feat: modsecurity

.woodpecker.yml

@@ -13,6 +13,7 @@ steps:
       - "ACCESS_LOG_VERSION=${ACCESS_LOG_VERSION}"
       - "NGINX_VERSION=${NGINX_VERSION}"
       - "BASE_IMAGE=gitea.nulo.in/sutty/monit"
+      - "EXTRA_PACKAGES="
       password:
         from_secret: "DOCKER_PASSWORD"
     when:
@@ -23,6 +24,7 @@ matrix:
   - ALPINE_VERSION: "3.20.3"
     ACCESS_LOG_VERSION: "0.5.8"
     NGINX_VERSION: "1.26.2-r0"
+    EXTRA_PACKAGES: "nginx-mod-http-modsecurity coreruleset"
   - ALPINE_VERSION: "3.19.4"
     ACCESS_LOG_VERSION: "0.5.8"
     NGINX_VERSION: "1.24.0-r16"

Dockerfile

@@ -6,6 +6,7 @@ LABEL org.opencontainers.image.authors="f@sutty.nl"
 ARG NGINX_VERSION="1.24.0-r7"
 ARG ACCESS_LOGS_FLAGS="--database=sqlite3:///var/log/access_log.sqlite3 -c /usr/share/crawler-user-agents/crawler-user-agents.json"
 ARG ACCESS_LOG_VERSION="0.5.6"
+ARG EXTRA_PACKAGES
 
 ENV ACCESS_LOGS_FLAGS=${ACCESS_LOGS_FLAGS}
 
@@ -24,7 +25,7 @@ COPY --chown=nginx:nginx ./nginx /etc/nginx
 COPY ./access_log.sqlite3 /var/lib/access_log.sqlite3
 
 # Install modules after rewriting /etc/nginx
-RUN apk add --no-cache nginx-mod-http-brotli nginx-mod-http-geoip2 nginx-mod-http-naxsi
+RUN apk add --no-cache nginx-mod-http-brotli nginx-mod-http-geoip2 ${EXTRA_PACKAGES}
 
 # Add support for request_uri parsing if access_log >= 0.3.0
 RUN mv /etc/nginx/access_logd_`access_log -v`.conf /etc/nginx/access_logd.conf