openresty / docker-openresty

Docker tooling for OpenResty
https://hub.docker.com/r/openresty/openresty
BSD 2-Clause "Simplified" License

Openresty 1.19.3.1-alpine3.12 with modsecurity v3.0.4 #175

Closed BogdanRS closed 1 year ago

BogdanRS commented 3 years ago

I have an issue when trying to build OpenResty 1.19.3.1 (or any other version with alpine3.12) with ModSecurity v3.0.4 (https://github.com/SpiderLabs/ModSecurity). I get this error:

    patching file src/rule.cc
    Hunk #1 succeeded at 699 (offset 2 lines).
    Hunk #2 succeeded at 710 (offset 2 lines).
    patching file src/variables/variable.h
    Hunk #1 succeeded at 605 (offset -5 lines).
    patching file test/test-cases/regression/config-update-target-by-id.json
    patching file test/test-cases/regression/config-update-target-by-tag.json
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  303k    0  303k    0     0   264k      0 --:--:--  0:00:01 --:--:--  264k
    patch: **** Only garbage was found in the patch input.

The ModSecurity Dockerfile is: https://github.com/openresty/docker-openresty/blob/1.19.3.1-0/alpine/Dockerfile but I've put this line before building apk dependencies:

    COPY modsecurity-3.0.4.patch /tmp/modsecurity-3.0.4.patch

Also, these are some of the pre-build lines that I use in a GitLab CI job and that are relevant for this issue:

    echo "Building openresty with modsecurity"
    cd files/openresty-modsecurity-1.19
    build_image \
        --build-arg RESTY_IMAGE_BASE="${CI_REGISTRY_IMAGE}/alpine" \
        --build-arg RESTY_IMAGE_TAG="3.12-${CI_COMMIT_SHA}" \
        --build-arg RESTY_PCRE_VERSION="${RESTY_PCRE_VERSION:?have to be forced to set same version in modsecurity and nginx}" \
        --build-arg RESTY_ADD_PACKAGE_RUNDEPS="libstdc++ libcurl yajl" \
        --build-arg RESTY_ADD_PACKAGE_BUILDDEPS="curl-dev yajl-dev" \
        --build-arg RESTY_EVAL_PRE_CONFIGURE="
            curl -fSL https://ftp.pcre.org/pub/pcre/pcre-${RESTY_PCRE_VERSION}.tar.gz -o pcre-${RESTY_PCRE_VERSION}.tar.gz && \
            tar xzf pcre-${RESTY_PCRE_VERSION}.tar.gz && \
            cd pcre-${RESTY_PCRE_VERSION} && \
            ./configure && \
            make -j${RESTY_J} && \
            make install -j${RESTY_J} && \
            cd - && \
            curl -fSL https://github.com/SpiderLabs/ModSecurity/releases/download/${RESTY_MODSECURITY_VERSION}/modsecurity-${RESTY_MODSECURITY_VERSION}.tar.gz -o modsecurity-${RESTY_MODSECURITY_VERSION}.tar.gz && \
            tar xzf modsecurity-${RESTY_MODSECURITY_VERSION}.tar.gz && \
            cd /tmp/modsecurity-${RESTY_MODSECURITY_VERSION} && \
            mv /tmp/modsecurity-3.0.4.patch /tmp/modsecurity-${RESTY_MODSECURITY_VERSION}/modsecurity-3.0.4.patch && \
            patch -p1 < modsecurity-3.0.4.patch && \
            curl -fSL https://github.com/SpiderLabs/ModSecurity/commit/f57265a3e24b84534ec8bb6fa20ceb709d6878d0 | patch -p1 && \
            rm /tmp/modsecurity-${RESTY_MODSECURITY_VERSION}/modsecurity-3.0.4.patch && \
            ./configure && \
            make -j${RESTY_J} && \
            make install -j${RESTY_J} && \
            mkdir -p /etc/nginx/modsecurity && \
            cp unicode.mapping modsecurity.conf-recommended /etc/nginx/modsecurity && \
            cd - && \
            curl -fSL https://github.com/SpiderLabs/ModSecurity-nginx/releases/download/${RESTY_MODSECURITY_NGINX_VERSION}/modsecurity-nginx-${RESTY_MODSECURITY_NGINX_VERSION}.tar.gz -o modsecurity-nginx-${RESTY_MODSECURITY_NGINX_VERSION}.tar.gz && \
            tar xzf modsecurity-nginx-${RESTY_MODSECURITY_NGINX_VERSION}.tar.gz && \
            cd /tmp/modsecurity-nginx-${RESTY_MODSECURITY_NGINX_VERSION} && \
            cd -
            " \
        --build-arg RESTY_EVAL_POST_MAKE="
            rm -rf \
                /usr/local/share/man \
                /usr/local/share/doc \
                /usr/local/include \
                /usr/local/modsecurity/lib/pkgconfig \
                /usr/local/modsecurity/include \
                modsecurity-${RESTY_MODSECURITY_VERSION} \
                modsecurity-${RESTY_MODSECURITY_VERSION}.tar.gz \
                modsecurity-nginx-${RESTY_MODSECURITY_NGINX_VERSION} \
                modsecurity-nginx-${RESTY_MODSECURITY_NGINX_VERSION}.tar.gz
            " \
        --build-arg RESTY_CONFIG_OPTIONS_MORE="--add-module=/tmp/modsecurity-nginx-${RESTY_MODSECURITY_NGINX_VERSION}" \
        -f Dockerfile

Note that this is where it fails:

    curl -fSL https://github.com/SpiderLabs/ModSecurity/commit/f57265a3e24b84534ec8bb6fa20ceb709d6878d0 | patch -p1 && \

It can't apply this patch when trying to build from alpine 3.12.
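The failing step above pipes the response for a GitHub commit URL straight into patch; without a .patch or .diff suffix, that URL serves an HTML page rather than a diff. As an added example (not code from this issue or from the docker-openresty project), the shell guard below checks that an already downloaded file is a unified diff, matches a pinned SHA-256, and applies cleanly before the source tree is touched. The function names, return codes, and paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue): vet a downloaded patch before applying it.

# looks_like_patch FILE: succeed only if FILE is plausibly a unified diff.
looks_like_patch() {
    [ -s "$1" ] || return 1                       # empty or missing download
    # An HTML document near the top means a web page was fetched, not a diff.
    if head -c 1024 "$1" | grep -qiE '<!DOCTYPE html|<html'; then
        return 1
    fi
    # Require old/new file headers and at least one hunk header.
    grep -q '^--- ' "$1" && grep -q '^+++ ' "$1" &&
        grep -qE '^@@ -[0-9]+(,[0-9]+)? \+[0-9]+(,[0-9]+)? @@' "$1"
}

# verify_and_apply FILE EXPECTED_SHA256 [SRC_DIR]
# Return codes: 2 = not a diff, 3 = digest mismatch, 4 = does not apply cleanly.
verify_and_apply() {
    file=$1 want=$2 dir=${3:-.}
    looks_like_patch "$file" || { echo "not a unified diff: $file" >&2; return 2; }
    got=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$got" = "$want" ] || { echo "sha256 mismatch for $file" >&2; return 3; }
    # Dry run first so a failing hunk leaves the source tree untouched.
    patch -d "$dir" -p1 --dry-run < "$file" >/dev/null || return 4
    patch -d "$dir" -p1 < "$file" >/dev/null
}

# Usage inside the build step (URL and digest are placeholders):
#   curl -fSL "<commit-url>.patch" -o /tmp/fix.patch
#   verify_and_apply /tmp/fix.patch "<pinned sha256>" /tmp/modsecurity-<version>
```

Pinning the digest in the Dockerfile also means a change to the upstream commit page or a tampered download stops the build instead of silently altering the WAF sources.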

neomantra commented 3 years ago

Although the idea is to make builds configurable like you are doing... there's a lot going on in there!

Perhaps try doing that by creating a new Dockerfile and putting that in a RUN stanza. Or even, go into an alpine image and run those by hand and see if it works cleanly?

Once you have that Dockerfile fully working then you can extract the commands and inject it with build arguments.