modsecurity integration

[satheras]

Dear Community,

is there anyone that has done a modsecurity integration on basis of this nginx container set? I am desperately searching for a way to integrate modsecurity (including crs). Would be amazing if its possible to just include a modsecurity docker within a docker-compose.yml and fire it up.

thanks in advance and best regards
satheras

[buchdag]

The only way I see this working for now is placing your modsecurity-crs container between nginx-proxy and your application (with modsecurity-crs acting as a second reverse proxy), which mean one modsecurity-crs container you'll have to manually configure for every proxyed app.

Placing the modesecurity-crs container on the front is not really feasible as you would lose the tls termination and all the automatic tls configuration provided by docker-gen.

[jacen05]

Hello. I replaced the nginx container with owasp/modsecurity:3.0 image, and still use docker and letsencrypt-nginx-proxy-companion. Here is an except of my docker-compose.yml:

  nginx:
    image: owasp/modsecurity:3.0
    container_name: dev_proxy_nginx
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./proxy/conf:/etc/nginx/conf.d
      - ./proxy/vhost:/etc/nginx/vhost.d
      - ./proxy/html:/usr/share/nginx/html
      - ./proxy/certs:/etc/nginx/certs:ro
      - ./proxy/modsecurity.d:/etc/modsecurity.d

  docker-gen:
    image: jwilder/docker-gen:0.7.0
    command: -notify-sighup dev_proxy_nginx -watch /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
    container_name: dev_proxy_gen
    networks:
      - auth
    volumes:
      - ./proxy/conf:/etc/nginx/conf.d
      - ./proxy/vhost:/etc/nginx/vhost.d
      - ./proxy/certs:/etc/nginx/certs:ro
      - ./proxy/nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro

  letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion:v1.13
    container_name: dev_proxy_le
    volumes:
      - ./proxy/vhost:/etc/nginx/vhost.d
      - ./proxy/html:/usr/share/nginx/html
      - ./proxy/certs:/etc/nginx/certs
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - NGINX_PROXY_CONTAINER=dev_proxy_nginx
      - NGINX_DOCKER_GEN_CONTAINER=dev_proxy_gen

In the file proxy/nginx.tmpl I added the following lines:

modsecurity on;
modsecurity_rules_file /etc/modsecurity.d/include.conf;

All the modsecurity config is in files located in ./proxy/modsecurity.d

[luzmane]

Hi,
I created a new image to use instead of a pure nginx image using Dockerfile into luzmane\nginx and used in docker-compose.yml.
modsecurity.conf in conf.d folder turn the ModSecurity on.

Please note that if the request flow ends with a return directive inside a location directive, phase 2 of ModSecurity will not be executed. It took me time to reach this conclusion.