Compare commits

..

2 commits

Author SHA1 Message Date
33a62a9f82 defaultear a los parametros actualizados
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
ci/woodpecker/pr/woodpecker Pipeline was successful
así no depende de tener parametros seteados externamente
2023-08-15 18:19:42 +00:00
932627b941 usar nombres calificados
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
ci/woodpecker/pr/woodpecker Pipeline was successful
mejora la seguridad y la compatibilidad
2023-08-15 18:17:30 +00:00
8 changed files with 15 additions and 61 deletions

View file

@ -1,4 +1,4 @@
steps:
pipeline:
publish:
image: "docker.io/woodpeckerci/plugin-docker-buildx"
settings:
@ -11,17 +11,15 @@ steps:
build_args:
- "ALPINE_VERSION=${ALPINE_VERSION}"
- "ACCESS_LOG_VERSION=${ACCESS_LOG_VERSION}"
- "NGINX_VERSION=${NGINX_VERSION}"
- "BASE_IMAGE=gitea.nulo.in/sutty/monit"
- "EXTRA_PACKAGES=${EXTRA_PACKAGES}"
password:
from_secret: "DOCKER_PASSWORD"
secrets:
- "DOCKER_PASSWORD"
when:
branch: "antifascista"
event: "push"
matrix:
include:
- ALPINE_VERSION: "3.20.3"
ACCESS_LOG_VERSION: "0.5.9"
NGINX_VERSION: "1.26.2-r0"
EXTRA_PACKAGES: "nginx-mod-http-modsecurity coreruleset"
ALPINE_VERSION:
- "3.18.3"
- "3.17.5"
ACCESS_LOG_VERSION:
- "0.5.5"

View file

@ -1,17 +1,15 @@
ARG ALPINE_VERSION=3.18.3
ARG BASE_IMAGE=gitea.nulo.in/sutty/monit
FROM ${BASE_IMAGE}:${ALPINE_VERSION}
LABEL org.opencontainers.image.authors="f@sutty.nl"
MAINTAINER "f <f@sutty.nl>"
ARG NGINX_VERSION="1.24.0-r7"
ARG ACCESS_LOGS_FLAGS="--database=sqlite3:///var/log/access_log.sqlite3 -c /usr/share/crawler-user-agents/crawler-user-agents.json"
ARG ACCESS_LOG_VERSION="0.5.6"
ARG EXTRA_PACKAGES
ARG ACCESS_LOG_VERSION="0.5.5"
ENV ACCESS_LOGS_FLAGS=${ACCESS_LOGS_FLAGS}
# Install nginx and remove default config
RUN apk add --no-cache nginx~${NGINX_VERSION} daemonize access_log~${ACCESS_LOG_VERSION} nginx-prometheus-exporter geoip2-database-country geoip2-database-city crawler-user-agents \
RUN apk add --no-cache nginx daemonize access_log~${ACCESS_LOG_VERSION} nginx-prometheus-exporter geoip2-database-country geoip2-database-city crawler-user-agents \
&& rm -rf /etc/nginx
# Add ssl group so nginx has access to certificates
@ -21,14 +19,15 @@ RUN addgroup nginx ssl
COPY ./monit.conf /etc/monit.d/nginx.conf
COPY ./prometheusd.sh /usr/local/bin/prometheusd
COPY ./access_logd.sh /usr/bin/access_logd
COPY --chown=nginx:nginx ./nginx /etc/nginx
COPY ./nginx /etc/nginx
COPY ./access_log.sqlite3 /var/lib/access_log.sqlite3
# Install modules after rewriting /etc/nginx
RUN apk add --no-cache nginx-mod-http-brotli nginx-mod-http-geoip2 ${EXTRA_PACKAGES}
RUN apk add --no-cache nginx-mod-http-brotli nginx-mod-http-geoip2
# Add support for request_uri parsing if access_log >= 0.3.0
RUN mv /etc/nginx/access_logd_`access_log -v`.conf /etc/nginx/access_logd.conf
RUN chown -R nginx:nginx /etc/nginx
RUN nginx -t
RUN chown nginx:nginx /var/lib/access_log.sqlite3
@ -37,7 +36,6 @@ RUN chown nginx:nginx /var/lib/access_log.sqlite3
VOLUME /etc/nginx/sites
VOLUME /etc/letsencrypt
VOLUME /var/lib/letsencrypt
VOLUME /var/log
EXPOSE 80
EXPOSE 443

View file

@ -10,8 +10,6 @@ pid=/run/access_logd.pid
case $1 in
start)
test -f $pid && exit 0
# Copy default database
install -m 640 -o nobody /var/lib/access_log.sqlite3 /var/log/access_log.sqlite3
@ -19,7 +17,7 @@ case $1 in
rm -f /tmp/access_log.socket
# Read from fifo and load into database
daemonize -p $pid -u nginx /usr/local/bin/syslogize /usr/bin/access_log $ACCESS_LOGS_FLAGS
daemonize -p /run/access_logd.pid -u nginx /usr/local/bin/syslogize /usr/bin/access_log $ACCESS_LOGS_FLAGS
;;
stop)
test -f $pid || exit 0

View file

@ -1,3 +0,0 @@
log_format access_logd escape=json '{"host":"$host","msec":$msec,"server_protocol":"$server_protocol","request_method":"$request_method","request_completion":"$request_completion","uri":"$uri","query_string":"$query_string","status":$status,"sent_http_content_type":"$sent_http_content_type","sent_http_content_encoding":"$sent_http_content_encoding","sent_http_etag":"$sent_http_etag","sent_http_last_modified":"$sent_http_last_modified","http_accept":"$http_accept","http_accept_encoding":"$http_accept_encoding","http_accept_language":"$http_accept_language","http_pragma":"$http_pragma","http_cache_control":"$http_cache_control","http_if_none_match":"$http_if_none_match","http_dnt":"$http_dnt","http_user_agent":"$http_user_agent","http_origin":"$http_origin","http_referer":{"origin":"$http_origin","referrer":"$http_referer","policy":"origin-when-cross-origin"},"request_time":$request_time,"bytes_sent":$bytes_sent,"body_bytes_sent":$body_bytes_sent,"request_length":$request_length,"http_connection":"$http_connection","pipe":"$pipe","connection_requests":$connection_requests,"geoip2_data_country_name":"$geoip2_data_country_name","geoip2_data_country_iso_code":"$geoip2_data_country_iso_code","geoip2_data_city_name":"$geoip2_data_city_name","ssl_server_name":"$ssl_server_name","ssl_protocol":"$ssl_protocol","ssl_early_data":"$ssl_early_data","ssl_session_reused":"$ssl_session_reused","ssl_curves":"$ssl_curves","ssl_ciphers":"$ssl_ciphers","ssl_cipher":"$ssl_cipher","sent_http_x_xss_protection":"$sent_http_x_xss_protection","sent_http_x_frame_options":"$sent_http_x_frame_options","sent_http_x_content_type_options":"$sent_http_x_content_type_options","sent_http_strict_transport_security":"$sent_http_strict_transport_security","nginx_version":"$nginx_version","pid":"$pid","remote_user":"$remote_user","request_uri":"$request_uri"}';
access_log syslog:server=unix:/tmp/access_log.socket,nohostname access_logd;

View file

@ -1,3 +0,0 @@
log_format access_logd escape=json '{"host":"$host","msec":$msec,"server_protocol":"$server_protocol","request_method":"$request_method","request_completion":"$request_completion","uri":"$uri","query_string":"$query_string","status":$status,"sent_http_content_type":"$sent_http_content_type","sent_http_content_encoding":"$sent_http_content_encoding","sent_http_etag":"$sent_http_etag","sent_http_last_modified":"$sent_http_last_modified","http_accept":"$http_accept","http_accept_encoding":"$http_accept_encoding","http_accept_language":"$http_accept_language","http_pragma":"$http_pragma","http_cache_control":"$http_cache_control","http_if_none_match":"$http_if_none_match","http_dnt":"$http_dnt","http_user_agent":"$http_user_agent","http_origin":"$http_origin","http_referer":{"origin":"$http_origin","referrer":"$http_referer","policy":"origin-when-cross-origin"},"request_time":$request_time,"bytes_sent":$bytes_sent,"body_bytes_sent":$body_bytes_sent,"request_length":$request_length,"http_connection":"$http_connection","pipe":"$pipe","connection_requests":$connection_requests,"geoip2_data_country_name":"$geoip2_data_country_name","geoip2_data_country_iso_code":"$geoip2_data_country_iso_code","geoip2_data_city_name":"$geoip2_data_city_name","ssl_server_name":"$ssl_server_name","ssl_protocol":"$ssl_protocol","ssl_early_data":"$ssl_early_data","ssl_session_reused":"$ssl_session_reused","ssl_curves":"$ssl_curves","ssl_ciphers":"$ssl_ciphers","ssl_cipher":"$ssl_cipher","sent_http_x_xss_protection":"$sent_http_x_xss_protection","sent_http_x_frame_options":"$sent_http_x_frame_options","sent_http_x_content_type_options":"$sent_http_x_content_type_options","sent_http_strict_transport_security":"$sent_http_strict_transport_security","nginx_version":"$nginx_version","pid":"$pid","remote_user":"$remote_user","request_uri":"$request_uri"}';
access_log syslog:server=unix:/tmp/access_log.socket,nohostname access_logd;

View file

@ -1,3 +0,0 @@
log_format access_logd escape=json '{"host":"$host","msec":$msec,"server_protocol":"$server_protocol","request_method":"$request_method","request_completion":"$request_completion","uri":"$uri","query_string":"$query_string","status":$status,"sent_http_content_type":"$sent_http_content_type","sent_http_content_encoding":"$sent_http_content_encoding","sent_http_etag":"$sent_http_etag","sent_http_last_modified":"$sent_http_last_modified","http_accept":"$http_accept","http_accept_encoding":"$http_accept_encoding","http_accept_language":"$http_accept_language","http_pragma":"$http_pragma","http_cache_control":"$http_cache_control","http_if_none_match":"$http_if_none_match","http_dnt":"$http_dnt","http_user_agent":"$http_user_agent","http_origin":"$http_origin","http_referer":{"origin":"$http_origin","referrer":"$http_referer","policy":"origin-when-cross-origin"},"request_time":$request_time,"bytes_sent":$bytes_sent,"body_bytes_sent":$body_bytes_sent,"request_length":$request_length,"http_connection":"$http_connection","pipe":"$pipe","connection_requests":$connection_requests,"geoip2_data_country_name":"$geoip2_data_country_name","geoip2_data_country_iso_code":"$geoip2_data_country_iso_code","geoip2_data_city_name":"$geoip2_data_city_name","ssl_server_name":"$ssl_server_name","ssl_protocol":"$ssl_protocol","ssl_early_data":"$ssl_early_data","ssl_session_reused":"$ssl_session_reused","ssl_curves":"$ssl_curves","ssl_ciphers":"$ssl_ciphers","ssl_cipher":"$ssl_cipher","sent_http_x_xss_protection":"$sent_http_x_xss_protection","sent_http_x_frame_options":"$sent_http_x_frame_options","sent_http_x_content_type_options":"$sent_http_x_content_type_options","sent_http_strict_transport_security":"$sent_http_strict_transport_security","nginx_version":"$nginx_version","pid":"$pid","remote_user":"$remote_user","request_uri":"$request_uri"}';
access_log syslog:server=unix:/tmp/access_log.socket,nohostname access_logd;

View file

@ -39,7 +39,6 @@ http {
geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
$geoip2_data_country_name country names en;
$geoip2_data_country_iso_code country iso_code;
$geoip2_data_continent_code country continent_code;
}
geoip2 /usr/share/GeoIP/GeoLite2-City.mmdb {

View file

@ -1,30 +0,0 @@
modsecurity on;
modsecurity_rules 'SecRuleEngine On';
modsecurity_rules 'SecAuditLogFormat JSON';
modsecurity_rules_file /etc/modsecurity/modsecurity.conf;
modsecurity_rules_file /etc/crs4/crs-setup.conf;
modsecurity_rules_file /etc/crs4/rules/REQUEST-901-INITIALIZATION.conf;
modsecurity_rules_file /etc/crs4/rules/REQUEST-905-COMMON-EXCEPTIONS.conf;
modsecurity_rules_file /etc/crs4/rules/REQUEST-911-METHOD-ENFORCEMENT.conf;
modsecurity_rules_file /etc/crs4/rules/REQUEST-913-SCANNER-DETECTION.conf;
modsecurity_rules_file /etc/crs4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf;
modsecurity_rules_file /etc/crs4/rules/REQUEST-921-PROTOCOL-ATTACK.conf;
modsecurity_rules_file /etc/crs4/rules/REQUEST-922-MULTIPART-ATTACK.conf;
modsecurity_rules_file /etc/crs4/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf;
modsecurity_rules_file /etc/crs4/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf;
modsecurity_rules_file /etc/crs4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf;
modsecurity_rules_file /etc/crs4/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf;
modsecurity_rules_file /etc/crs4/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf;
modsecurity_rules_file /etc/crs4/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf;
modsecurity_rules_file /etc/crs4/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf;
modsecurity_rules_file /etc/crs4/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf;
modsecurity_rules_file /etc/crs4/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf;
modsecurity_rules_file /etc/crs4/rules/REQUEST-949-BLOCKING-EVALUATION.conf;
modsecurity_rules_file /etc/crs4/rules/RESPONSE-950-DATA-LEAKAGES.conf;
modsecurity_rules_file /etc/crs4/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf;
modsecurity_rules_file /etc/crs4/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf;
modsecurity_rules_file /etc/crs4/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf;
modsecurity_rules_file /etc/crs4/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf;
modsecurity_rules_file /etc/crs4/rules/RESPONSE-955-WEB-SHELLS.conf;
modsecurity_rules_file /etc/crs4/rules/RESPONSE-959-BLOCKING-EVALUATION.conf;
modsecurity_rules_file /etc/crs4/rules/RESPONSE-980-CORRELATION.conf;