NGINX Docker Container Broken

[redRolf]

Since you latest update the following things do not work any more:

• There is no log output from the NGINX server to standard out
• The WAF no longer routes traffic to the configured endpoints
• The audit log is now longer created
• Custom error pages don't work

In short the image became unusable...

Why is this setup no longer working? I just don't understand why this no longer works, as there is an NGINX running in their some where...

Here are my Docker file and nginx.conf

Docker File

FROM owasp/modsecurity-crs:nginx

ENV ACCESSLOG=/var/log/nginx/access.log \
    BACKEND=http://localhost:80 \
    DNS_SERVER= \
    ERRORLOG=/var/log/nginx/error.log \
    LOGLEVEL=warn \
    METRICS_ALLOW_FROM='127.0.0.0/24' \
    METRICS_DENY_FROM='all' \
    METRICSLOG=/dev/null \
    MODSEC_AUDIT_ENGINE="RelevantOnly" \
    MODSEC_AUDIT_LOG_FORMAT=Native \
    MODSEC_AUDIT_LOG_TYPE=Serial \
    MODSEC_AUDIT_LOG=/var/log/modsecurity_audit.log \
    MODSEC_AUDIT_LOG_PARTS='ABIJDEFHZ' \
    MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \
    MODSEC_DATA_DIR=/tmp/modsecurity/data \
    MODSEC_DEBUG_LOG=/dev/null \
    MODSEC_DEBUG_LOGLEVEL=0 \
    MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,auditlog,tag:'\${MODSEC_TAG}'" \
    MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,auditlog,tag:'\${MODSEC_TAG}'" \
    MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 \
    MODSEC_PCRE_MATCH_LIMIT=100000 \
    MODSEC_REQ_BODY_ACCESS=on \
    MODSEC_REQ_BODY_LIMIT=13107200 \
    MODSEC_REQ_BODY_NOFILES_LIMIT=131072 \
    MODSEC_RESP_BODY_ACCESS=on \
    MODSEC_RESP_BODY_LIMIT=1048576 \
    MODSEC_RESP_BODY_MIMETYPE="text/plain text/html text/xml" \
    MODSEC_RULE_ENGINE=on \
    MODSEC_TAG=modsecurity \
    MODSEC_TMP_DIR=/tmp/modsecurity/tmp \
    MODSEC_UPLOAD_DIR=/tmp/modsecurity/upload \
    PORT=80 \
    PROXY_TIMEOUT=60s \
    PROXY_SSL_CERT_KEY=/etc/nginx/conf/server.key \
    PROXY_SSL_CERT=/etc/nginx/conf/server.crt \
    PROXY_SSL_VERIFY=off \
    SERVER_NAME=localhost \
    SSL_PORT=443 \
    TIMEOUT=60s \
    WORKER_CONNECTIONS=1024 \
    LD_LIBRARY_PATH=/lib:/usr/lib:/usr/local/lib \
    MODSEC_REQ_BODY_LIMIT_ACTION=ProcessPartial

# Setup cron.
RUN apt-get --allow-releaseinfo-change update && apt-get install cron -y && apt-get clean

# Overwriting CRS Rules
COPY ./core_rule_set/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf /opt/owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
COPY ./core_rule_set/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf /opt/owasp-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

# Copy NGINX configuration
COPY ./etc/nginx/sites-available /etc/nginx/sites-available
COPY ./etc/nginx/sites-enabled /etc/nginx/sites-enabled
COPY ./etc/nginx/nginx.conf /etc/nginx/nginx.conf.template
COPY ./etc/nginx/conf/default-server.conf /etc/nginx/conf/default-server.conf
COPY ./var/www /var/www

# Remove unused default configs
RUN rm /etc/nginx/conf.d/default.conf

# Copy self signed dev certs
COPY ./certs/WAF-DEV.key /usr/app/data/certs/1/1.intra-domain.tld/private.key
COPY ./certs/WAF-DEV.crt /usr/app/data/certs/1/1.intra-domain.tld/cert.pem
COPY ./certs/WAF-DEV.key /usr/app/data/certs/2/2.intra-domain.tld/private.key
COPY ./certs/WAF-DEV.crt /usr/app/data/certs/2/2.intra-domain.tld/cert.pem
COPY ./certs/WAF-DEV.key /usr/app/data/certs/3/3.intra-domain.tld/private.key
COPY ./certs/WAF-DEV.crt /usr/app/data/certs/3/3.intra-domain.tld/cert.pem
RUN chown -R nginx /usr/app/data/certs
RUN chmod -R 700 /usr/app/data/certs

# Setup the cron job for auto-reloading.
RUN echo "0 0 * * * root nginx -s reload" >> /etc/crontab

# Setup cron to automatically re-load the NGINX configuration daily.
CMD cron && nginx -g "daemon off;"

NGINX Conf

load_module modules/ngx_http_modsecurity_module.so;

user ${USER};
worker_processes 1;

pid /var/run/nginx.pid;

events {
    worker_connections ${WORKER_CONNECTIONS};
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" "$request_id"';

    modsecurity_transaction_id "$request_id";

    access_log /var/log/nginx/access.log main;
    access_log /dev/null combined;

    error_log /var/log/nginx/error.log warn;

    keepalive_timeout ${NGINX_KEEPALIVE_TIMEOUT};
    sendfile on;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

[redRolf]

Changeing the image name to:

FROM owasp/modsecurity-crs@sha256:830e5cc033d3034771a830977bc6dcfdb57f3647edb1aa0dc9fad56e900ff779

Allowed me to use an older image that still worked.

[fzipi]

Hi @redRolf !

I'm sorry to hear that something is broken. To solve this, take a look here.

We will probably be porting that documentation part to this image.

Best, Felipe.

[fzipi]

In essence, you need to change this:

COPY ./etc/nginx/nginx.conf /etc/nginx/nginx.conf.template
COPY ./etc/nginx/conf/default-server.conf /etc/nginx/conf/default-server.conf

To something that keeps the structure you want under /etc/nginx/templates:

COPY ./etc/nginx/nginx.conf /etc/nginx/templates/nginx.conf.template
COPY ./etc/nginx/conf/default-server.conf /etc/nginx/templates/conf.d/default-server.conf

[redRolf]

@fzipi I am so sorry, I only got back to you now. But I finally found the time to fix the issue :) Your tips on changing the location and name of the nginx.conf helped a lot.

The final puzzle piece was though, that running CMD cron && nginx -g "daemon off;" at the end of the docker file no longer works with the new NGINX container.

any additional services that are to be startet along with the like crond in my case need to be placed in an entry point script, that is placed within then /docker-entrypoint.d/ directory, like so:

# Setup entrypoint scripts
# Scripts in ./docker-entrypoint.d/ are automatically executed by the new nginx entrypoint script, see: 
# https://github.com/nginxinc/docker-nginx/blob/master/entrypoint/docker-entrypoint.sh
COPY ./docker-entrypoint.d/*.sh /docker-entrypoint.d/
RUN chmod +x /docker-entrypoint.d/*.sh

Running any sort of CMD command when extending the new NGINX container breaks NGINX 😇

Thank you again for your help :) have a great week. Hope this helps some one.

[fzipi]

Excellent, good to know! I will add this to the general readme, for sure it might help someone!