Fix CVE-2021-20205 (libjpeg-turbo) and update examples
fl0ppy-d1sk committed Apr 26, 2021
1 parent 1a7abab commit a98dae1
Showing 34 changed files with 268 additions and 12 deletions.
3 changes: 3 additions & 0 deletions Dockerfile
Expand Up @@ -16,6 +16,9 @@ COPY lua/ /opt/lua
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh

# fix CVE-2021-20205
RUN apk add "libjpeg-turbo>=2.1.0-r0"

VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge

EXPOSE 8080/tcp 8443/tcp
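Review bot: `RUN apk add "libjpeg-turbo>=2.1.0-r0"` enforces a version floor but not the index it resolves against, and without `--no-cache` it leaves apk cache files in the layer; prefer `RUN apk add --no-cache "libjpeg-turbo>=2.1.0-r0"`, or, since this is a runtime-library fix, `RUN apk upgrade --no-cache` so every published Alpine security fix is picked up rather than this one CVE. The build fails loudly if the base image's repositories do not yet carry 2.1.0-r0, which is the right failure mode, but a comment such as `# build fails on an Alpine branch that lacks the fixed package` would save users a confusing error. Whether anything built by prepare.sh links libjpeg-turbo statically is not visible here; if it does, upgrading the package does not patch those binaries. The same three lines are copied into the four per-arch Dockerfiles in this commit, so moving the upgrade into prepare.sh would keep all five in sync.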
3 changes: 3 additions & 0 deletions Dockerfile-amd64
Expand Up @@ -16,6 +16,9 @@ COPY lua/ /opt/lua
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh

# fix CVE-2021-20205
RUN apk add "libjpeg-turbo>=2.1.0-r0"

VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge

EXPOSE 8080/tcp 8443/tcp
3 changes: 3 additions & 0 deletions Dockerfile-arm32v7
Expand Up @@ -23,6 +23,9 @@ COPY lua/ /opt/lua
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh

# fix CVE-2021-20205
RUN apk add "libjpeg-turbo>=2.1.0-r0"

VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge

EXPOSE 8080/tcp 8443/tcp
3 changes: 3 additions & 0 deletions Dockerfile-arm64v8
Expand Up @@ -23,6 +23,9 @@ COPY lua/ /opt/lua
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh

# fix CVE-2021-20205
RUN apk add "libjpeg-turbo>=2.1.0-r0"

VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge

EXPOSE 8080/tcp 8443/tcp
3 changes: 3 additions & 0 deletions Dockerfile-i386
Expand Up @@ -16,6 +16,9 @@ COPY lua/ /opt/lua
COPY prepare.sh /tmp/prepare.sh
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh

# fix CVE-2021-20205
RUN apk add "libjpeg-turbo>=2.1.0-r0"

VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge

EXPOSE 8080/tcp 8443/tcp
1 change: 1 addition & 0 deletions examples/autoconf-reverse-proxy/docker-compose.yml
Expand Up @@ -18,6 +18,7 @@ services:
- REDIRECT_HTTP_TO_HTTPS=yes
- DISABLE_DEFAULT_SERVER=yes
- USE_CLIENT_CACHE=yes
- USE_PROXY_CACHE=yes
- USE_GZIP=yes
- USE_BROTLI=yes
- USE_REVERSE_PROXY=yes
2 changes: 1 addition & 1 deletion examples/crowdsec/docker-compose.yml
Expand Up @@ -34,7 +34,7 @@ services:
- net2

mycrowdsec:
image: crowdsecurity/crowdsec:v1.0.2
image: crowdsecurity/crowdsec:v1.0.13
restart: always
volumes:
- ./acquis.yaml:/etc/crowdsec/acquis.yaml
43 changes: 43 additions & 0 deletions examples/drupal/docker-compose.yml
@@ -0,0 +1,43 @@
version: '3'

services:

mywww:
image: bunkerity/bunkerized-nginx
restart: always
ports:
- 80:8080
- 443:8443
volumes:
- ./drupal-files:/www:ro
- ./letsencrypt:/etc/letsencrypt
#- ./server-confs:/server-confs:ro # custom confs at server context for permalinks
- ./modsec-crs-confs:/modsec-crs-confs:ro # custom Core Rule Set confs to add Drupal exclusions
environment:
- SERVER_NAME=www.website.com # replace with your domain
- AUTO_LETS_ENCRYPT=yes
- REDIRECT_HTTP_TO_HTTPS=yes
- DISABLE_DEFAULT_SERVER=yes
- MAX_CLIENT_SIZE=50m
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_BROTLI=yes
- REMOTE_PHP=mydrupal
- REMOTE_PHP_PATH=/var/www/html

mydrupal:
image: drupal:fpm-alpine
restart: always
volumes:
- ./drupal-files:/var/www/html

mydb:
image: mariadb
restart: always
volumes:
- ./db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=drupaldb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password
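Review bot: `MYSQL_ROOT_PASSWORD=db-root-pwd` ships a root credential that nothing in this stack uses — Drupal connects as `user` — so the placeholder should be replaced by `MYSQL_RANDOM_ROOT_PASSWORD=yes`, which removes a secret users tend to forget to rotate. All three images (`bunkerity/bunkerized-nginx`, `drupal:fpm-alpine`, `mariadb`) float on mutable tags, so the example is not reproducible and will silently pick up a new MariaDB major on top of the persisted `./db-data`; pin at least the database to a major, e.g. `image: mariadb:10.5`. Quoting the port mappings (`- "80:8080"`, `- "443:8443"`) is the compose convention that keeps YAML from ever retyping them.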
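--- /dev/null
+++ b/examples/drupal/modsec-crs-confs/drupal.conf
@@ -0,0 +1,7 @@
+SecAction \
+"id:900130,\
+phase:1,\
+nolog,\
+pass,\
+t:none,\
+setvar:tx.crs_exclusions_drupal=1"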
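Review bot: Rule id 900130 is the id crs-setup.conf itself uses for the exclusion-package setting; if the bunkerized-nginx bundle already ships an active 900130, ModSecurity rejects the duplicate id at startup, so either confirm it is commented out there or give this SecAction an id in the user range (below 100000). The file has no comment explaining what it does or why it must live in `modsec-crs-confs` rather than `modsec-confs`; a header such as `# enables the OWASP CRS Drupal exclusion package; must load before the CRS rule files` would make the placement self-explanatory. That the directory is loaded before the CRS rules is inferred from the nextcloud example's use of it for `tx.allowed_methods` and is not visible in this commit.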
33 changes: 33 additions & 0 deletions examples/ghost/docker-compose.yml
@@ -0,0 +1,33 @@
version: '3'

services:

myreverse:
image: bunkerity/bunkerized-nginx
restart: always
ports:
- 80:8080
- 443:8443
volumes:
- ./letsencrypt:/etc/letsencrypt
#- ./modsec-crs-confs:/modsec-crs-confs:ro # fix FP with CRS
environment:
- SERVER_NAME=www.website.com # replace with your domain
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- REDIRECT_HTTP_TO_HTTPS=yes
- AUTO_LETS_ENCRYPT=yes
- USE_PROXY_CACHE=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_BROTLI=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://myghost:2368/

myghost:
image: ghost:alpine
volumes:
- ./data-ghost:/
environment:
- url=https://www.website.com # replace with your domain
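Review bot: `- ./data-ghost:/` bind-mounts the host directory over the container's root filesystem, which shadows the image's own files and cannot produce a working Ghost; the volume should target Ghost's content directory, `- ./data-ghost:/var/lib/ghost/content` for the official image (confirm against the tag in use). `myghost` is also the only application service in this commit without `restart: always`, and `ghost:alpine` floats on a mutable tag. The `modsec-crs-confs` mount is commented out while `examples/ghost/modsec-crs-confs/gogs.conf` is added alongside it, so the example contains a rule file it never loads.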
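--- /dev/null
+++ b/examples/ghost/modsec-crs-confs/gogs.conf
@@ -0,0 +1,7 @@
+SecAction \
+"id:900220,\
+phase:1,\
+nolog,\
+pass,\
+t:none,\
+setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"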
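Review bot: This file is a byte-for-byte copy of `examples/gogs/modsec-crs-confs/gogs.conf`, name included, and the `application/x-git-*-pack-request` entries it whitelists are Gogs-specific; nothing here relates to Ghost, and the ghost compose file leaves the `modsec-crs-confs` mount commented out, so the file is dead and misleading. If Ghost needs a content-type exclusion at all, rename it `ghost.conf`, keep only the types Ghost actually sends, and drop `application/octet-stream` and `text/plain`, which let a client submit a body that CRS's argument-based rules never parse. Otherwise delete the file.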
31 changes: 31 additions & 0 deletions examples/gogs/docker-compose.yml
@@ -0,0 +1,31 @@
version: '3'

services:

myreverse:
image: bunkerity/bunkerized-nginx
restart: always
ports:
- 80:8080
- 443:8443
volumes:
- ./letsencrypt:/etc/letsencrypt
- ./modsec-crs-confs:/modsec-crs-confs:ro # fix FP with CRS
environment:
- SERVER_NAME=www.website.com # replace with your domain
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- REDIRECT_HTTP_TO_HTTPS=yes
- AUTO_LETS_ENCRYPT=yes
- USE_PROXY_CACHE=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_BROTLI=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://mygogs:3000/

mygogs:
image: gogs/gogs
volumes:
- ./data-gogs:/data
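Review bot: `USE_PROXY_CACHE=yes` places an nginx proxy cache in front of an application whose pages are session-bound and per-user; whether that is safe depends on bunkerized-nginx honouring `Cache-Control`/`Set-Cookie` on upstream responses, which this commit does not show, so the example should either state that only static assets are cached or drop the option for Gogs. Gogs also serves git over SSH on its own port, which the example neither publishes nor mentions; a comment such as `# git over SSH is not exposed here — only HTTP(S) passes through the WAF` would stop users from publishing that port directly and bypassing the proxy. `gogs/gogs` has no tag and `mygogs` lacks the `restart: always` that the other services in this commit carry.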
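--- /dev/null
+++ b/examples/gogs/modsec-crs-confs/gogs.conf
@@ -0,0 +1,7 @@
+SecAction \
+"id:900220,\
+phase:1,\
+nolog,\
+pass,\
+t:none,\
+setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"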
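Review bot: The override adds `application/octet-stream` and `text/plain` to the CRS content-type whitelist, which lets any client send a request body that CRS's argument-based rules never parse; only the two `application/x-git-*-pack-request` entries are needed for Gogs' smart-HTTP clone and push, so the generic types should be dropped unless a concrete false positive is documented. A one-line header, `# allow git smart-HTTP request bodies through CRS rule 920420`, would record why the file exists. If the bundled crs-setup.conf already activates rule id 900220, ModSecurity refuses to start on the duplicate id — confirm before relying on this file.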
46 changes: 46 additions & 0 deletions examples/joomla/docker-compose.yml
@@ -0,0 +1,46 @@
version: '3'

services:

mywww:
image: bunkerity/bunkerized-nginx
restart: always
ports:
- 80:8080
- 443:8443
volumes:
- ./joomla-files:/www:ro
- ./letsencrypt:/etc/letsencrypt
environment:
- SERVER_NAME=www.website.com # replace with your domain
- AUTO_LETS_ENCRYPT=yes
- REDIRECT_HTTP_TO_HTTPS=yes
- DISABLE_DEFAULT_SERVER=yes
- MAX_CLIENT_SIZE=50m
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_BROTLI=yes
- REMOTE_PHP=myjoomla
- REMOTE_PHP_PATH=/var/www/html

myjoomla:
image: joomla:fpm-alpine
restart: always
volumes:
- ./joomla-files:/var/www/html
environment:
- JOOMLA_DB_HOST=mydb
- JOOMLA_DB_NAME=joomladb
- JOOMLA_DB_USER=user
- JOOMLA_DB_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)

mydb:
image: mariadb
restart: always
volumes:
- ./db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=joomladb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match JOOMLA_DB_PASSWORD)
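Review bot: The database password is written twice (`JOOMLA_DB_PASSWORD` and `MYSQL_PASSWORD`) with a comment asking the user to keep them in sync; compose variable substitution, `- JOOMLA_DB_PASSWORD=${DB_PASSWORD}` and `- MYSQL_PASSWORD=${DB_PASSWORD}` from an `.env` file, removes the drift and keeps the secret out of the committed file. `MYSQL_ROOT_PASSWORD=db-root-pwd` is a credential nothing in the stack uses, so `MYSQL_RANDOM_ROOT_PASSWORD=yes` is the safer default. `joomla:fpm-alpine` and the untagged `mariadb` float on mutable tags; pin the database to a major at least, since it owns the persisted `./db-data`.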
1 change: 1 addition & 0 deletions examples/load-balancer/docker-compose.yml
Expand Up @@ -18,6 +18,7 @@ services:
- REDIRECT_HTTP_TO_HTTPS=yes
- AUTO_LETS_ENCRYPT=yes
- USE_PROXY_CACHE=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_BROTLI=yes
- USE_REVERSE_PROXY=yes
1 change: 1 addition & 0 deletions examples/moodle/docker-compose.yml
Expand Up @@ -18,6 +18,7 @@ services:
- MAX_CLIENT_SIZE=50m
- SERVE_FILES=no
- USE_PROXY_CACHE=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_BROTLI=yes
- USE_REVERSE_PROXY=yes
1 change: 0 additions & 1 deletion examples/multisite-basic/docker-compose.yml
Expand Up @@ -25,7 +25,6 @@ services:
- app2.website.com_REMOTE_PHP=myapp2
- app2.website.com_REMOTE_PHP_PATH=/app
- app3.website.com_SERVE_FILES=no
- app3.website.com_USE_CLIENT_CACHE=no
- app3.website.com_USE_PROXY_CACHE=yes
- app3.website.com_USE_REVERSE_PROXY=yes
- app3.website.com_REVERSE_PROXY_URL=/
6 changes: 3 additions & 3 deletions examples/multisite-custom-server-confs/docker-compose.yml
Expand Up @@ -27,9 +27,9 @@ services:
- wp.website.com_REMOTE_PHP_PATH=/var/www/html
- nc.website.com_REMOTE_PHP=mync
- nc.website.com_REMOTE_PHP_PATH=/var/www/html
- nc.website.com_LIMIT_REQ_RATE=40r/s
- nc.website.com_LIMIT_REQ_BURST=60
- nc.website.com_ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT
- nc.website.com_LIMIT_REQ_RATE=5r/s
- nc.website.com_LIMIT_REQ_BURST=10
- nc.website.com_ALLOWED_METHODS=GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS
- nc.website.com_X_FRAME_OPTIONS=SAMEORIGIN
- nc.website.com_FAIL2BAN_STATUS_CODE=400|401|403|405|444
networks:
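Review bot: The new `nc.website.com_ALLOWED_METHODS` list drops `REPORT`, which CalDAV/CardDAV clients use against `/remote.php/dav` for calendar and contact sync, so those requests will be answered 405 by nginx — and because `nc.website.com_FAIL2BAN_STATUS_CODE` includes 405, a legitimate sync client can get itself banned. Keep the method: `...|PUT|UNLOCK|OPTIONS|REPORT`, and change the matching `tx.allowed_methods` in the modsec-crs-confs file in lockstep, since the two lists must agree. The drop from 40r/s to 5r/s with a burst of 10 is aggressive for the desktop client's parallel PROPFIND/GET traffic; the value deserves a comment explaining what it was tuned against.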
@@ -1 +1,2 @@
SecRuleRemoveById 921110
SecRule REQUEST_FILENAME "@contains /remote.php/webdav" "id:1,ctl:ruleRemoveByTag=OWASP_CRS"
@@ -1 +1,4 @@
SecRule REQUEST_FILENAME "/wp-admin/admin-ajax.php" "id:1,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-rce"
SecRule REQUEST_FILENAME "/wp-admin/options.php" "id:2,ctl:ruleRemoveByTag=attack-xss"
SecRule REQUEST_FILENAME "^/wp-json/yoast" "id:3,ctl:ruleRemoveById=930120"
SecRuleRemoveById 953120
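Review bot: `"/wp-admin/admin-ajax.php"` and `"/wp-admin/options.php"` are unanchored regexes against `REQUEST_FILENAME`, so the XSS and RCE rule groups are also switched off for `/index.php/wp-admin/admin-ajax.php` or any other path that merely embeds the string, which WordPress's permalink front controller will serve; anchor and escape them, `"^/wp-admin/admin-ajax\.php$"` and `"^/wp-admin/options\.php$"`, widening only if sub-directory installs must be covered. The three SecRules carry no `phase:1,pass,nolog`, so they default to phase 2 (leaving phase-1 CRS rules untouched) and fall through to the default action on every matching request. `SecRuleRemoveById 953120` disables a response data-leakage rule globally rather than for the route that triggers it and is worth a comment naming the false positive. This section's file header is not shown on the page, so the file path is not visible here.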
Expand Up @@ -12,4 +12,4 @@ SecAction \
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_methods=GET HEAD POST PROPFIND DELETE PUT MKCOL MOVE COPY PROPPATCH REPORT'"
setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'"
8 changes: 4 additions & 4 deletions examples/nextcloud/docker-compose.yml
Expand Up @@ -23,16 +23,16 @@ services:
- USE_CLIENT_CACHE=yes
- REMOTE_PHP=mync
- REMOTE_PHP_PATH=/var/www/html
- LIMIT_REQ_RATE=40r/s
- LIMIT_REQ_BURST=60
- ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT
- LIMIT_REQ_RATE=5r/s
- LIMIT_REQ_BURST=10
- ALLOWED_METHODS=GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS
- X_FRAME_OPTIONS=SAMEORIGIN
- USE_GZIP=yes
- USE_BROTLI=yes
- FAIL2BAN_STATUS_CODE=400|401|403|405|444

mync:
image: nextcloud:20-fpm
image: nextcloud:21-fpm
restart: always
volumes:
- ./nc-files:/var/www/html
1 change: 1 addition & 0 deletions examples/nextcloud/modsec-confs/nextcloud.conf
@@ -1 +1,2 @@
SecRuleRemoveById 921110
SecRule REQUEST_FILENAME "@contains /remote.php/webdav" "id:1,ctl:ruleRemoveByTag=OWASP_CRS"
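Review bot: `@contains /remote.php/webdav` disables the whole CRS for any request whose path contains that substring anywhere, e.g. `/index.php/apps/<app>/remote.php/webdav`, which Nextcloud still routes through index.php — a full WAF bypass one path suffix away. Use `@beginsWith /remote.php/webdav` (and a matching rule for `/remote.php/dav` if the newer endpoint is meant to be covered too, which this change does not say), and add `phase:1,pass,nolog` so the `ctl` also covers phase-1 CRS rules and does not hit the default action on every DAV request. `id:1` is reused by the other custom rule files in this commit; if two of them ever load into the same engine, ModSecurity fails on the duplicate id, so pick distinct ids per file. The identical rule appears in the unnamed section above it in this commit.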
2 changes: 1 addition & 1 deletion examples/nextcloud/modsec-crs-confs/nextcloud.conf
Expand Up @@ -12,4 +12,4 @@ SecAction \
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_methods=GET HEAD POST PROPFIND DELETE PUT MKCOL MOVE COPY PROPPATCH REPORT'"
setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'"
1 change: 1 addition & 0 deletions examples/passbolt/docker-compose.yml
Expand Up @@ -20,6 +20,7 @@ services:
- ALLOWED_METHODS=GET|POST|HEAD|PUT|DELETE
- SERVE_FILES=no
- USE_PROXY_CACHE=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_BROTLI=yes
- USE_REVERSE_PROXY=yes
47 changes: 47 additions & 0 deletions examples/redmine/docker-compose.yml
@@ -0,0 +1,47 @@
version: '3'

services:

myreverse:
image: bunkerity/bunkerized-nginx
restart: always
ports:
- 80:8080
- 443:8443
volumes:
- ./letsencrypt:/etc/letsencrypt
environment:
- SERVER_NAME=www.website.com # replace with your domain
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- REDIRECT_HTTP_TO_HTTPS=yes
- AUTO_LETS_ENCRYPT=yes
- USE_PROXY_CACHE=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_BROTLI=yes
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://myredmine:3000/

redmine:
image: redmine
restart: always
volumes:
- ./redmine-data:/usr/src/redmine/files
environment:
- REDMINE_DB_MYSQL=mydb
- REDMINE_DB_DATABASE=redminedb
- REDMINE_DB_USERNAME=user
- REDMINE_DB_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)

mydb:
image: mariadb
restart: always
volumes:
- ./db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=redminedb
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match REDMINE_DB_PASSWORD)
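Review bot: The application service is named `redmine` but the proxy points at `REVERSE_PROXY_HOST=http://myredmine:3000/`, so the hostname never resolves on the compose network and every request through the WAF fails; rename the service to `myredmine:` to match the other examples. `MYSQL_ROOT_PASSWORD=db-root-pwd` is a credential nothing in the stack uses, so `MYSQL_RANDOM_ROOT_PASSWORD=yes` is the safer default, and `REDMINE_DB_PASSWORD`/`MYSQL_PASSWORD` should come from one `${DB_PASSWORD}` substitution rather than two copies kept in sync by comment. `redmine` and `mariadb` are untagged; pin at least the database to a major since it owns the persisted `./db-data`.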
1 change: 1 addition & 0 deletions examples/reverse-proxy-multisite/docker-compose.yml
Expand Up @@ -18,6 +18,7 @@ services:
- REDIRECT_HTTP_TO_HTTPS=yes
- AUTO_LETS_ENCRYPT=yes
- USE_PROXY_CACHE=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_BROTLI=yes
- USE_REVERSE_PROXY=yes