linuxserver / docker-swag

Nginx webserver and reverse proxy with php support and a built-in Certbot (Let's Encrypt) client. It also contains fail2ban for intrusion prevention.
https://docs.linuxserver.io/general/swag
GNU General Public License v3.0

Modsecurity with Nginx #142

Open bloodyburger opened 2 years ago

bloodyburger commented 2 years ago

Is it possible to add Modsecurity rules to Nginx?

github-actions[bot] commented 2 years ago

Thanks for opening your first issue here! Be sure to follow the bug or feature issue templates!

github-actions[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stellarpower commented 2 years ago

I'm working on adding the required packages to Alpine; I have pushed initial commits and will add a comment here once at the stage to open an MR in their package system. I believe lsio may consider adding this but only when alpine packages are available as nginx isn't built from source as it is with other projects. In the meantime I am working on a fork here that will use the built packages for an initial setup.

github-actions[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

davidecavestro commented 2 years ago

Log4Shell hurry-up

github-actions[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

lordraiden commented 2 years ago

@stellarpower

Any news about modsecurity and csr?

Maybe some code can be taken from this project that has no activity https://github.com/bunkerity/bunkerized-nginx

stellarpower commented 2 years ago

Afraid not. I have an image built here for any who want to try: registry.gitlab.com/stellarpower/open-container-repository/docker-swag/add-modsecurity-with-manual-packages:1.18.0 I'm waiting on Alpine to hear back. IIRC I bumped a while ago. I'd prefer some comments from someone there before opening a PR and potentially needing lots of changes before it'd be accepted, but I've not heard a peep. If I don't, I'll just try to merge my branch and see if someone clocks it.

lordraiden commented 2 years ago

Afraid not. I have an image built here for any who want to try: registry.gitlab.com/stellarpower/open-container-repository/docker-swag/add-modsecurity-with-manual-packages:1.18.0 I'm waiting on Alpine to hear back. IIRC I bumped a while ago. I'd prefer some comments from someone there before opening a PR and potentially needing lots of changes before it'd be accepted, but I've not heard a peep. If I don't, I'll just try to merge my branch and see if someone clocks it.

Any news about this?

This project includes ModSecurity but I guess they aren't using alpine https://github.com/bunkerity/bunkerized-nginx The problem is that the project looks dead.

sloanja commented 2 years ago

There's the project here: https://github.com/andrewnk/docker-alpine-nginx-modsec which uses alpine and has Modsec Nginx Connector, GeoIP, ModSec OWASP Rules, and download/extract nginx and GeoIP databases.

stellarpower commented 2 years ago

I already have (half) a patch in for this, and I believe we are officially waiting on alpine to bring this into the repositories and for it to enter stable. I've just heard nothing back yet, and afraid I haven't got time in the next few months for projects outside of what I need directly for work. If you want to SSO sign in to the alpine Gitlab to bump there, please do. This is what needs to move in order to bring this in. The thread is here: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9418

lordraiden commented 2 years ago

I already have (half) a patch in for this, and I believe we are officially waiting on alpine to bring this into the repositories and for it to enter stable. I've just heard nothing back yet, and afraid I haven't got time in the next few months for projects outside of what I need directly for work. If you want to SSO sign in to the alpine Gitlab to bump there, please do. This is what needs to move in order to bring this in. The thread is here: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9418

And can naxsi with nxtool be added? https://github.com/nbs-system/naxsi

stellarpower commented 2 years ago

Naxsi is an alternative WAF, no? I think adding that would be outside the scope of modsecurity.

lordraiden commented 2 years ago

Naxsi is an alternative WAF, no? I think adding that would be outside the scope of modsecurity.

Yes, it is another WAF with a different approach. Just saying in case things to put modsecurity into swag don't go well.

github-actions[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

lordraiden commented 2 years ago

Any progress with this?

github-actions[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

lordraiden commented 1 year ago

Is there any progress, or has it been abandoned?

j0nnymoe commented 1 year ago

Can't abandon something that was never started.

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

farzadha2 commented 1 year ago

I was also curious if this is planned someday? I was looking around and found that modsecurity with NGINX alpine is configurable https://github.com/andrewnk/docker-alpine-nginx-modsec

nemchik commented 1 year ago

Just to clarify, we (lsio) are not working on this. Our image installs nginx using the apk package repository. There is no package in the Alpine repository for modsecurity. We're not opposed to building some things from source, but we don't currently want to take on building nginx from source (which could include building all the currently used modules, rather than installing them via apk, but I am not positive). If there is a way to build modsecurity and use it with nginx when installed from apk we could entertain that, but it would be ideal if modsecurity were available in apk.

I'm removing the inactivity label, and adding the awaiting approval (exempt from inactivity) label.

Comments saying "this other project has nginx+modsecurity" are unfortunately not helpful to us unless the project also installs nginx via apk (not built from source), so please consider this before linking to other projects.
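The constraint above (nginx comes from apk, so any ModSecurity support would have to be a separately built dynamic module loaded into that binary) has two preconditions that are easy to get wrong: the module must be compiled against the exact nginx version that is installed, and the installed nginx must advertise `--with-compat` so that a module built with different configure arguments is still ABI-compatible. The following POSIX shell check is an added example, not code from the SWAG project or from anyone in this thread; the `nginx -V` text it parses is a constructed sample, and the function names are my own.

```shell
#!/bin/sh
# Added example (not SWAG project code): check whether an apk-installed nginx
# can load a dynamic module (such as a ModSecurity-nginx connector) that was
# built separately from nginx source.
#   1. the module must be compiled against the same nginx version
#   2. nginx must have been configured with --with-compat, otherwise the
#      module would need the identical configure arguments to be binary-safe
# `nginx -V` prints its version and configure arguments to stderr.

# Constructed sample of `nginx -V 2>&1` output so the script runs offline.
SAMPLE_NGINX_V='nginx version: nginx/1.24.0
built with OpenSSL 3.1.4 24 Oct 2023
TLS SNI support enabled
configure arguments: --prefix=/var/lib/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --with-compat --with-threads'

# Read `nginx -V` text on stdin and print only the version number (e.g. 1.24.0).
nginx_version() {
    sed -n 's/^nginx version: nginx\/\([0-9.]*\).*/\1/p'
}

# Read `nginx -V` text on stdin; exit 0 if --with-compat is among the
# configure arguments, 1 otherwise.
has_compat() {
    grep -q -- '--with-compat'
}

# check_module_compat <version the module was built for> [nginx -V text]
# Returns 0 when the installed nginx matches that version and was built with
# --with-compat; otherwise prints the reason and returns 1. When the second
# argument is omitted the real binary is queried.
check_module_compat() {
    want="$1"
    text="${2:-$(nginx -V 2>&1)}"
    have=$(printf '%s\n' "$text" | nginx_version)
    if [ -z "$have" ]; then
        echo "could not determine nginx version from nginx -V output"
        return 1
    fi
    if [ "$have" != "$want" ]; then
        echo "version mismatch: module built for $want, installed nginx is $have"
        return 1
    fi
    if ! printf '%s\n' "$text" | has_compat; then
        echo "nginx $have was built without --with-compat; a separately built module may not load"
        return 1
    fi
    echo "ok: nginx $have built with --with-compat"
}

# Usage against the constructed sample (drop the second argument to query the
# nginx binary actually installed in the container).
check_module_compat 1.24.0 "$SAMPLE_NGINX_V"
```

Run inside the container before copying any third-party `.so` into the modules directory; a version mismatch is the common failure when the apk nginx package is upgraded but the module is not rebuilt, and nginx refuses to load such a module at startup.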

stellarpower commented 1 year ago

I don't have any spare time for working on something like this at the moment. If others desperately want to use it, I would suggest pulling the image provided. Otherwise, please bump the people at Alpine on their gitlab and ask someone to take a look at my fork, as that is the way this will eventually make it into the SWAG image.

stellarpower commented 1 year ago

Okay, so update, alpine don't want to add modsecurity to their packages. The claim is that the project has been abandoned, although that isn't the impression I get so I don't really have a clear reason as to why. I'm also not aware of any alternative FOSS WAF available that might be a viable alternative.

I have open branches (libmodsec) (nginx connector) (CRS) on their gitlab that anyone is free to use (probably needs some work, hence I was waiting for some guidance from the alpine community on that), and I have provided a container image above, so anyone who wants to add this themselves is free to do so obviously.

I assume there's no equivalent of a PPA with alpine packages, but that would seem an obvious thing to do in this situation in the meantime, to make it easier for those who want to modify the image and continue pulling updates from the master branch here.

lordraiden commented 1 year ago

Okay, so update, alpine don't want to add modsecurity to their packages. The claim is that the project has been abandoned, although that isn't the impression I get so I don't really have a clear reason as to why. I'm also not aware of any alternative FOSS WAF available that might be a viable alternative.

I have open branches (libmodsec) (nginx connector) (CRS) on their gitlab that anyone is free to use (probably needs some work, hence I was waiting for some guidance from the alpine community on that), and I have provided a container image above, so anyone who wants to add this themselves is free to do so obviously.

I assume there's no equivalent of a PPA with alpine packages, but that would seem an obvious thing to do in this situation in the meantime, to make it easier for those who want to modify the image and continue pulling updates from the master branch here.

The only alternative I know is naxsi

https://github.com/nbs-system/naxsi

stellarpower commented 1 year ago

I think I remember looking at this some time ago. Looks like the latest release was two years ago, so possibly alpine is gonna be even less inclined to incorporate it.

Is there an equivalent of the CRS available? As I think having a ready-to-go set of rules is key.

1 May 2023 16:33:39 lordraiden @.***>:

Okay, so update, alpine don't want to add modsecurity to their packages[https://gitlab.alpinelinux.org/alpine/aports/-/issues/9418#note_303804]. The claim is that the project has been abandoned, although that isn't the impression I get so I don't really have a clear reason as to why. I'm also not aware of any alternative FOSS WAF available that might be a viable alternative.

I have open branches (libmodsec)[https://gitlab.alpinelinux.org/stellarpower/aports/-/tree/testing/libmodsecurity] (nginx connector)[https://gitlab.alpinelinux.org/stellarpower/aports/-/tree/testing/nginx-mod-http-modsecurity] (CRS)[https://gitlab.alpinelinux.org/stellarpower/aports/-/tree/testing/modsecurity-crs] on their gitlab that anyone is free to use (probably needs some work, hence I was waiting for some guidance from the alpine community on that), and I have provided a container image above, so anyone who wants to add this themselves is free to do so obviously.

I assume there's no equivalent of a PPA with alpine packages, but that would seem an obvious thing to do in this situation in the meantime, to make it easier for those who want to modify the image and continue pulling updates from the master branch here.

The best option is to go with naxsi

https://github.com/nbs-system/naxsi


lordraiden commented 1 year ago

Anyway, ModSecurity development is quite active https://github.com/SpiderLabs/ModSecurity/releases https://azure.microsoft.com/en-us/blog/microsoft-sponsors-owasp-modsecurity-crs-to-improve-application-security/

I don't understand what they mean by the project being abandoned.

If I look at this example I see modsecurity with nginx with an alpine image https://jflower.co.uk/setup-nginx-as-a-reverse-proxy-and-waf-with-modsecurity-in-docker/ https://hub.docker.com/r/owasp/modsecurity-crs/

shinji257 commented 9 months ago

I'm not so sure on the nginx end of things. That repository is only for the library. The connector for nginx is a different repository and their last commit was 5/20/2022.

https://github.com/SpiderLabs/ModSecurity-nginx

The example links given for how to set it up don't use the nginx connector for ModSecurity. Rather, they run nginx as the front-facing server and reverse proxy to apache behind it. Apache is where ModSecurity is sitting in the example.

As for the modsecurity-crs docker container... it builds both apache and nginx versions of the module from source and does not reference pre-packaged versions of it.