
Fixes #106.
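As an added illustration of the entrypoint behaviour shown in the test output above (generate a new self-signed certificate on first start, reuse a mounted key/certificate pair on later starts), here is a small POSIX shell script written for this page; it is not the project's own generate-certificate script. It assumes openssl is on PATH, the DIR/conf/server.key and DIR/conf/server.crt layout from the logs, and adds one check the logs do not show: a half-present pair (key without certificate or vice versa) is refused rather than silently overwritten.

```shell
#!/bin/sh
# Added example, not the project's generate-certificate script.
# Assumptions: openssl on PATH; files live in DIR/conf/server.key and DIR/conf/server.crt.

# cert_state DIR: prints "existing", "missing" or "partial".
cert_state() {
    key="$1/conf/server.key"
    crt="$1/conf/server.crt"
    if [ -s "$key" ] && [ -s "$crt" ]; then
        echo existing
    elif [ ! -e "$key" ] && [ ! -e "$crt" ]; then
        echo missing
    else
        # One file without the other: neither overwrite nor serve a mismatched pair.
        echo partial
    fi
}

# generate_certificate DIR: creates an ECDSA P-256, SHA-256 self-signed certificate for
# CN=localhost with the subject seen in the logs, valid 365 days, only when nothing exists.
generate_certificate() {
    dir="$1"
    case "$(cert_state "$dir")" in
        existing)
            echo "$0: using existing key/certificate"
            return 0 ;;
        partial)
            echo "$0: only one of server.key/server.crt present in $dir/conf; refusing to continue" >&2
            return 1 ;;
    esac
    mkdir -p "$dir/conf"
    echo "$0: generating new certificate"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -sha256 -days 365 \
        -subj "/C=US/ST=NY/L=NY/O=MyOrg/OU=MyUnit/emailAddress=none@none.com/CN=localhost" \
        -keyout "$dir/conf/server.key" -out "$dir/conf/server.crt" 2>/dev/null || return 1
    chmod 600 "$dir/conf/server.key"   # private key readable by its owner only
    echo "$0: generated $dir/conf/server.key and $dir/conf/server.crt"
}

# Usage: generate-certificate DIR  (mirrors the ./src/bin/generate-certificate /tmp/kkcert call above)
if [ $# -gt 0 ]; then
    generate_certificate "$1"
fi
```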