Nginx with WAF

在官方ngxin Dockerfile的基础上，增加ModSecurity V3版本作为WAF。

使用方法

下载镜像

docker pull traceflight/nginx-with-waf

运行

docker run -d -v /path/to/conf/:/etc/nginx/conf.d/ \
              -v /path/to/log/:/var/log/nginx/ \
              -p 80:80 -p 443:443 \
              traceflight/nginx-with-waf

或使用docker compose，创建docker-compose.yml文件：

version: '3'
services:
 nginx:
    image: traceflight/nginx-with-waf
    restart: always
    volumes:
      - /path/to/conf/:/etc/nginx/conf.d/
      - /path/to/log/:/var/log/nginx/
    ports:
      - "80:80"
      - "443:443"

运行如下命令：

docker-compose up -d

Waf配置

默认ModSecurity为开启状态，其使用的owasp-modsecurity-crs规则集有可能会阻断正常的应用数据，如需要关掉ModSecurity,则需要在网站的配置中增加如下语句：

modsecurity off;

依赖项目

• Nginx
• ModSecurity
• ModSecurity nginx connector
• owasp-modsecurity-crs

与官方Dockerfile的区别

可通过如下命令查看当前版本与Nginx官方Dockerfile的区别：

diff <(curl -fsL https://github.com/nginxinc/docker-nginx/raw/1.15.12/mainline/alpine-perl/Dockerfile) <(curl -fsL https://github.com/traceflight/nginx-with-waf/raw/1.15.12/Dockerfile)

NGINX with libModSecurity + ModSecurity-nginx connector + OWASP ModSecurity Core Rule Set (CRS)

The dockerfile of this container has been copied from the official nginx repo (alpine-perl variant) and has been modified to add ModSecurity library (v3) + ModSecurity nginx connector + OWASP ModSecurity Core Rule Set (CRS)

You can refer to the official nginx image documentation for instructions on how to use this image.

When you provide your configuration you can enable modsecurity. Please refer to their wiki for documentation.

Extras

If you're curious to know the difference from this dockerfile and the upstream one:

diff <(curl -fsL https://github.com/nginxinc/docker-nginx/raw/1.15.12/mainline/alpine-perl/Dockerfile) <(curl -fsL https://github.com/traceflight/nginx-with-waf/raw/1.15.12/Dockerfile)