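# syntax=docker/dockerfile:1
# Multi-stage build for nginx with ModSecurity using Ubuntu 24.04
#
# Stage 1 (builder) compiles libmodsecurity and the ModSecurity-nginx dynamic
# module against the nginx source package that Ubuntu ships, so the resulting
# module can be loaded by the distro nginx binary used in the production stage.
FROM ubuntu:24.04 AS builder

# Set versions (override with --build-arg). CRS is only fetched in the
# production stage, so it is not declared here.
ARG MODSECURITY_VERSION=3.0.14
ARG CONNECTOR_VERSION=1.0.4
# Optional SHA-256 digests of the two release tarballs. Empty (the default)
# skips the check; set them to the digests published with the upstream release
# to pin the downloads instead of trusting the download path alone.
ARG MODSECURITY_SHA256=""
ARG CONNECTOR_SHA256=""

# Install build dependencies and nginx (sorted alphabetically for diffability).
# nginx itself is installed in the builder presumably so it is at the same
# version as the source fetched below — TODO confirm this is actually needed.
RUN apt-get update && apt-get install -y \
    automake \
    build-essential \
    curl \
    dpkg-dev \
    git \
    libcurl4-openssl-dev \
    libfuzzy-dev \
    libgeoip-dev \
    liblmdb-dev \
    liblua5.3-dev \
    libmaxminddb-dev \
    libpcre2-dev \
    libpcre3-dev \
    libssl-dev \
    libtool \
    libxml2-dev \
    libyajl-dev \
    nginx \
    pkg-config \
    software-properties-common \
    zlib1g-dev

# All sources are unpacked under /tmp; the production stage copies build
# outputs from these exact paths (/tmp/nginx-*/objs, /tmp/modsecurity-v*).
WORKDIR /tmp

# Enable source repositories and fetch the nginx source package, so the module
# is built from the same source the distro binary is built from.
RUN echo "deb-src http://archive.ubuntu.com/ubuntu/ noble main restricted universe multiverse" >> /etc/apt/sources.list && \
    echo "deb-src http://archive.ubuntu.com/ubuntu/ noble-updates main restricted universe multiverse" >> /etc/apt/sources.list && \
    echo "deb-src http://security.ubuntu.com/ubuntu/ noble-security main restricted universe multiverse" >> /etc/apt/sources.list && \
    apt-get update && \
    apt-get source nginx

# Build and install libmodsecurity from the pinned release tarball.
# -f makes curl fail on an HTTP error instead of saving the error page as the
# tarball (previously that only surfaced later as a tar failure); the digest
# check runs only when MODSECURITY_SHA256 is supplied.
RUN curl -fsSL --retry 3 -o modsecurity-v${MODSECURITY_VERSION}.tar.gz \
        https://github.com/owasp-modsecurity/ModSecurity/releases/download/v${MODSECURITY_VERSION}/modsecurity-v${MODSECURITY_VERSION}.tar.gz && \
    if [ -n "${MODSECURITY_SHA256}" ]; then \
        echo "${MODSECURITY_SHA256}  modsecurity-v${MODSECURITY_VERSION}.tar.gz" | sha256sum -c -; \
    fi && \
    tar -xzf modsecurity-v${MODSECURITY_VERSION}.tar.gz && \
    cd modsecurity-v${MODSECURITY_VERSION} && \
    ./configure && \
    make -j"$(nproc)" && \
    make install && \
    ldconfig

# Download the ModSecurity-nginx connector (same download/verification rules).
RUN curl -fsSL --retry 3 -o ModSecurity-nginx-v${CONNECTOR_VERSION}.tar.gz \
        https://github.com/owasp-modsecurity/ModSecurity-nginx/releases/download/v${CONNECTOR_VERSION}/ModSecurity-nginx-v${CONNECTOR_VERSION}.tar.gz && \
    if [ -n "${CONNECTOR_SHA256}" ]; then \
        echo "${CONNECTOR_SHA256}  ModSecurity-nginx-v${CONNECTOR_VERSION}.tar.gz" | sha256sum -c -; \
    fi && \
    tar -xzf ModSecurity-nginx-v${CONNECTOR_VERSION}.tar.gz

# Build the dynamic module against the apt nginx source. The source directory
# is named after the packaged version (nginx-<version>), hence the glob; the
# cd is kept inside this RUN so WORKDIR stays /tmp for the production stage's
# COPY --from paths. --with-compat builds the module so it can be loaded by a
# binary configured with different flags.
RUN cd nginx-* && \
    ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx-v${CONNECTOR_VERSION} && \
    make modules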
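# Production stage: distro nginx plus the module, library and rule set.
FROM ubuntu:24.04 AS runtime

# Set versions for production stage. MODSECURITY_VERSION must match the
# builder stage, because the COPY --from paths below are derived from it.
ARG MODSECURITY_VERSION=3.0.14
ARG CRS_VERSION=4.17.1
# Optional SHA-256 digest of the CRS release tarball; empty skips the check.
ARG CRS_SHA256=""

# Install nginx and runtime dependencies (sorted alphabetically). The apt
# lists are removed in the same layer so they do not persist in the image.
# curl stays in the image because the HEALTHCHECK below uses it.
RUN apt-get update && apt-get install -y \
    curl \
    file \
    libcurl4 \
    libfuzzy2 \
    libgeoip1 \
    liblmdb0 \
    liblua5.3-0 \
    libmaxminddb0 \
    libpcre3 \
    libxml2 \
    libyajl2 \
    nginx \
    vim-common \
    zlib1g \
    && rm -rf /var/lib/apt/lists/*

# Copy ModSecurity build outputs from the builder stage
COPY --from=builder /usr/local/modsecurity /usr/local/modsecurity
COPY --from=builder /usr/local/lib/libmodsecurity* /usr/local/lib/
COPY --from=builder /tmp/nginx-*/objs/ngx_http_modsecurity_module.so /usr/lib/nginx/modules/
COPY --from=builder /tmp/modsecurity-v${MODSECURITY_VERSION}/unicode.mapping /etc/modsecurity/unicode.mapping
# Base ModSecurity configuration: taken from the same pinned release tarball
# the library was built from, instead of fetching it from an unpinned git
# branch at build time (reproducible, and one less network dependency).
COPY --from=builder /tmp/modsecurity-v${MODSECURITY_VERSION}/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

# Update library cache so nginx finds libmodsecurity in /usr/local/lib
RUN ldconfig

# Create the directories ModSecurity writes to and hand them to www-data.
# 2775 (setgid) keeps files created later group-owned by www-data.
RUN mkdir -p /var/log/modsecurity /var/cache/modsecurity /tmp/modsecurity && \
    chown -R www-data:www-data /var/log/modsecurity /var/cache/modsecurity /tmp/modsecurity && \
    chmod 2775 /var/log/modsecurity /var/cache/modsecurity /tmp/modsecurity

# Download OWASP Core Rule Set (pinned release; digest checked only when
# CRS_SHA256 is supplied). The cd is kept inside the RUN so the image's
# working directory is unchanged.
RUN cd /opt && \
    curl -fsSL --retry 3 -o crs.tar.gz https://github.com/coreruleset/coreruleset/archive/v${CRS_VERSION}.tar.gz && \
    if [ -n "${CRS_SHA256}" ]; then \
        echo "${CRS_SHA256}  crs.tar.gz" | sha256sum -c -; \
    fi && \
    tar -xzf crs.tar.gz && \
    mv coreruleset-${CRS_VERSION} owasp-modsecurity-crs && \
    rm crs.tar.gz && \
    cd owasp-modsecurity-crs && \
    cp crs-setup.conf.example crs-setup.conf

# Download GeoLite2 Country database.
# NOTE(review): this is a third-party redistribution of MaxMind's database,
# fetched unpinned, so its content changes between builds and cannot be
# checksummed here. Treat geo lookups as advisory, and consider fetching from
# MaxMind directly with a license key supplied via a BuildKit secret mount.
# -f makes curl fail on an HTTP error rather than saving an error page as the
# .mmdb file.
RUN mkdir -p /usr/share/GeoIP && \
    curl -fsSL --retry 3 -o /usr/share/GeoIP/GeoLite2-Country.mmdb \
        https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb

# Copy nginx and ModSecurity configurations (after the downloads, so editing
# these files does not invalidate the download layers)
COPY nginx/nginx.conf /etc/nginx/nginx.conf
COPY nginx/modsecurity.conf /etc/nginx/modsecurity.conf
COPY nginx/crs-setup.conf /etc/nginx/crs-setup.conf
COPY nginx/custom-rules.conf /etc/nginx/custom-rules.conf

# Entrypoint script; --chmod sets the mode at copy time instead of adding a
# second layer that rewrites the file.
COPY --chmod=755 entrypoint-modsecurity.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]

# No USER directive: the nginx master process runs as root (port 80 is a
# privileged port). Dropping worker privileges relies on the `user` directive
# in nginx/nginx.conf — verify it is set to www-data, matching the directory
# ownership above.
# Health check: assumes nginx/nginx.conf serves /health — confirm.
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD curl -f http://localhost/health || exit 1

EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]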