# syntax=docker/dockerfile:labs
# NOTE(review): "labs" is a moving frontend channel, not a pinned release. Nothing below
# appears to use a labs-only feature, so `docker/dockerfile:1` would likely work — confirm.
FROM alpine:3.21.2 AS build
# Every RUN in this stage aborts on the first failing command or pipeline stage.
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]

# Build-time version pins. These are git tags/branches, not commits: any value set to
# "master" (NB_VER, NF_VER, NNTLM_VER) resolves to whatever HEAD is at build time.
# TLS stack: quictls OpenSSL fork plus the post-quantum provider installed into it.
ARG OPENSSL_VER=openssl-3.1.7+quic
ARG LIBOQS_VER=0.12.0
ARG OQSPROVIDER_VER=0.8.0
# nginx core and the versions named in the two patches applied to it.
ARG NGINX_VER=release-1.27.4
ARG DTR_VER=1.25.1
ARG RCP_VER=1.27.1
# Third-party nginx modules (wired in via --add-module in the Configure step).
ARG NB_VER=master
ARG NF_VER=master
ARG HMNM_VER=v0.37
ARG NJS_VER=0.8.9
ARG NDK_VER=v0.3.3
ARG LNM_VER=v0.10.28
ARG NHG2M_VER=3.4
ARG NNTLM_VER=master
# ModSecurity engine and its nginx connector.
ARG MODSEC_VER=v3.0.13
ARG MODSECNGX_VER=v1.0.3
# Lua: resty libraries installed under the nginx prefix, and the LuaJIT paths exported
# into the build environment (presumably read by lua-nginx-module's config — verify).
ARG LRC_VER=v0.1.31
ARG LRL_VER=v0.15
ARG LUAJIT_INC=/usr/include/luajit-2.1
ARG LUAJIT_LIB=/usr/lib
WORKDIR /src
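# Requirements
# Build toolchain plus the -dev headers for every library nginx, ModSecurity, the OQS
# stack and the open-appsec attachment link against. Packages are intentionally not
# version-pinned here (hadolint DL3018); the base image tag is the reproducibility pin.
# The list is sorted and de-duplicated (lmdb-dev was previously listed twice).
RUN apk upgrade --no-cache -a && \
    apk add --no-cache \
        autoconf \
        automake \
        bash \
        build-base \
        ca-certificates \
        cmake \
        curl-dev \
        geoip-dev \
        git \
        libatomic_ops-dev \
        libfuzzy2-dev \
        libmaxminddb-dev \
        libtool \
        libxml2-dev \
        libxslt-dev \
        linux-headers \
        lmdb-dev \
        lua5.1-dev \
        luajit-dev \
        pcre2-dev \
        perl \
        yajl-dev \
        zlib-dev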
# Openssl
# quictls (QUIC-enabled OpenSSL fork) at the OPENSSL_VER tag. It is not built here:
# nginx's --with-openssl in the Configure step builds it in-tree, and the OQS provider
# is dropped into its ossl-modules directory afterwards.
RUN git clone --branch "$OPENSSL_VER" https://github.com/quictls/openssl /usr/local/openssl
# ModSecurity
# libmodsecurity v3 with the PCRE2 and LMDB backends. The recommended config is edited
# in place before the build so the copy shipped by the final stage has the rule engine
# switched on, all SecAudit* directives commented out, and an absolute path to the
# unicode.mapping file where it is installed in the runtime image.
RUN git clone --recursive --branch "$MODSEC_VER" https://github.com/owasp-modsecurity/ModSecurity /src/ModSecurity && \
    sed -i \
        -e "s|SecRuleEngine .*|SecRuleEngine On|g" \
        -e "s|^SecAudit|#SecAudit|g" \
        -e "s|unicode.mapping|/usr/local/nginx/conf/conf.d/include/unicode.mapping|g" \
        /src/ModSecurity/modsecurity.conf-recommended && \
    cd /src/ModSecurity && \
    ./build.sh && \
    ./configure --with-pcre2 --with-lmdb && \
    make -j "$(nproc)" && \
    make -j "$(nproc)" install
# Nginx
# freenginx checked out at NGINX_VER. Two patches are downloaded from the upstream
# repositories' master branches with no checksum, so the exact bytes applied can differ
# between builds even with NGINX_VER unchanged:
#   1.patch - nginx-modules/ngx_http_tls_dyn_size (dynamic TLS record sizing), DTR_VER file
#   2.patch - OpenResty's resolver_conf_parsing patch for nginx RCP_VER
RUN git clone --recursive https://github.com/freenginx/nginx --branch "$NGINX_VER" /src/nginx && \
cd /src/nginx && \
wget -q https://raw.githubusercontent.com/nginx-modules/ngx_http_tls_dyn_size/master/nginx__dynamic_tls_records_"$DTR_VER"%2B.patch -O /src/nginx/1.patch && \
wget -q https://raw.githubusercontent.com/openresty/openresty/master/patches/nginx-"$RCP_VER"-resolver_conf_parsing.patch -O /src/nginx/2.patch && \
# rebrand: every "freenginx" in nginx.h becomes "NPMplus" (presumably the version/Server banner string — confirm)
sed -i "s|freenginx|NPMplus|g" /src/nginx/src/core/nginx.h && \
# drop the "<hr><center>...</center>" footer lines from the built-in error pages
sed -i "/<hr><center>/d" /src/nginx/src/http/ngx_http_special_response.c && \
# log-only: prints the two sed edits to the build output before the patches go in
git diff && \
git apply /src/nginx/1.patch && \
git apply /src/nginx/2.patch && \
rm /src/nginx/*.patch && \
# modules
# Third-party modules referenced by --add-module in the Configure step. NB_VER, NF_VER
# and NNTLM_VER default to "master", so those three clones are not pinned to a release.
git clone --recursive https://github.com/google/ngx_brotli --branch "$NB_VER" /src/ngx_brotli && \
git clone --recursive https://github.com/aperezdc/ngx-fancyindex --branch "$NF_VER" /src/ngx-fancyindex && \
git clone --recursive https://github.com/openresty/headers-more-nginx-module --branch "$HMNM_VER" /src/headers-more-nginx-module && \
git clone --recursive https://github.com/nginx/njs --branch "$NJS_VER" /src/njs && \
git clone --recursive https://github.com/vision5/ngx_devel_kit --branch "$NDK_VER" /src/ngx_devel_kit && \
git clone --recursive https://github.com/openresty/lua-nginx-module --branch "$LNM_VER" /src/lua-nginx-module && \
git clone --recursive https://github.com/openresty/lua-resty-core --branch "$LRC_VER" /src/lua-resty-core && \
git clone --recursive https://github.com/openresty/lua-resty-lrucache --branch "$LRL_VER" /src/lua-resty-lrucache && \
git clone --recursive https://github.com/leev/ngx_http_geoip2_module --branch "$NHG2M_VER" /src/ngx_http_geoip2_module && \
git clone --recursive https://github.com/gabihodoroaga/nginx-ntlm-module --branch "$NNTLM_VER" /src/nginx-ntlm-module && \
# patch ModSecurity-nginx
# Connector between nginx and libmodsecurity, at MODSECNGX_VER, with the diff of
# upstream pull request #320 applied on top. The PR diff is fetched live with no
# checksum, so its content is whatever the PR currently contains.
git clone --recursive https://github.com/SpiderLabs/ModSecurity-nginx --branch "$MODSECNGX_VER" /src/ModSecurity-nginx && \
cd /src/ModSecurity-nginx && \
wget -q https://patch-diff.githubusercontent.com/raw/owasp-modsecurity/ModSecurity-nginx/pull/320.patch -O /src/ModSecurity-nginx/1.patch && \
git apply /src/ModSecurity-nginx/1.patch && \
rm /src/ModSecurity-nginx/*.patch
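# Configure
# nginx configure. OpenSSL is built in-tree from the quictls checkout: "no-legacy" leaves
# the legacy provider out, and "--libdir=lib" keeps the install under .openssl/lib (the
# ossl-modules path used when the OQS provider is installed later depends on that).
# LUAJIT_INC/LUAJIT_LIB from the ARGs above are in the environment here; presumably
# lua-nginx-module's config script reads them — verify against that module.
# --with-debug compiles in debug-level logging support (only emitted when error_log is
# set to "debug"); the duplicate --with-http_geoip_module entry has been removed.
RUN cd /src/nginx && \
    /src/nginx/auto/configure \
        --build=freenginx \
        --with-debug \
        --with-compat \
        --with-threads \
        --with-file-aio \
        --with-libatomic \
        --with-pcre \
        --with-pcre-jit \
        --with-openssl-opt="no-legacy --libdir=lib" \
        --with-openssl="/usr/local/openssl" \
        --with-mail \
        --with-mail_ssl_module \
        --with-stream \
        --with-stream_ssl_module \
        --with-stream_ssl_preread_module \
        --with-stream_geoip_module \
        --with-stream_realip_module \
        --with-http_v2_module \
        --with-http_v3_module \
        --with-http_ssl_module \
        --with-http_geoip_module \
        --with-http_realip_module \
        --with-http_gunzip_module \
        --with-http_addition_module \
        --with-http_gzip_static_module \
        --with-http_auth_request_module \
        --with-http_sub_module \
        --with-http_stub_status_module \
        --add-module=/src/ngx_brotli \
        --add-module=/src/ngx-fancyindex \
        --add-module=/src/headers-more-nginx-module \
        --add-module=/src/njs/nginx \
        --add-module=/src/ngx_devel_kit \
        --add-module=/src/lua-nginx-module \
        --add-module=/src/ModSecurity-nginx \
        --add-module=/src/ngx_http_geoip2_module \
        --add-module=/src/nginx-ntlm-module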
# open-appsec nginx attachment. The clone has no --branch, so it is the default branch's
# HEAD at build time (no tag or commit pin). The repo-local attachment.patch is applied,
# then the project is configured and built in-source and installed.
RUN git clone https://github.com/openappsec/attachment /src/attachment
COPY attachment.patch /src/attachment/attachment.patch
RUN cd /src/attachment && \
    patch -p1 -i /src/attachment/attachment.patch && \
    cmake . && \
    make install
# Build & Install
# Compile nginx (and the in-tree OpenSSL) and install it, then install the two Lua resty
# libraries under the nginx prefix. The final perl call only dumps OpenSSL's recorded
# configuration into the build log.
RUN cd /src/nginx && \
    jobs="$(nproc)" && \
    make -j "$jobs" && \
    make -j "$jobs" install && \
    make -C /src/lua-resty-core -j "$jobs" install PREFIX=/usr/local/nginx && \
    make -C /src/lua-resty-lrucache -j "$jobs" install PREFIX=/usr/local/nginx && \
    perl /usr/local/openssl/configdata.pm --dump
# OQS
# liboqs at LIBOQS_VER: in-source Release build, installed to CMake's default prefix
# (its /usr/local/lib output is what the final stage copies).
RUN git clone --branch "$LIBOQS_VER" https://github.com/open-quantum-safe/liboqs /src/liboqs && \
    cd /src/liboqs && \
    cmake -DCMAKE_BUILD_TYPE=Release && \
    make -j "$(nproc)" && \
    make -j "$(nproc)" install
# oqs-provider at OQSPROVIDER_VER, built against the in-tree quictls install. It is not
# "make install"ed; the built shared object is moved by hand into that OpenSSL's
# ossl-modules directory so the provider can be activated from openssl.cnf.
RUN git clone --branch "$OQSPROVIDER_VER" https://github.com/open-quantum-safe/oqs-provider /src/oqs-provider && \
    cd /src/oqs-provider && \
    cmake -DCMAKE_BUILD_TYPE=Release -DOPENSSL_ROOT_DIR=/usr/local/openssl/.openssl && \
    make -j "$(nproc)" && \
    mv -v lib/oqsprovider.so /usr/local/openssl/.openssl/lib/ossl-modules
# Seed the openssl.cnf that OPENSSL_CONF points at in the final stage from OpenSSL's
# sample config, then register the OQS provider next to the default one and activate
# both sections.
RUN cp -v /usr/local/openssl/apps/openssl.cnf /usr/local/openssl/.openssl/openssl.cnf && \
    sed -i \
        -e "s|default = default_sect|default = default_sect\noqsprovider = oqsprovider_sect|g" \
        -e "s|\[default_sect\]|\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n|g" \
        /usr/local/openssl/.openssl/openssl.cnf
# strip files
# Strip symbols from the binaries and shared objects the final stage copies, to shrink
# the runtime image. A failing strip aborts the build (shell is -e).
RUN for artifact in \
        /usr/local/nginx/sbin/nginx \
        /usr/local/openssl/.openssl/bin/openssl \
        /usr/local/openssl/.openssl/lib/ossl-modules/oqsprovider.so \
        /usr/local/modsecurity/lib/libmodsecurity.so.3; do \
        strip -s "$artifact"; \
    done
# Build-log sanity check. Lists anything under the nginx and OpenSSL trees that `file`
# still reports as "not stripped"; an empty grep result is not an error. Then reports
# the type of the three ModSecurity artifacts the final stage copies (a missing file
# fails the build here rather than in the COPY).
RUN { find /usr/local/nginx -exec file {} \; | grep "not stripped" || true; } && \
    { find /usr/local/openssl/.openssl -exec file {} \; | grep "not stripped" || true; } && \
    file /usr/local/modsecurity/lib/libmodsecurity.so.3 && \
    file /src/ModSecurity/unicode.mapping && \
    file /src/ModSecurity/modsecurity.conf-recommended
# Runtime stage: only the built artifacts plus their shared-library dependencies.
FROM alpine:3.21.2
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
# /usr/local/lib carries whatever the build stage installed there (liboqs at least;
# the attachment's "make install" destination is not visible here — confirm).
COPY --from=build /usr/local/lib /usr/local/lib
COPY --from=build /usr/local/nginx /usr/local/nginx
COPY --from=build /usr/local/openssl/.openssl /usr/local/openssl/.openssl
COPY --from=build /usr/local/modsecurity/lib/libmodsecurity.so.3 /usr/local/lib/libmodsecurity.so.3
# The ModSecurity config edited in the build stage references this unicode.mapping path.
COPY --from=build /src/ModSecurity/unicode.mapping /usr/local/nginx/conf/conf.d/include/unicode.mapping
COPY --from=build /src/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example
# Runtime libraries matching the -dev packages of the build stage, plus tini and tzdata.
# Unpinned (hadolint DL3018); the base tag is the reproducibility pin.
RUN apk upgrade --no-cache -a && \
    apk add --no-cache \
        ca-certificates \
        geoip \
        libcurl \
        libfuzzy2 \
        libmaxminddb-libs \
        libstdc++ \
        libxml2 \
        libxslt \
        lmdb \
        lua5.1-libs \
        luajit \
        pcre2 \
        tini \
        tzdata \
        yajl \
        zlib && \
    ln -s /usr/local/openssl/.openssl/bin/openssl /usr/local/bin/openssl && \
    ln -s /usr/local/nginx/sbin/nginx /usr/local/bin/nginx
# Point both the openssl CLI and nginx's in-tree OpenSSL at the config that activates
# the default and OQS providers.
ENV OPENSSL_CONF=/usr/local/openssl/.openssl/openssl.cnf
# tini is PID 1 (signal forwarding, zombie reaping); nginx runs in the foreground.
# There is no USER directive, so the nginx master starts as root. Ports 80/81/443 are
# below 1024, so a non-root switch would need CAP_NET_BIND_SERVICE or different listen
# ports, and /usr/local/nginx ownership adjusted; the worker user comes from the nginx
# config, which is not visible here.
ENTRYPOINT ["tini", "--", "nginx"]
CMD ["-g", "daemon off;"]
# Documentation only; 443/udp is for HTTP/3 (QUIC).
EXPOSE 80/tcp 81/tcp 443/tcp 443/udp