

[Merge] ~sajoupa/charm-k8s-wordpress:modsecurity into charm-k8s-wordpress:master

 

Laurent Sesquès has proposed merging ~sajoupa/charm-k8s-wordpress:modsecurity into charm-k8s-wordpress:master.

Commit message:
Add apache2-modsecurity and turn SecRuleEngine On

It uses the default configuration, with the known CRS exclusions for WordPress.

Requested reviews:
  Wordpress Charmers (wordpress-charmers)

For more details, see:
https://code.launchpad.net/~sajoupa/charm-k8s-wordpress/+git/charm-k8s-wordpress/+merge/414357
-- 
Your team Wordpress Charmers is requested to review the proposed merge of ~sajoupa/charm-k8s-wordpress:modsecurity into charm-k8s-wordpress:master.
diff --git a/Dockerfile b/Dockerfile
index a338c56..7eb38c0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,6 +4,7 @@ FROM ubuntu:${DIST_RELEASE} as base
 # HTTPS_PROXY used when we RUN curl to download Wordpress itself
 ARG BUILD_DATE
 ARG HTTPS_PROXY
+ARG MODSEC
 
 
 # Launchpad OCI image builds don't support dynamic arg parsing. Skip until
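Review bot: `ARG MODSEC` is added without a comment, while the comment just above this block explains what `HTTPS_PROXY` is for; the contract that the later `if [ -n "$MODSEC" ]` check relies on (any non-empty value enables the feature) is only discoverable by reading that RUN line. Add a line in the same style where the argument is declared, e.g. `# MODSEC: any non-empty value installs mod_security with the OWASP CRS and sets SecRuleEngine On`.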
@@ -46,6 +47,12 @@ RUN apt-get update && apt-get -y dist-upgrade \
         && ln -sfT /dev/stdout "$APACHE_LOG_DIR/other_vhosts_access.log" \
         && chown -R --no-dereference "$APACHE_RUN_USER:$APACHE_RUN_GROUP" "$APACHE_LOG_DIR"
 
+# Install apache2-modsec, activate the engine, and allow wordpress exclusions to avoid false positives
+RUN if [ -n "$MODSEC" ] ; then apt-get -y install modsecurity-crs \
+        && cp -p /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf \
+        && sed -i -e 's/^SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/modsecurity/modsecurity.conf \
+        && sed -i -e '/setvar:tx.crs_exclusions_xenforo/a SecAction \\\n  "id:900130,\\\n  phase:1,\\\n  nolog,\\\n  pass,\\\n  t:none,\\\n  setvar:tx.crs_exclusions_wordpress=1"' /etc/modsecurity/crs/crs-setup.conf ; fi
+
 # Configure PHP and apache2 - mod_php requires us to use mpm_prefork
 COPY ./image-builder/files/docker-php.conf $APACHE_CONFDIR/conf-available/docker-php.conf
 COPY ./image-builder/files/docker-php-swift-proxy.conf $APACHE_CONFDIR/conf-available/docker-php-swift-proxy.conf
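Review bot: Both `sed -i` edits in the new RUN are silent no-ops when their anchor text is absent, so a package revision whose `modsecurity.conf-recommended` or `crs-setup.conf` differs would leave the engine at `DetectionOnly` (logging, no blocking) or drop the WordPress exclusion, and the image would still build cleanly. Make the step fail loudly by asserting the intended state after editing, e.g. `&& grep -q '^SecRuleEngine On' /etc/modsecurity/modsecurity.conf && grep -q 'crs_exclusions_wordpress=1' /etc/modsecurity/crs/crs-setup.conf`. The install line names only `modsecurity-crs`, whereas `modsecurity.conf-recommended` and the Apache module are shipped by `libapache2-mod-security2`; installing it explicitly (`apt-get -y install libapache2-mod-security2 modsecurity-crs`) avoids depending on Recommends being pulled in — worth confirming against the focal package metadata. This RUN has no `apt-get update` of its own and presumably relies on the lists left by the earlier RUN; if that layer cleans `/var/lib/apt/lists`, the install will fail.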
diff --git a/image-builder/Makefile b/image-builder/Makefile
index 11c4542..14f1716 100644
--- a/image-builder/Makefile
+++ b/image-builder/Makefile
@@ -1,11 +1,13 @@
 DIST_RELEASE ?= focal
 VERSION ?= 5.8.3
+MODSEC ?= ""
 
 build-image:
 	@echo "Building the image."
 	@docker build \
 		--no-cache=true \
 		--build-arg DIST_RELEASE=$(DIST_RELEASE) \
+		--build-arg MODSEC=$(MODSEC) \
 		--build-arg VERSION=$(VERSION) \
 		-t wordpress:$(DIST_RELEASE)-$(VERSION) \
 		.
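Review bot: `MODSEC ?= ""` stores the two literal quote characters in the variable, and the build only sees an empty value because the unquoted `--build-arg MODSEC=$(MODSEC)` lets the recipe shell strip them; a plain `MODSEC ?=` gives the empty default directly, and `--build-arg MODSEC="$(MODSEC)"` keeps any user-supplied value intact. A one-line comment on the variable would help users find the knob, e.g. `# MODSEC: set to any non-empty value to build the image with mod_security enabled`.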
