diff --git a/README-containers.md b/README-containers.md index 99b4d62..b769198 100644 --- a/README-containers.md +++ b/README-containers.md @@ -82,11 +82,11 @@ These variables are common to image variants and will set defaults based on the | METRICS_ALLOW_FROM | A single range of IP adresses that can access the metrics | `127.0.0.0/255.0.0.0 ::1/128` | `127.0.0.0/24` | | METRICS_DENY_FROM | A range of IP adresses that cannot access the metrics | `All` | `all` | | METRICSLOG | Location of metrics log file | `/dev/null` | - | -| PROXY_SSL | SSL Proxy Engine Operation Switch | `off` | - | | PROXY_SSL_CERT | A string indicating the path to the PEM-encoded X.509 certificate data file or token identifier of the proxied server | `/usr/local/apache2/conf/proxy.crt` | `/etc/nginx/conf/proxy.crt` / `/usr/local/openresty/nginx/conf/proxy.crt` | | PROXY_SSL_CERT_KEY | A string indicating the path to the PEM-encoded private key file of the proxied server | `/usr/local/apache2/conf/proxy.key` | `/etc/nginx/conf/proxy.key` / `/usr/local/openresty/nginx/conf/proxy.key` | | PROXY_SSL_CIPHERS| A string indicating the cipher suite to connect to the backend via TLS | `"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"` | - | | PROXY_SSL_PROTOCOLS | TLS protocols to enable for the connection to the backend | `"all -SSLv3 -TLSv1 -TLSv1.1"` | `TTLSv1.2 TLSv1.3` | +| PROXY_SSL | SSL Proxy Engine Operation Switch | `off` | - | | PROXY_SSL_VERIFY | A string value indicating the type of proxy server Certificate verification | `none` | `off` | | PROXY_TIMEOUT | Number of seconds for proxied requests to time out | `60` | `60s` | | SERVER_NAME | The server name | `localhost` | - | 
@@ -101,8 +101,8 @@ These variables are common to image variants and will set defaults based on the | Name | Description| | -------- | ------------------------------------------------------------------- | | APACHE_ALWAYS_TLS_REDIRECT | A string value indicating if http should redirect to https (Allowed values: `on`, `off`. Default: `off`) | -| APACHE_LOGFORMAT | A string value indicating the LogFormat that apache should use. (Default: `'"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""'` (combined). Tip: use single quotes outside your double quoted format string.) ⚠️ Do not add a `|` as part of the log format. It is used internally. | | APACHE_ERRORLOG_FORMAT | A string value indicating the `ErrorLogFormat` that Apache should use. (Default: `'"[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"'` | +| APACHE_LOGFORMAT | A string value indicating the LogFormat that apache should use. (Default: `'"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""'` (combined). Tip: use single quotes outside your double quoted format string.) ⚠️ Do not add a `|` as part of the log format. It is used internally. | | APACHE_METRICS_LOGFORMAT | A string value indicating the LogFormat that the additional log apache metrics should use. (Default:'"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""' (combined). Tip: use single quotes outside your double quoted format string.) ⚠️ Do not add a `|` as part of the log format. It is used internally. | | BACKEND_WS | A string indicating the IP/URL of the WebSocket service (Default: `ws://localhost:8080`) | | H2_PROTOCOLS | A string value indicating the protocols supported by the HTTP2 module (Default: `h2 http/1.1`) | 
@@ -135,12 +135,12 @@ These variables are common to image variants and will set defaults based on the | KEEPALIVE_TIMEOUT | Number of seconds for a keep-alive client connection to stay open on the server side (Default: `60s`) | | NGINX_ALWAYS_TLS_REDIRECT | A string value indicating if http should redirect to https (Allowed values: `on`, `off`. Default: `off`) | | PORT | An int value indicating the port where the webserver is listening to | `8080` | We run as unprivileged user. | -| SET_REAL_IP_FROM | A string of comma separated IP, CIDR, or UNIX domain socket addresses that are trusted to replace addresses in `REAL_IP_HEADER` (Default: `127.0.0.1`). See [set_real_ip_from](http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from) | +| PROXY_SSL_VERIFY_DEPTH | An integer value indicating the verification depth for the client certificate chain (Default: `1`) | | REAL_IP_HEADER | Name of the header containing the real IP value(s) (Default: `X-REAL-IP`). See [real_ip_header](http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header) | | REAL_IP_PROXY_HEADER | Name of the header containing `$remote_addr` to be passed to proxy (Default: `X-REAL-IP`). See [proxy_set_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header) | | REAL_IP_RECURSIVE | A string value indicating whether to use recursive reaplacement on addresses in `REAL_IP_HEADER` (Allowed values: `on`, `off`. Default: `on`). See [real_ip_recursive](http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive) | -| PROXY_SSL_VERIFY_DEPTH | An integer value indicating the verification depth for the client certificate chain (Default: `1`) | | SERVER_TOKENS | A boolean value for enabling / disabling emission of server identifying information in the `Server` HTTP response header and on error pages. (Allowed values: `on`, `off`, `build`. Default: `off`). 
| +| SET_REAL_IP_FROM | A string of comma separated IP, CIDR, or UNIX domain socket addresses that are trusted to replace addresses in `REAL_IP_HEADER` (Default: `127.0.0.1`). See [set_real_ip_from](http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from) | | SSL_DH_BITS | A numeric value indicating the size (in bits) to use for the generated DH-params file (Default 2048) | | SSL_PORT | Port number where the SSL enabled webserver is listening | `8443` | We run as unprivileged user. | | SSL_PREFER_CIPHERS | A string value indicating if the server ciphers should be preferred over client ciphers when using the SSLv3 and TLS protocols (Allowed values: `on`, `off`. Default: `off`)| 
@@ -161,23 +161,25 @@ All these variables impact in configuration directives in the modsecurity engine | MODSEC_AUDIT_ENGINE | A string used to configure the audit engine, which logs complete transactions (Default: `RelevantOnly`). Accepted values: `On`, `Off`, `RelevantOnly`. See [SecAuditEngine](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#SecAuditEngine) for additional information. | | MODSEC_AUDIT_LOG | A string indicating the path to the main audit log file or the concurrent logging index file (Default: `/dev/stdout`) | | MODSEC_AUDIT_LOG_FORMAT | A string indicating the output format of the AuditLogs (Default: `JSON`). Accepted values: `JSON`, `Native`. See [SecAuditLogFormat](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#SecAuditLogFormat) for additional information. | -| MODSEC_AUDIT_LOG_TYPE | A string indicating the type of audit logging mechanism to be used (Default: `Serial`). Accepted values: `Serial`, `Concurrent` (`HTTPS` works only on Nginx - v3). See [SecAuditLogType](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secauditlogtype) for additional information. | | MODSEC_AUDIT_LOG_PARTS | A string that defines which parts of each transaction are going to be recorded in the audit log (Default: `'ABIJDEFHZ'`). See [SecAuditLogParts](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts) for the accepted values. | +| MODSEC_AUDIT_LOG_TYPE | A string indicating the type of audit logging mechanism to be used (Default: `Serial`). Accepted values: `Serial`, `Concurrent` (`HTTPS` works only on Nginx - v3). See [SecAuditLogType](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secauditlogtype) for additional information. 
| | MODSEC_AUDIT_STORAGE | A string indicating the directory where concurrent audit log entries are to be stored (Default: `/var/log/modsecurity/audit/`) | | MODSEC_DATA_DIR | A string indicating the path where persistent data (e.g., IP address data, session data, and so on) is to be stored (Default: `/tmp/modsecurity/data`) | | MODSEC_DEBUG_LOG | A string indicating the path to the ModSecurity debug log file (Default: `/dev/null`) | | MODSEC_DEBUG_LOGLEVEL | An integer indicating the verboseness of the debug log data (Default: `0`). Accepted values: `0` - `9`. See [SecDebugLogLevel](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secdebugloglevel). | +| MODSEC_DEFAULT_PHASE1_ACTION | ModSecurity string with the contents for the default action in phase 1 (Default: `'phase:1,log,auditlog,pass,tag:\'\${MODSEC_TAG}\''`) | +| MODSEC_DEFAULT_PHASE2_ACTION | ModSecurity string with the contents for the default action in phase 2 (Default: `'phase:2,log,auditlog,pass,tag:\'\${MODSEC_TAG}\''`) | | MODSEC_DISABLE_BACKEND_COMPRESSION | A string indicating whether or not to disable backend compression (Default: `On`). Allowed values: `On`, `Off`. See [SecDisableBackendCompression](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secdisablebackendcompression) for more. Only supported in ModSecurity 2.x, will have not effect on 3.x | | MODSEC_PCRE_MATCH_LIMIT | An integer value indicating the limit for the number of internal executions in the PCRE function (Default: `100000`) (Only valid for Apache - v2). See [SecPcreMatchLimit](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#SecPcreMatchLimit) | | MODSEC_PCRE_MATCH_LIMIT_RECURSION | An integer value indicating the limit for the depth of recursion when calling PCRE function (Default: `100000`) | | MODSEC_REQ_BODY_ACCESS | A string value allowing ModSecurity to access request bodies (Default: `On`). Allowed values: `On`, `Off`. 
See [SecRequestBodyAccess](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secrequestbodyaccess) for more information. | -| MODSEC_REQ_BODY_LIMIT | An integer value indicating the maximum request body size accepted for buffering (Default: `13107200`). See [SecRequestBodyLimit](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secrequestbodylimit) for additional information. | -| MODSEC_REQ_BODY_LIMIT_ACTION | A string value for the action when `SecRequestBodyLimit` is reached (Default: `Reject`). Accepted values: `Reject`, `ProcessPartial`. See [SecRequestBodyLimitAction](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secrequestbodylimitaction) for additional information. | | MODSEC_REQ_BODY_JSON_DEPTH_LIMIT | An integer value indicating the maximun JSON request depth (Default: `512`). See [SecRequestBodyJsonDepthLimit](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#SecRequestBodyJsonDepthLimit) for additional information. | +| MODSEC_REQ_BODY_LIMIT_ACTION | A string value for the action when `SecRequestBodyLimit` is reached (Default: `Reject`). Accepted values: `Reject`, `ProcessPartial`. See [SecRequestBodyLimitAction](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secrequestbodylimitaction) for additional information. | +| MODSEC_REQ_BODY_LIMIT | An integer value indicating the maximum request body size accepted for buffering (Default: `13107200`). See [SecRequestBodyLimit](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secrequestbodylimit) for additional information. | | MODSEC_REQ_BODY_NOFILES_LIMIT | An integer indicating the maximum request body size ModSecurity will accept for buffering (Default: `131072`). See [SecRequestBodyNoFilesLimit](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secrequestbodynofileslimit) for more information. 
| | MODSEC_RESP_BODY_ACCESS | A string value allowing ModSecurity to access response bodies (Default: `On`). Allowed values: `On`, `Off`. See [SecResponseBodyAccess](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secresponsebodyaccess) for more information. | -| MODSEC_RESP_BODY_LIMIT | An integer value indicating the maximum response body size accepted for buffering (Default: `1048576`) | | MODSEC_RESP_BODY_LIMIT_ACTION | A string value for the action when `SecResponseBodyLimit` is reached (Default: `ProcessPartial`). Accepted values: `Reject`, `ProcessPartial`. See [SecResponseBodyLimitAction](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secresponsebodylimitaction) for additional information. | +| MODSEC_RESP_BODY_LIMIT | An integer value indicating the maximum response body size accepted for buffering (Default: `1048576`) | | MODSEC_RESP_BODY_MIMETYPE | A string with the list of mime types that will be analyzed in the response (Default: `'text/plain text/html text/xml'`). You might consider adding `application/json` documented [here](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-\(v2.x\)#secresponsebodymimetype). | | MODSEC_RULE_ENGINE | A string value enabling ModSecurity itself (Default: `On`). Accepted values: `On`, `Off`, `DetectionOnly`. See [SecRuleEngine](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secruleengine) for additional information. | | MODSEC_SERVER_SIGNATURE | Sets the directive [SecServerSignature](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secserversignature) and instructs ModSecurity to change the data presented in the "Server:" response header token when Apache `ServerTokens` directive is set to `Full`. Also see Apache `SERVER_TOKENS`. Only supported in ModSecurity 2.x, will have not effect on 3.x. (Default: `Apache`). | 
@@ -186,34 +188,32 @@ All these variables impact in configuration directives in the modsecurity engine | MODSEC_TMP_DIR | A string indicating the path where temporary files will be created (Default: `/tmp/modsecurity/tmp`) | | MODSEC_TMP_SAVE_UPLOADED_FILES | A string indicating if temporary uploaded files are saved (Default: `On`) (only relevant in Apache - ModSecurity v2) | | MODSEC_UPLOAD_DIR | A string indicating the path where intercepted files will be stored (Default: `/tmp/modsecurity/upload`) | -| MODSEC_DEFAULT_PHASE1_ACTION | ModSecurity string with the contents for the default action in phase 1 (Default: `'phase:1,log,auditlog,pass,tag:\'\${MODSEC_TAG}\''`) | -| MODSEC_DEFAULT_PHASE2_ACTION | ModSecurity string with the contents for the default action in phase 2 (Default: `'phase:2,log,auditlog,pass,tag:\'\${MODSEC_TAG}\''`) | ### CRS specific | Name | Description| | -------- | ------------------------------------------------------------------- | -| MANUAL_MODE | A boolean indicating that you are providing your own `crs-setup.conf` file mounted as volume. (Default: `0`). ⚠️ None of the following variables are used if you set it to `1`. | -| CRS_DISABLE_PLUGINS | A boolean indicating whether plugins will be **disabled** (Only from v4 and up. 
Default: `0`) | -| PARANOIA | An integer indicating the paranoia level (Default: `1`) | -| BLOCKING_PARANOIA | (:new: Replaces `PARANOIA` in CRSv4) An integer indicating the paranoia level (Default: `1`) | -| EXECUTING_PARANOIA | An integer indicating the executing_paranoia_level (Default: `PARANOIA`) | -| DETECTION_PARANOIA | (:new: Replaces `EXECUTING_PARANOIA` in CRSv4) An integer indicating the detection_paranoia_level (Default: `BLOCKING_PARANOIA`) | -| ENFORCE_BODYPROC_URLENCODED | A boolean indicating the enforce_bodyproc_urlencoded (Default: `0`) | -| VALIDATE_UTF8_ENCODING | A boolean indicating the crs_validate_utf8_encoding (Default: `0`) | -| ANOMALY_INBOUND | An integer indicating the inbound_anomaly_score_threshold (Default: `5`) | -| ANOMALY_OUTBOUND | An integer indicating the outbound_anomaly_score_threshold (Default: `4`) | +| ALLOWED_HTTP_VERSIONS | A string indicating the allowed_http_versions (Default: `HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0`) | | ALLOWED_METHODS | A string indicating the allowed_methods (Default: `GET HEAD POST OPTIONS`) | | ALLOWED_REQUEST_CONTENT_TYPE | A string indicating the allowed_request_content_type (Default: `\|application/x-www-form-urlencoded\| \|multipart/form-data\| \|multipart/related\| \|text/xml\| \|application/xml\| \|application/soap+xml\| \|application/json\| \|application/cloudevents+json\| \|application/cloudevents-batch+json\|`) | | ALLOWED_REQUEST_CONTENT_TYPE_CHARSET | A string indicating the allowed_request_content_type_charset (Default: `utf-8\|iso-8859-1\|iso-8859-15\|windows-1252`) | -| ALLOWED_HTTP_VERSIONS | A string indicating the allowed_http_versions (Default: `HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0`) | +| ANOMALY_INBOUND | An integer indicating the inbound_anomaly_score_threshold (Default: `5`) | +| ANOMALY_OUTBOUND | An integer indicating the outbound_anomaly_score_threshold (Default: `4`) | +| ARG_LENGTH | An integer indicating the arg_length (Default: `unlimited`) | +| ARG_NAME_LENGTH | An integer 
indicating the arg_name_length (Default: `unlimited`) | +| BLOCKING_PARANOIA | (:new: Replaces `PARANOIA` in CRSv4) An integer indicating the paranoia level (Default: `1`) | +| COMBINED_FILE_SIZES | An integer indicating the combined_file_sizes (Default: `unlimited`) | +| CRS_DISABLE_PLUGINS | A boolean indicating whether plugins will be **disabled** (Only from v4 and up. Default: `0`) | +| CRS_ENABLE_TEST_MARKER | A boolean indicating whether to write test markers to the log file (Used for running the CRS test suite. Default: `0`) | +| DETECTION_PARANOIA | (:new: Replaces `EXECUTING_PARANOIA` in CRSv4) An integer indicating the detection_paranoia_level (Default: `BLOCKING_PARANOIA`) | +| ENFORCE_BODYPROC_URLENCODED | A boolean indicating the enforce_bodyproc_urlencoded (Default: `0`) | +| EXECUTING_PARANOIA | An integer indicating the executing_paranoia_level (Default: `PARANOIA`) | +| MANUAL_MODE | A boolean indicating that you are providing your own `crs-setup.conf` file mounted as volume. (Default: `0`). ⚠️ None of the following variables are used if you set it to `1`. 
| +| MAX_FILE_SIZE | An integer indicating the max_file_size (Default: `unlimited`) | +| MAX_NUM_ARGS | An integer indicating the max_num_args (Default: `unlimited`) | +| PARANOIA | An integer indicating the paranoia level (Default: `1`) | | RESTRICTED_EXTENSIONS | A string indicating the restricted_extensions (Default: `.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/`) | | RESTRICTED_HEADERS | A string indicating the restricted_headers (Default: `/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/`) | | STATIC_EXTENSIONS | A string indicating the static_extensions (Default: `/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/`) | -| MAX_NUM_ARGS | An integer indicating the max_num_args (Default: `unlimited`) | -| ARG_NAME_LENGTH | An integer indicating the arg_name_length (Default: `unlimited`) | -| ARG_LENGTH | An integer indicating the arg_length (Default: `unlimited`) | | TOTAL_ARG_LENGTH | An integer indicating the total_arg_length (Default: `unlimited`) | -| MAX_FILE_SIZE | An integer indicating the max_file_size (Default: `unlimited`) | -| COMBINED_FILE_SIZES | An integer indicating the combined_file_sizes (Default: `unlimited`) | -| CRS_ENABLE_TEST_MARKER | A boolean indicating whether to write test markers to the log file (Used for running the CRS test suite. Default: `0`) | +| VALIDATE_UTF8_ENCODING | A boolean indicating the crs_validate_utf8_encoding (Default: `0`) | diff --git a/README.md b/README.md index 9c0ba4c..a7e1dbd 100644 --- a/README.md +++ b/README.md 
@@ -159,11 +159,11 @@ These variables are common to image variants and will set defaults based on the | METRICS_ALLOW_FROM | A single range of IP adresses that can access the metrics | `127.0.0.0/255.0.0.0 ::1/128` | `127.0.0.0/24` | | METRICS_DENY_FROM | A range of IP adresses that cannot access the metrics | `All` | `all` | | METRICSLOG | Location of metrics log file | `/dev/null` | - | -| PROXY_SSL | SSL Proxy Engine Operation Switch | `off` | - | | PROXY_SSL_CERT | A string indicating the path to the PEM-encoded X.509 certificate data file or token identifier of the proxied server | `/usr/local/apache2/conf/proxy.crt` | `/etc/nginx/conf/proxy.crt` / `/usr/local/openresty/nginx/conf/proxy.crt` | | PROXY_SSL_CERT_KEY | A string indicating the path to the PEM-encoded private key file of the proxied server | `/usr/local/apache2/conf/proxy.key` | `/etc/nginx/conf/proxy.key` / `/usr/local/openresty/nginx/conf/proxy.key` | | PROXY_SSL_CIPHERS| A string indicating the cipher suite to connect to the backend via TLS | `"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"` | - | | PROXY_SSL_PROTOCOLS | TLS protocols to enable for the connection to the backend | `"all -SSLv3 -TLSv1 -TLSv1.1"` | `TTLSv1.2 TLSv1.3` | +| PROXY_SSL | SSL Proxy Engine Operation Switch | `off` | - | | PROXY_SSL_VERIFY | A string value indicating the type of proxy server Certificate verification | `none` | `off` | | PROXY_TIMEOUT | Number of seconds for proxied requests to time out | `60` | `60s` | | SERVER_NAME | The server name | `localhost` | - | 
@@ -178,8 +178,8 @@ These variables are common to image variants and will set defaults based on the | Name | Description| | -------- | ------------------------------------------------------------------- | | APACHE_ALWAYS_TLS_REDIRECT | A string value indicating if http should redirect to https (Allowed values: `on`, `off`. Default: `off`) | -| APACHE_LOGFORMAT | A string value indicating the LogFormat that apache should use. (Default: `'"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""'` (combined). Tip: use single quotes outside your double quoted format string.) ⚠️ Do not add a `|` as part of the log format. It is used internally. | | APACHE_ERRORLOG_FORMAT | A string value indicating the `ErrorLogFormat` that Apache should use. (Default: `'"[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"'` | +| APACHE_LOGFORMAT | A string value indicating the LogFormat that apache should use. (Default: `'"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""'` (combined). Tip: use single quotes outside your double quoted format string.) ⚠️ Do not add a `|` as part of the log format. It is used internally. | | APACHE_METRICS_LOGFORMAT | A string value indicating the LogFormat that the additional log apache metrics should use. (Default:'"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""' (combined). Tip: use single quotes outside your double quoted format string.) ⚠️ Do not add a `|` as part of the log format. It is used internally. | | BACKEND_WS | A string indicating the IP/URL of the WebSocket service (Default: `ws://localhost:8080`) | | H2_PROTOCOLS | A string value indicating the protocols supported by the HTTP2 module (Default: `h2 http/1.1`) | 
@@ -211,15 +211,15 @@ These variables are common to image variants and will set defaults based on the | DNS_SERVER | A string indicating the name servers used to resolve names of upstream servers into addresses. For localhost backend this value should not be defined (Default: _not defined_) | | KEEPALIVE_TIMEOUT | Number of seconds for a keep-alive client connection to stay open on the server side (Default: `60s`) | | NGINX_ALWAYS_TLS_REDIRECT | A string value indicating if http should redirect to https (Allowed values: `on`, `off`. Default: `off`) | -| SET_REAL_IP_FROM | A string of comma separated IP, CIDR, or UNIX domain socket addresses that are trusted to replace addresses in `REAL_IP_HEADER` (Default: `127.0.0.1`). See [set_real_ip_from](http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from) | +| PORT | An int value indicating the port where the webserver is listening to | `8080` | We run as unprivileged user. | +| PROXY_SSL_VERIFY_DEPTH | An integer value indicating the verification depth for the client certificate chain (Default: `1`) | | REAL_IP_HEADER | Name of the header containing the real IP value(s) (Default: `X-REAL-IP`). See [real_ip_header](http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header) | | REAL_IP_PROXY_HEADER | Name of the header containing `$remote_addr` to be passed to proxy (Default: `X-REAL-IP`). See [proxy_set_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header) | | REAL_IP_RECURSIVE | A string value indicating whether to use recursive reaplacement on addresses in `REAL_IP_HEADER` (Allowed values: `on`, `off`. Default: `on`). See [real_ip_recursive](http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive) | -| PORT | An int value indicating the port where the webserver is listening to | `8080` | We run as unprivileged user. 
| -| PROXY_SSL_VERIFY_DEPTH | An integer value indicating the verification depth for the client certificate chain (Default: `1`) | | SERVER_TOKENS | A boolean value for enabling / disabling emission of server identifying information in the `Server` HTTP response header and on error pages. (Allowed values: `on`, `off`, `build`. Default: `off`). | -| SSL_PORT | Port number where the SSL enabled webserver is listening | `8443` | We run as unprivileged user. | +| SET_REAL_IP_FROM | A string of comma separated IP, CIDR, or UNIX domain socket addresses that are trusted to replace addresses in `REAL_IP_HEADER` (Default: `127.0.0.1`). See [set_real_ip_from](http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from) | | SSL_DH_BITS | A numeric value indicating the size (in bits) to use for the generated DH-params file (Default 2048) | +| SSL_PORT | Port number where the SSL enabled webserver is listening | `8443` | We run as unprivileged user. | | SSL_PREFER_CIPHERS | A string value indicating if the server ciphers should be preferred over client ciphers when using the SSLv3 and TLS protocols (Allowed values: `on`, `off`. Default: `off`)| | SSL_VERIFY | A string value indicating if the client certificates should be verified (Allowed values: `on`, `off`. Default: `off`) | | SSL_VERIFY_DEPTH | An integer value indicating the verification depth for the client certificate chain (Default: `1`) | 
@@ -238,23 +238,25 @@ All these variables impact in configuration directives in the modsecurity engine | MODSEC_AUDIT_ENGINE | A string used to configure the audit engine, which logs complete transactions (Default: `RelevantOnly`). Accepted values: `On`, `Off`, `RelevantOnly`. See [SecAuditEngine](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#SecAuditEngine) for additional information. | | MODSEC_AUDIT_LOG | A string indicating the path to the main audit log file or the concurrent logging index file (Default: `/dev/stdout`) | | MODSEC_AUDIT_LOG_FORMAT | A string indicating the output format of the AuditLogs (Default: `JSON`). Accepted values: `JSON`, `Native`. See [SecAuditLogFormat](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#SecAuditLogFormat) for additional information. | -| MODSEC_AUDIT_LOG_TYPE | A string indicating the type of audit logging mechanism to be used (Default: `Serial`). Accepted values: `Serial`, `Concurrent` (`HTTPS` works only on Nginx - v3). See [SecAuditLogType](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secauditlogtype) for additional information. | | MODSEC_AUDIT_LOG_PARTS | A string that defines which parts of each transaction are going to be recorded in the audit log (Default: `'ABIJDEFHZ'`). See [SecAuditLogParts](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts) for the accepted values. | +| MODSEC_AUDIT_LOG_TYPE | A string indicating the type of audit logging mechanism to be used (Default: `Serial`). Accepted values: `Serial`, `Concurrent` (`HTTPS` works only on Nginx - v3). See [SecAuditLogType](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secauditlogtype) for additional information. 
| | MODSEC_AUDIT_STORAGE | A string indicating the directory where concurrent audit log entries are to be stored (Default: `/var/log/modsecurity/audit/`) | | MODSEC_DATA_DIR | A string indicating the path where persistent data (e.g., IP address data, session data, and so on) is to be stored (Default: `/tmp/modsecurity/data`) | | MODSEC_DEBUG_LOG | A string indicating the path to the ModSecurity debug log file (Default: `/dev/null`) | | MODSEC_DEBUG_LOGLEVEL | An integer indicating the verboseness of the debug log data (Default: `0`). Accepted values: `0` - `9`. See [SecDebugLogLevel](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secdebugloglevel). | +| MODSEC_DEFAULT_PHASE1_ACTION | ModSecurity string with the contents for the default action in phase 1 (Default: `'phase:1,log,auditlog,pass,tag:\'\${MODSEC_TAG}\''`) | +| MODSEC_DEFAULT_PHASE2_ACTION | ModSecurity string with the contents for the default action in phase 2 (Default: `'phase:2,log,auditlog,pass,tag:\'\${MODSEC_TAG}\''`) | | MODSEC_DISABLE_BACKEND_COMPRESSION | A string indicating whether or not to disable backend compression (Default: `On`). Allowed values: `On`, `Off`. See [SecDisableBackendCompression](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secdisablebackendcompression) for more. Only supported in ModSecurity 2.x, will have not effect on 3.x | | MODSEC_PCRE_MATCH_LIMIT | An integer value indicating the limit for the number of internal executions in the PCRE function (Default: `100000`) (Only valid for Apache - v2). See [SecPcreMatchLimit](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#SecPcreMatchLimit) | | MODSEC_PCRE_MATCH_LIMIT_RECURSION | An integer value indicating the limit for the depth of recursion when calling PCRE function (Default: `100000`) | | MODSEC_REQ_BODY_ACCESS | A string value allowing ModSecurity to access request bodies (Default: `On`). Allowed values: `On`, `Off`. 
See [SecRequestBodyAccess](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secrequestbodyaccess) for more information. | -| MODSEC_REQ_BODY_LIMIT | An integer value indicating the maximum request body size accepted for buffering (Default: `13107200`). See [SecRequestBodyLimit](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secrequestbodylimit) for additional information. | -| MODSEC_REQ_BODY_LIMIT_ACTION | A string value for the action when `SecRequestBodyLimit` is reached (Default: `Reject`). Accepted values: `Reject`, `ProcessPartial`. See [SecRequestBodyLimitAction](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secrequestbodylimitaction) for additional information. | | MODSEC_REQ_BODY_JSON_DEPTH_LIMIT | An integer value indicating the maximun JSON request depth (Default: `512`). See [SecRequestBodyJsonDepthLimit](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#SecRequestBodyJsonDepthLimit) for additional information. | +| MODSEC_REQ_BODY_LIMIT_ACTION | A string value for the action when `SecRequestBodyLimit` is reached (Default: `Reject`). Accepted values: `Reject`, `ProcessPartial`. See [SecRequestBodyLimitAction](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secrequestbodylimitaction) for additional information. | +| MODSEC_REQ_BODY_LIMIT | An integer value indicating the maximum request body size accepted for buffering (Default: `13107200`). See [SecRequestBodyLimit](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secrequestbodylimit) for additional information. | | MODSEC_REQ_BODY_NOFILES_LIMIT | An integer indicating the maximum request body size ModSecurity will accept for buffering (Default: `131072`). See [SecRequestBodyNoFilesLimit](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secrequestbodynofileslimit) for more information. 
| | MODSEC_RESP_BODY_ACCESS | A string value allowing ModSecurity to access response bodies (Default: `On`). Allowed values: `On`, `Off`. See [SecResponseBodyAccess](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secresponsebodyaccess) for more information. | -| MODSEC_RESP_BODY_LIMIT | An integer value indicating the maximum response body size accepted for buffering (Default: `1048576`) | | MODSEC_RESP_BODY_LIMIT_ACTION | A string value for the action when `SecResponseBodyLimit` is reached (Default: `ProcessPartial`). Accepted values: `Reject`, `ProcessPartial`. See [SecResponseBodyLimitAction](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secresponsebodylimitaction) for additional information. | +| MODSEC_RESP_BODY_LIMIT | An integer value indicating the maximum response body size accepted for buffering (Default: `1048576`) | | MODSEC_RESP_BODY_MIMETYPE | A string with the list of mime types that will be analyzed in the response (Default: `'text/plain text/html text/xml'`). You might consider adding `application/json` documented [here](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-\(v2.x\)#secresponsebodymimetype). | | MODSEC_RULE_ENGINE | A string value enabling ModSecurity itself (Default: `On`). Accepted values: `On`, `Off`, `DetectionOnly`. See [SecRuleEngine](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secruleengine) for additional information. | | MODSEC_SERVER_SIGNATURE | Sets the directive [SecServerSignature](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#secserversignature) and instructs ModSecurity to change the data presented in the "Server:" response header token when Apache `ServerTokens` directive is set to `Full`. Also see Apache `SERVER_TOKENS`. Only supported in ModSecurity 2.x, will have not effect on 3.x. (Default: `Apache`). | 
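Review bot: the moved `MODSEC_DEFAULT_PHASE1_ACTION` / `MODSEC_DEFAULT_PHASE2_ACTION` rows document the default as `'phase:1,log,auditlog,pass,tag:\'\${MODSEC_TAG}\''`, but every Dockerfile in this PR sets `MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'"` (no `auditlog`, and `pass` before `log`). Since the rows are being touched anyway, make the README default match what the image actually ships; whether a matched transaction is written to the audit log is exactly what an operator reads this row for. Two smaller things in the same hunk: `MODSEC_REQ_BODY_LIMIT_ACTION` now sorts before `MODSEC_REQ_BODY_LIMIT` (and `MODSEC_RESP_BODY_LIMIT_ACTION` before `MODSEC_RESP_BODY_LIMIT`), which is the reverse of the Dockerfile order `MODSEC_REQ_BODY_LIMIT=13107200` then `MODSEC_REQ_BODY_LIMIT_ACTION="Reject"`, so pick one ordering for both; and the context lines still read "will have not effect on 3.x" (twice) and "maximun JSON request depth", worth fixing while here.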
@@ -263,37 +265,35 @@ All these variables impact in configuration directives in the modsecurity engine | MODSEC_TMP_DIR | A string indicating the path where temporary files will be created (Default: `/tmp/modsecurity/tmp`) | | MODSEC_TMP_SAVE_UPLOADED_FILES | A string indicating if temporary uploaded files are saved (Default: `On`) (only relevant in Apache - ModSecurity v2) | | MODSEC_UPLOAD_DIR | A string indicating the path where intercepted files will be stored (Default: `/tmp/modsecurity/upload`) | -| MODSEC_DEFAULT_PHASE1_ACTION | ModSecurity string with the contents for the default action in phase 1 (Default: `'phase:1,log,auditlog,pass,tag:\'\${MODSEC_TAG}\''`) | -| MODSEC_DEFAULT_PHASE2_ACTION | ModSecurity string with the contents for the default action in phase 2 (Default: `'phase:2,log,auditlog,pass,tag:\'\${MODSEC_TAG}\''`) | ### CRS specific | Name | Description| | -------- | ------------------------------------------------------------------- | -| MANUAL_MODE | A boolean indicating that you are providing your own `crs-setup.conf` file mounted as volume. (Default: `0`). ⚠️ None of the following variables are used if you set it to `1`. | -| CRS_DISABLE_PLUGINS | A boolean indicating whether plugins will be **disabled** (Only from v4 and up. 
Default: `0`) | -| PARANOIA | An integer indicating the paranoia level (Default: `1`) | -| BLOCKING_PARANOIA | (:new: Replaces `PARANOIA` in CRSv4) An integer indicating the paranoia level (Default: `1`) | -| EXECUTING_PARANOIA | An integer indicating the executing_paranoia_level (Default: `PARANOIA`) | -| DETECTION_PARANOIA | (:new: Replaces `EXECUTING_PARANOIA` in CRSv4) An integer indicating the detection_paranoia_level (Default: `BLOCKING_PARANOIA`) | -| ENFORCE_BODYPROC_URLENCODED | A boolean indicating the enforce_bodyproc_urlencoded (Default: `0`) | -| VALIDATE_UTF8_ENCODING | A boolean indicating the crs_validate_utf8_encoding (Default: `0`) | -| ANOMALY_INBOUND | An integer indicating the inbound_anomaly_score_threshold (Default: `5`) | -| ANOMALY_OUTBOUND | An integer indicating the outbound_anomaly_score_threshold (Default: `4`) | +| ALLOWED_HTTP_VERSIONS | A string indicating the allowed_http_versions (Default: `HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0`) | | ALLOWED_METHODS | A string indicating the allowed_methods (Default: `GET HEAD POST OPTIONS`) | | ALLOWED_REQUEST_CONTENT_TYPE | A string indicating the allowed_request_content_type (Default: `\|application/x-www-form-urlencoded\| \|multipart/form-data\| \|multipart/related\| \|text/xml\| \|application/xml\| \|application/soap+xml\| \|application/json\| \|application/cloudevents+json\| \|application/cloudevents-batch+json\|`) | | ALLOWED_REQUEST_CONTENT_TYPE_CHARSET | A string indicating the allowed_request_content_type_charset (Default: `utf-8\|iso-8859-1\|iso-8859-15\|windows-1252`) | -| ALLOWED_HTTP_VERSIONS | A string indicating the allowed_http_versions (Default: `HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0`) | +| ANOMALY_INBOUND | An integer indicating the inbound_anomaly_score_threshold (Default: `5`) | +| ANOMALY_OUTBOUND | An integer indicating the outbound_anomaly_score_threshold (Default: `4`) | +| ARG_LENGTH | An integer indicating the arg_length (Default: `unlimited`) | +| ARG_NAME_LENGTH | An integer 
indicating the arg_name_length (Default: `unlimited`) | +| BLOCKING_PARANOIA | (:new: Replaces `PARANOIA` in CRSv4) An integer indicating the paranoia level (Default: `1`) | +| COMBINED_FILE_SIZES | An integer indicating the combined_file_sizes (Default: `unlimited`) | +| CRS_DISABLE_PLUGINS | A boolean indicating whether plugins will be **disabled** (Only from v4 and up. Default: `0`) | +| CRS_ENABLE_TEST_MARKER | A boolean indicating whether to write test markers to the log file (Used for running the CRS test suite. Default: `0`) | +| DETECTION_PARANOIA | (:new: Replaces `EXECUTING_PARANOIA` in CRSv4) An integer indicating the detection_paranoia_level (Default: `BLOCKING_PARANOIA`) | +| ENFORCE_BODYPROC_URLENCODED | A boolean indicating the enforce_bodyproc_urlencoded (Default: `0`) | +| EXECUTING_PARANOIA | An integer indicating the executing_paranoia_level (Default: `PARANOIA`) | +| MANUAL_MODE | A boolean indicating that you are providing your own `crs-setup.conf` file mounted as volume. (Default: `0`). ⚠️ None of the following variables are used if you set it to `1`. 
| +| MAX_FILE_SIZE | An integer indicating the max_file_size (Default: `unlimited`) | +| MAX_NUM_ARGS | An integer indicating the max_num_args (Default: `unlimited`) | +| PARANOIA | An integer indicating the paranoia level (Default: `1`) | | RESTRICTED_EXTENSIONS | A string indicating the restricted_extensions (Default: `.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/`) | | RESTRICTED_HEADERS | A string indicating the restricted_headers (Default: `/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/`) | | STATIC_EXTENSIONS | A string indicating the static_extensions (Default: `/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/`) | -| MAX_NUM_ARGS | An integer indicating the max_num_args (Default: `unlimited`) | -| ARG_NAME_LENGTH | An integer indicating the arg_name_length (Default: `unlimited`) | -| ARG_LENGTH | An integer indicating the arg_length (Default: `unlimited`) | | TOTAL_ARG_LENGTH | An integer indicating the total_arg_length (Default: `unlimited`) | -| MAX_FILE_SIZE | An integer indicating the max_file_size (Default: `unlimited`) | -| COMBINED_FILE_SIZES | An integer indicating the combined_file_sizes (Default: `unlimited`) | -| CRS_ENABLE_TEST_MARKER | A boolean indicating whether to write test markers to the log file (Used for running the CRS test suite. Default: `0`) | +| VALIDATE_UTF8_ENCODING | A boolean indicating the crs_validate_utf8_encoding (Default: `0`) | ## TLS/HTTPS diff --git a/apache/Dockerfile b/apache/Dockerfile index 6d7491b..f30289f 100644 --- a/apache/Dockerfile +++ b/apache/Dockerfile 
@@ -64,11 +64,12 @@ ARG LUA_MODULES LABEL maintainer="Felipe Zipitria " -ENV APACHE_ALWAYS_TLS_REDIRECT=off \ - APACHE_LOGFORMAT='"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""' \ +ENV \ + ACCESSLOG=/var/log/apache2/access.log \ + APACHE_ALWAYS_TLS_REDIRECT=off \ APACHE_ERRORLOG_FORMAT='"[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"' \ + APACHE_LOGFORMAT='"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""' \ APACHE_METRICS_LOGFORMAT='"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""' \ - ACCESSLOG=/var/log/apache2/access.log \ BACKEND=http://localhost:80 \ BACKEND_WS=ws://localhost:8080 \ ERRORLOG='/proc/self/fd/2' \ @@ -76,13 +77,12 @@ ENV APACHE_ALWAYS_TLS_REDIRECT=off \ LOGLEVEL=warn \ METRICS_ALLOW_FROM='127.0.0.0/255.0.0.0 ::1/128' \ METRICS_DENY_FROM='All' \ - MUTEX='default' \ METRICSLOG='/dev/null' \ MODSEC_AUDIT_ENGINE="RelevantOnly" \ - MODSEC_AUDIT_LOG_FORMAT=JSON \ - MODSEC_AUDIT_LOG_TYPE=Serial \ MODSEC_AUDIT_LOG=/dev/stdout \ + MODSEC_AUDIT_LOG_FORMAT=JSON \ MODSEC_AUDIT_LOG_PARTS='ABIJDEFHZ' \ + MODSEC_AUDIT_LOG_TYPE=Serial \ MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \ MODSEC_DATA_DIR=/tmp/modsecurity/data \ MODSEC_DEBUG_LOG=/dev/null \ @@ -90,12 +90,12 @@ ENV APACHE_ALWAYS_TLS_REDIRECT=off \ MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \ MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \ MODSEC_DISABLE_BACKEND_COMPRESSION="On" \ - MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 \ MODSEC_PCRE_MATCH_LIMIT=100000 \ + MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 \ MODSEC_REQ_BODY_ACCESS=on \ + MODSEC_REQ_BODY_JSON_DEPTH_LIMIT=512 \ MODSEC_REQ_BODY_LIMIT=13107200 \ MODSEC_REQ_BODY_LIMIT_ACTION="Reject" \ - MODSEC_REQ_BODY_JSON_DEPTH_LIMIT=512 \ MODSEC_REQ_BODY_NOFILES_LIMIT=131072 \ MODSEC_RESP_BODY_ACCESS=on \ MODSEC_RESP_BODY_LIMIT=1048576 \ 
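Review bot: reordering keys inside one `ENV` instruction is behaviour-neutral here only because no value references another key from the same instruction: the single `$`-reference in the block, `MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'"`, is escaped and stays literal for ModSecurity to expand at runtime. Docker resolves an unescaped `${VAR}` against the environment as it was before the instruction started, so a value that referred to a key defined earlier in the same `ENV` would not pick it up regardless of where the sort puts it. Worth a sentence in the PR description so nobody later relies on alphabetical order for a dependency between two of these variables.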
@@ -108,15 +108,16 @@ ENV APACHE_ALWAYS_TLS_REDIRECT=off \ MODSEC_TMP_DIR=/tmp/modsecurity/tmp \ MODSEC_TMP_SAVE_UPLOADED_FILES="on" \ MODSEC_UPLOAD_DIR=/tmp/modsecurity/upload \ + MUTEX='default' \ PORT=80 \ PROXY_ERROR_OVERRIDE=on \ PROXY_PRESERVE_HOST=on \ - PROXY_SSL=off \ PROXY_SSL_CA_CERT=/etc/ssl/certs/ca-certificates.crt \ - PROXY_SSL_CERT=/usr/local/apache2/conf/proxy.crt \ PROXY_SSL_CERT_KEY=/usr/local/apache2/conf/proxy.key \ + PROXY_SSL_CERT=/usr/local/apache2/conf/proxy.crt \ PROXY_SSL_CHECK_PEER_NAME=off \ PROXY_SSL_CIPHERS="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \ + PROXY_SSL=off \ PROXY_SSL_PROTOCOLS="all -SSLv3 -TLSv1 -TLSv1.1" \ PROXY_SSL_VERIFY=none \ PROXY_TIMEOUT=60 \ @@ -126,15 +127,15 @@ ENV APACHE_ALWAYS_TLS_REDIRECT=off \ SERVER_NAME=localhost \ SERVER_SIGNATURE=Off \ SERVER_TOKENS=Full \ - SSL_CERT=/usr/local/apache2/conf/server.crt \ SSL_CERT_KEY=/usr/local/apache2/conf/server.key \ + SSL_CERT=/usr/local/apache2/conf/server.crt \ SSL_CIPHERS="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \ SSL_ENGINE=on \ SSL_HONOR_CIPHER_ORDER=off \ + SSL_OCSP_STAPLING=On \ SSL_PORT=443 \ SSL_PROTOCOLS="all -SSLv3 -TLSv1 -TLSv1.1" \ SSL_SESSION_TICKETS=off \ - SSL_OCSP_STAPLING=On \ TIMEOUT=60 \ WORKER_CONNECTIONS=400 \ # CRS specific variables diff --git a/apache/Dockerfile-alpine b/apache/Dockerfile-alpine index f003962..c52958f 100644 --- a/apache/Dockerfile-alpine +++ b/apache/Dockerfile-alpine 
@@ -74,11 +74,12 @@ ARG LUA_MODULES LABEL maintainer="Felipe Zipitria " -ENV APACHE_ALWAYS_TLS_REDIRECT=off \ - APACHE_LOGFORMAT='"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""' \ +ENV \ + ACCESSLOG=/var/log/apache2/access.log \ + APACHE_ALWAYS_TLS_REDIRECT=off \ APACHE_ERRORLOG_FORMAT='"[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"' \ + APACHE_LOGFORMAT='"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""' \ APACHE_METRICS_LOGFORMAT='"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""' \ - ACCESSLOG=/var/log/apache2/access.log \ BACKEND=http://localhost:80 \ BACKEND_WS=ws://localhost:8080 \ ERRORLOG='/proc/self/fd/2' \ @@ -86,13 +87,12 @@ ENV APACHE_ALWAYS_TLS_REDIRECT=off \ LOGLEVEL=warn \ METRICS_ALLOW_FROM='127.0.0.0/255.0.0.0 ::1/128' \ METRICS_DENY_FROM='All' \ - MUTEX='default' \ METRICSLOG='/dev/null' \ MODSEC_AUDIT_ENGINE="RelevantOnly" \ - MODSEC_AUDIT_LOG_FORMAT=JSON \ - MODSEC_AUDIT_LOG_TYPE=Serial \ MODSEC_AUDIT_LOG=/dev/stdout \ + MODSEC_AUDIT_LOG_FORMAT=JSON \ MODSEC_AUDIT_LOG_PARTS='ABIJDEFHZ' \ + MODSEC_AUDIT_LOG_TYPE=Serial \ MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \ MODSEC_DATA_DIR=/tmp/modsecurity/data \ MODSEC_DEBUG_LOG=/dev/null \ @@ -100,12 +100,12 @@ ENV APACHE_ALWAYS_TLS_REDIRECT=off \ MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \ MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \ MODSEC_DISABLE_BACKEND_COMPRESSION="On" \ - MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 \ MODSEC_PCRE_MATCH_LIMIT=100000 \ + MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 \ MODSEC_REQ_BODY_ACCESS=on \ + MODSEC_REQ_BODY_JSON_DEPTH_LIMIT=512 \ MODSEC_REQ_BODY_LIMIT=13107200 \ MODSEC_REQ_BODY_LIMIT_ACTION="Reject" \ - MODSEC_REQ_BODY_JSON_DEPTH_LIMIT=512 \ MODSEC_REQ_BODY_NOFILES_LIMIT=131072 \ MODSEC_RESP_BODY_ACCESS=on \ MODSEC_RESP_BODY_LIMIT=1048576 \ 
@@ -118,15 +118,16 @@ ENV APACHE_ALWAYS_TLS_REDIRECT=off \ MODSEC_TMP_DIR=/tmp/modsecurity/tmp \ MODSEC_TMP_SAVE_UPLOADED_FILES="on" \ MODSEC_UPLOAD_DIR=/tmp/modsecurity/upload \ + MUTEX='default' \ PORT=80 \ PROXY_ERROR_OVERRIDE=on \ PROXY_PRESERVE_HOST=on \ - PROXY_SSL=off \ PROXY_SSL_CA_CERT=/etc/ssl/certs/ca-certificates.crt \ - PROXY_SSL_CERT=/usr/local/apache2/conf/proxy.crt \ PROXY_SSL_CERT_KEY=/usr/local/apache2/conf/proxy.key \ + PROXY_SSL_CERT=/usr/local/apache2/conf/proxy.crt \ PROXY_SSL_CHECK_PEER_NAME=off \ PROXY_SSL_CIPHERS="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \ + PROXY_SSL=off \ PROXY_SSL_PROTOCOLS="all -SSLv3 -TLSv1 -TLSv1.1" \ PROXY_SSL_VERIFY=none \ PROXY_TIMEOUT=60 \ @@ -136,15 +137,15 @@ ENV APACHE_ALWAYS_TLS_REDIRECT=off \ SERVER_NAME=localhost \ SERVER_SIGNATURE=Off \ SERVER_TOKENS=Full \ - SSL_CERT=/usr/local/apache2/conf/server.crt \ SSL_CERT_KEY=/usr/local/apache2/conf/server.key \ + SSL_CERT=/usr/local/apache2/conf/server.crt \ SSL_CIPHERS="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \ SSL_ENGINE=on \ SSL_HONOR_CIPHER_ORDER=off \ + SSL_OCSP_STAPLING=On \ SSL_PORT=443 \ SSL_PROTOCOLS="all -SSLv3 -TLSv1 -TLSv1.1" \ SSL_SESSION_TICKETS=off \ - SSL_OCSP_STAPLING=On \ TIMEOUT=60 \ WORKER_CONNECTIONS=400 \ # CRS specific variables diff --git a/nginx/Dockerfile b/nginx/Dockerfile index d59aaa6..5480bf1 100644 --- a/nginx/Dockerfile +++ b/nginx/Dockerfile 
@@ -113,32 +113,34 @@ ARG LUA_MODULES LABEL maintainer="Felipe Zipitria " -ENV ACCESSLOG=/var/log/nginx/access.log \ +ENV \ + ACCESSLOG=/var/log/nginx/access.log \ BACKEND=http://localhost:80 \ DNS_SERVER= \ ERRORLOG=/var/log/nginx/error.log \ KEEPALIVE_TIMEOUT=60s \ + LD_LIBRARY_PATH=/lib:/usr/lib:/usr/local/lib \ LOGLEVEL=warn \ METRICS_ALLOW_FROM='127.0.0.0/24' \ METRICS_DENY_FROM='all' \ METRICSLOG=/dev/null \ MODSEC_AUDIT_ENGINE="RelevantOnly" \ - MODSEC_AUDIT_LOG_FORMAT=JSON \ - MODSEC_AUDIT_LOG_TYPE=Serial \ MODSEC_AUDIT_LOG=/dev/stdout \ + MODSEC_AUDIT_LOG_FORMAT=JSON \ MODSEC_AUDIT_LOG_PARTS='ABIJDEFHZ' \ + MODSEC_AUDIT_LOG_TYPE=Serial \ MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \ MODSEC_DATA_DIR=/tmp/modsecurity/data \ MODSEC_DEBUG_LOG=/dev/null \ MODSEC_DEBUG_LOGLEVEL=0 \ MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \ MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \ - MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 \ MODSEC_PCRE_MATCH_LIMIT=100000 \ + MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 \ MODSEC_REQ_BODY_ACCESS=on \ + MODSEC_REQ_BODY_JSON_DEPTH_LIMIT=512 \ MODSEC_REQ_BODY_LIMIT=13107200 \ MODSEC_REQ_BODY_LIMIT_ACTION="Reject" \ - MODSEC_REQ_BODY_JSON_DEPTH_LIMIT=512 \ MODSEC_REQ_BODY_NOFILES_LIMIT=131072 \ MODSEC_RESP_BODY_ACCESS=on \ MODSEC_RESP_BODY_LIMIT=1048576 \ 
@@ -150,22 +152,23 @@ ENV ACCESSLOG=/var/log/nginx/access.log \ MODSEC_TMP_DIR=/tmp/modsecurity/tmp \ MODSEC_TMP_SAVE_UPLOADED_FILES="on" \ MODSEC_UPLOAD_DIR=/tmp/modsecurity/upload \ - PORT=8080 \ NGINX_ALWAYS_TLS_REDIRECT=off \ - SET_REAL_IP_FROM="127.0.0.1" \ - REAL_IP_HEADER="X-REAL-IP" \ - REAL_IP_PROXY_HEADER="X-REAL-IP" \ - REAL_IP_RECURSIVE="on" \ - PROXY_SSL=off \ + NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx \ + PORT=8080 \ PROXY_SSL_CERT=/etc/nginx/conf/proxy.crt \ PROXY_SSL_CERT_KEY=/etc/nginx/conf/proxy.key \ PROXY_SSL_CIPHERS="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \ + PROXY_SSL=off \ PROXY_SSL_PROTOCOLS="TLSv1.2 TLSv1.3" \ - PROXY_SSL_VERIFY=off \ PROXY_SSL_VERIFY_DEPTH=1 \ + PROXY_SSL_VERIFY=off \ PROXY_TIMEOUT=60s \ + REAL_IP_HEADER="X-REAL-IP" \ + REAL_IP_PROXY_HEADER="X-REAL-IP" \ + REAL_IP_RECURSIVE="on" \ SERVER_NAME=localhost \ SERVER_TOKENS=off \ + SET_REAL_IP_FROM="127.0.0.1" \ SSL_CERT=/etc/nginx/conf/server.crt \ SSL_CERT_KEY=/etc/nginx/conf/server.key \ SSL_CIPHERS="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \ @@ -174,11 +177,9 @@ ENV ACCESSLOG=/var/log/nginx/access.log \ SSL_PORT=8443 \ SSL_PREFER_CIPHERS=off \ SSL_PROTOCOLS="TLSv1.2 TLSv1.3" \ - SSL_VERIFY=off \ SSL_VERIFY_DEPTH=1 \ + SSL_VERIFY=off \ WORKER_CONNECTIONS=1024 \ - LD_LIBRARY_PATH=/lib:/usr/lib:/usr/local/lib \ - NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx \ # CRS specific variables PARANOIA=1 \ ANOMALY_INBOUND=5 \ diff --git a/nginx/Dockerfile-alpine b/nginx/Dockerfile-alpine index de8ed9c..8f0a645 100644 --- a/nginx/Dockerfile-alpine +++ b/nginx/Dockerfile-alpine 
@@ -108,31 +108,34 @@ ARG LUA_MODULES LABEL maintainer="Felipe Zipitria " -ENV ACCESSLOG=/var/log/nginx/access.log \ +ENV \ + ACCESSLOG=/var/log/nginx/access.log \ BACKEND=http://localhost:80 \ DNS_SERVER= \ ERRORLOG=/var/log/nginx/error.log \ + KEEPALIVE_TIMEOUT=60s \ + LD_LIBRARY_PATH=/lib:/usr/lib:/usr/local/lib \ LOGLEVEL=warn \ METRICS_ALLOW_FROM='127.0.0.0/24' \ METRICS_DENY_FROM='all' \ METRICSLOG=/dev/null \ MODSEC_AUDIT_ENGINE="RelevantOnly" \ - MODSEC_AUDIT_LOG_FORMAT=JSON \ - MODSEC_AUDIT_LOG_TYPE=Serial \ MODSEC_AUDIT_LOG=/dev/stdout \ + MODSEC_AUDIT_LOG_FORMAT=JSON \ MODSEC_AUDIT_LOG_PARTS='ABIJDEFHZ' \ + MODSEC_AUDIT_LOG_TYPE=Serial \ MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \ MODSEC_DATA_DIR=/tmp/modsecurity/data \ MODSEC_DEBUG_LOG=/dev/null \ MODSEC_DEBUG_LOGLEVEL=0 \ MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \ MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \ - MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 \ MODSEC_PCRE_MATCH_LIMIT=100000 \ + MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 \ MODSEC_REQ_BODY_ACCESS=on \ + MODSEC_REQ_BODY_JSON_DEPTH_LIMIT=512 \ MODSEC_REQ_BODY_LIMIT=13107200 \ MODSEC_REQ_BODY_LIMIT_ACTION="Reject" \ - MODSEC_REQ_BODY_JSON_DEPTH_LIMIT=512 \ MODSEC_REQ_BODY_NOFILES_LIMIT=131072 \ MODSEC_RESP_BODY_ACCESS=on \ MODSEC_RESP_BODY_LIMIT=1048576 \ 
@@ -144,22 +147,23 @@ ENV ACCESSLOG=/var/log/nginx/access.log \ MODSEC_TMP_DIR=/tmp/modsecurity/tmp \ MODSEC_TMP_SAVE_UPLOADED_FILES="on" \ MODSEC_UPLOAD_DIR=/tmp/modsecurity/upload \ - PORT=8080 \ NGINX_ALWAYS_TLS_REDIRECT=off \ - SET_REAL_IP_FROM="127.0.0.1" \ - REAL_IP_HEADER="X-REAL-IP" \ - REAL_IP_PROXY_HEADER="X-REAL-IP" \ - REAL_IP_RECURSIVE="on" \ - PROXY_SSL=off \ + NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx \ + PORT=8080 \ PROXY_SSL_CERT=/etc/nginx/conf/proxy.crt \ PROXY_SSL_CERT_KEY=/etc/nginx/conf/proxy.key \ PROXY_SSL_CIPHERS="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \ + PROXY_SSL=off \ PROXY_SSL_PROTOCOLS="TLSv1.2 TLSv1.3" \ - PROXY_SSL_VERIFY=off \ PROXY_SSL_VERIFY_DEPTH=1 \ + PROXY_SSL_VERIFY=off \ PROXY_TIMEOUT=60s \ + REAL_IP_HEADER="X-REAL-IP" \ + REAL_IP_PROXY_HEADER="X-REAL-IP" \ + REAL_IP_RECURSIVE="on" \ SERVER_NAME=localhost \ SERVER_TOKENS=off \ + SET_REAL_IP_FROM="127.0.0.1" \ SSL_CERT=/etc/nginx/conf/server.crt \ SSL_CERT_KEY=/etc/nginx/conf/server.key \ SSL_CIPHERS="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \ @@ -170,10 +174,7 @@ ENV ACCESSLOG=/var/log/nginx/access.log \ SSL_PROTOCOLS="TLSv1.2 TLSv1.3" \ SSL_VERIFY_DEPTH=1 \ SSL_VERIFY=off \ - KEEPALIVE_TIMEOUT=60s \ WORKER_CONNECTIONS=1024 \ - LD_LIBRARY_PATH=/lib:/usr/lib:/usr/local/lib \ - NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx \ # CRS specific variables PARANOIA=1 \ ANOMALY_INBOUND=5 \ diff --git a/openresty/Dockerfile-alpine b/openresty/Dockerfile-alpine index 949d29e..6170b7e 100644 --- a/openresty/Dockerfile-alpine +++ b/openresty/Dockerfile-alpine 
@@ -117,32 +117,35 @@ ARG LUA_MODULES LABEL maintainer="Taavi Ansper " -ENV ACCESSLOG=/var/log/nginx/access.log \ +ENV \ + ACCESSLOG=/var/log/nginx/access.log \ BACKEND=http://localhost:80 \ DNS_SERVER= \ ERRORLOG=/var/log/nginx/error.log \ KEEPALIVE_TIMEOUT=60s \ + # Change LD_LIBRARY_PATH from normal nginx setup. Do not add /usr/lib or /lib + LD_LIBRARY_PATH=/usr/local/lib:/usr/local/openresty \ LOGLEVEL=warn \ METRICS_ALLOW_FROM='127.0.0.0/24' \ METRICS_DENY_FROM='all' \ METRICSLOG=/dev/null \ MODSEC_AUDIT_ENGINE="RelevantOnly" \ - MODSEC_AUDIT_LOG_FORMAT=JSON \ - MODSEC_AUDIT_LOG_TYPE=Serial \ MODSEC_AUDIT_LOG=/dev/stdout \ + MODSEC_AUDIT_LOG_FORMAT=JSON \ MODSEC_AUDIT_LOG_PARTS='ABIJDEFHZ' \ + MODSEC_AUDIT_LOG_TYPE=Serial \ MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \ MODSEC_DATA_DIR=/tmp/modsecurity/data \ MODSEC_DEBUG_LOG=/dev/null \ MODSEC_DEBUG_LOGLEVEL=0 \ MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \ MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \ - MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 \ MODSEC_PCRE_MATCH_LIMIT=100000 \ + MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 \ MODSEC_REQ_BODY_ACCESS=on \ + MODSEC_REQ_BODY_JSON_DEPTH_LIMIT=512 \ MODSEC_REQ_BODY_LIMIT=13107200 \ MODSEC_REQ_BODY_LIMIT_ACTION="Reject" \ - MODSEC_REQ_BODY_JSON_DEPTH_LIMIT=512 \ MODSEC_REQ_BODY_NOFILES_LIMIT=131072 \ MODSEC_RESP_BODY_ACCESS=on \ MODSEC_RESP_BODY_LIMIT=1048576 \ 
@@ -154,36 +157,34 @@ ENV ACCESSLOG=/var/log/nginx/access.log \ MODSEC_TMP_DIR=/tmp/modsecurity/tmp \ MODSEC_TMP_SAVE_UPLOADED_FILES="on" \ MODSEC_UPLOAD_DIR=/tmp/modsecurity/upload \ - PORT=80 \ NGINX_ALWAYS_TLS_REDIRECT=off \ - SET_REAL_IP_FROM="127.0.0.1" \ - REAL_IP_HEADER="X-REAL-IP" \ - REAL_IP_PROXY_HEADER="X-REAL-IP" \ - REAL_IP_RECURSIVE="on" \ - PROXY_SSL=off \ - PROXY_SSL_CERT=/usr/local/openresty/nginx/conf/proxy.crt \ + NGINX_ENVSUBST_OUTPUT_DIR=/usr/local/openresty/nginx/conf \ + PORT=80 \ PROXY_SSL_CERT_KEY=/usr/local/openresty/nginx/conf/proxy.key \ + PROXY_SSL_CERT=/usr/local/openresty/nginx/conf/proxy.crt \ PROXY_SSL_CIPHERS="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \ + PROXY_SSL=off \ PROXY_SSL_PROTOCOLS="TLSv1.2 TLSv1.3" \ - PROXY_SSL_VERIFY=off \ PROXY_SSL_VERIFY_DEPTH=1 \ + PROXY_SSL_VERIFY=off \ PROXY_TIMEOUT=60s \ + REAL_IP_HEADER="X-REAL-IP" \ + REAL_IP_PROXY_HEADER="X-REAL-IP" \ + REAL_IP_RECURSIVE="on" \ SERVER_NAME=localhost \ SERVER_TOKENS=off \ - SSL_CERT=/usr/local/openresty/nginx/conf/server.crt \ + SET_REAL_IP_FROM="127.0.0.1" \ SSL_CERT_KEY=/usr/local/openresty/nginx/conf/server.key \ + SSL_CERT=/usr/local/openresty/nginx/conf/server.crt \ SSL_CIPHERS="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \ SSL_DH_BITS=2048 \ SSL_OCSP_STAPLING=on \ SSL_PORT=443 \ SSL_PREFER_CIPHERS=off \ SSL_PROTOCOLS="TLSv1.2 TLSv1.3" \ - SSL_VERIFY=off \ SSL_VERIFY_DEPTH=1 \ + SSL_VERIFY=off \ WORKER_CONNECTIONS=1024 \ - # Change this from normal nginx setup. 
Do not add /usr/lib or /lib - LD_LIBRARY_PATH=/usr/local/lib:/usr/local/openresty \ - NGINX_ENVSUBST_OUTPUT_DIR=/usr/local/openresty/nginx/conf \ # CRS specific variables PARANOIA=1 \ ANOMALY_INBOUND=5 \
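Review bot: in the README hunk `@@ -263,37 +265,35 @@`, the `MANUAL_MODE` row keeps its warning "⚠️ None of the following variables are used if you set it to `1`", but the alphabetical reorder moves the row from the top of the CRS table to the middle, below `ALLOWED_*`, `ANOMALY_*`, `ARG_*`, `BLOCKING_PARANOIA`, `COMBINED_FILE_SIZES`, `CRS_*`, `DETECTION_PARANOIA`, `ENFORCE_BODYPROC_URLENCODED` and `EXECUTING_PARANOIA`. As written it now implies those rows still apply when a custom `crs-setup.conf` is mounted. Reword to "None of the other variables in this table are used if you set it to `1`", or keep `MANUAL_MODE` as the first row as a deliberate exception to the sort.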
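Review bot: the order produced in `@@ -108,15 +108,16 @@` and `@@ -126,15 +127,15 @@` of apache/Dockerfile (and repeated in apache/Dockerfile-alpine and openresty/Dockerfile-alpine) is a locale-aware sort of the whole `KEY=value` line, not a sort by key: `PROXY_SSL_CERT_KEY=` lands before `PROXY_SSL_CERT=`, `SSL_CERT_KEY=` before `SSL_CERT=`, and `PROXY_SSL=off` between `PROXY_SSL_CIPHERS` and `PROXY_SSL_PROTOCOLS`, while nginx/Dockerfile in the same PR leaves `PROXY_SSL_CERT=/etc/nginx/conf/proxy.crt` before `PROXY_SSL_CERT_KEY=` because its values differ. If the goal is that the README and the five Dockerfiles stay comparable, generate the order with `LC_ALL=C sort` on the key only (for example `sort -t= -k1,1`) so it is reproducible and can be checked in CI; the "sorted" state should not depend on a contributor's locale or on the values.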
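Review bot: in the last hunk of each Dockerfile (`@@ -174,11 +177,9 @@` in nginx/Dockerfile, `@@ -170,10 +174,7 @@` in nginx/Dockerfile-alpine, `@@ -154,36 +157,34 @@` in openresty/Dockerfile-alpine, and the `@@ -126` / `@@ -136` hunks in the apache files), the block after `# CRS specific variables` is left as `PARANOIA=1 \ ANOMALY_INBOUND=5 \ ...`, i.e. unsorted, so the `ENV` instruction is only sorted up to that comment. Either sort that block too (it is the part documented by the CRS table this PR also reorders) or state in the PR description that the CRS block is intentionally kept in its own order.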