coreruleset / modsecurity-crs-docker

Official ModSecurity Docker + Core Rule Set (CRS) images
https://coreruleset.org
Apache License 2.0

feat: enable running nginx containers with read-only root fs #210

Open theseion opened 7 months ago

theseion commented 7 months ago

Refs #172

theseion commented 7 months ago

@ne20002 @enibache This PR enables the use of read-only root fs. It's certainly not perfect but I didn't want to rewrite the entire build setup and documentation. So for now you can run this image as follows with Docker:

docker run \
  --rm \
  --read-only \
  --tmpfs /etc/nginx:rw,mode=777 \
  --tmpfs /etc/modsecurity.d:rw,mode=777 \
  --tmpfs /opt/owasp-crs:rw,mode=777 \
  --tmpfs /tmp:rw,mode=777 \
  --tmpfs /var/cache/nginx:rw,mode=777 \
  owasp/modsecurity-crs:nginx

The container will copy files at startup to those tmpfs directories. In writable root fs mode, the container behaves the same as before; in read-only mode, the tmpfs mounts are required and the files will be copied there.

I'd appreciate some feedback.

You can build the image from this PR with (for example):

docker buildx bake --load --set "*.platform=linux/amd64" nginx
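A sketch of the startup step described in the comment above (detect a read-only root fs, require a writable mount for each runtime directory, then copy the pristine files into it), written for this page as an added example. It is not the entrypoint from this PR or the image; the function names, the `pristine`/`run` paths and the use of a mounts table in /proc/mounts format are assumptions.

```shell
#!/bin/sh
# Added illustration only: NOT the image's real entrypoint.
# Assumed layout: pristine copies live in a source tree inside the image,
# runtime directories are the paths mounted with --tmpfs in the docker run above.

# Exit 0 if "/" is mounted read-only according to a mounts table
# (defaults to /proc/mounts; a file path can be passed in for testing).
rootfs_is_readonly() {
    awk '$2 == "/" { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") ro = 1 }
         END { exit !ro }' "${1:-/proc/mounts}"
}

# Populate $2 from the pristine tree $1. When the root fs is read-only
# ($3 = 1), $2 must already be a writable mount such as a tmpfs; otherwise
# the copy would fail part-way, so check up front and fail loudly instead.
populate_dir() {
    src="$1"; dst="$2"; readonly_root="$3"
    if [ "$readonly_root" = 1 ] && [ ! -w "$dst" ]; then
        echo "error: $dst is not writable; mount a tmpfs there (--tmpfs $dst:rw)" >&2
        return 1
    fi
    mkdir -p "$dst" || return 1
    # "$src/." copies the directory contents, preserving modes (-p)
    cp -pR "$src/." "$dst/"
}

# Self-contained demo on constructed data (no real /proc/mounts needed).
demo() {
    work=$(mktemp -d)
    printf 'overlay / overlay ro,relatime 0 0\ntmpfs /etc/nginx tmpfs rw 0 0\n' > "$work/mounts"
    mkdir -p "$work/pristine/nginx" "$work/run/nginx"
    echo 'worker_processes auto;' > "$work/pristine/nginx/nginx.conf"
    if rootfs_is_readonly "$work/mounts"; then ro=1; else ro=0; fi
    populate_dir "$work/pristine/nginx" "$work/run/nginx" "$ro" || return 1
    [ -f "$work/run/nginx/nginx.conf" ] && echo "copied nginx.conf (readonly_root=$ro)"
    rm -rf "$work"
}
demo
```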

theseion commented 7 months ago

Yes. I just wanted to get feedback first.

ne20002 commented 7 months ago

Sorry. I'm still fiddling with the 3.3.5 and can't get my exclusion for local IPs to work. Also, it seems as if there is no version 4 docker image available at hub.docker.com. I'd need to get it working first before I try to use it with a readonly setup.

theseion commented 7 months ago

Thanks for the hint @ne20002. We thought we had published the images but really didn't. I've created the PR to fix that.

theseion commented 7 months ago

@ne20002 The 4.0 images are now available.

fzipi commented 5 months ago

Can we close this now?

Serverfrog commented 5 months ago

Would be awesome, as I'm currently trying to enable ModSecurity correctly in k8s (before it was sadly copied from a default nginx, e.g. nginx -g 'daemon off;', which did not enable any rules and was just a plain nginx)

Else I would need to implement the workaroundish things myself

theseion commented 5 months ago

Well, I don't want to merge this without proper testing. Unless we create a root-only image variant, so that the other images continue to work. Maybe that would be the better approach anyway?

ne20002 commented 5 months ago

Hi @theseion I'm currently a bit busy. I got my Friendica setup working so far (still a few things to optimize) and will continue to update my Nextcloud setup (which seems to have a number of changes with the new plugin mechanism).