diff --git a/images/nginx/build.sh b/images/nginx/build.sh
index a21f741a1..60db58b5e 100755
--- a/images/nginx/build.sh
+++ b/images/nginx/build.sh
@@ -198,6 +198,29 @@
 sh build.sh
 make
 make install
+# Download owasp modsecurity crs
+cd /etc/nginx/
+git clone -b v3.1/dev --single-branch https://github.com/SpiderLabs/owasp-modsecurity-crs
+cd owasp-modsecurity-crs
+git checkout ce36edef52c17ad4d607d435477511d1b6dbe162
+
+mv crs-setup.conf.example crs-setup.conf
+mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
+mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
+cd ..
+
+# Download modsecurity.conf
+mkdir modsecurity
+cd modsecurity
+curl -sSL -o modsecurity.conf https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/dev/performance/modsecurity.conf-recommended
+
+# OWASP CRS v3 rules
+MODSEC_DIR=/etc/nginx/owasp-modsecurity-crs
+MODSEC_CONF=$MODSEC_DIR/nginx-modsecurity.conf
+echo "Include /etc/nginx/owasp-modsecurity-crs/crs-setup.conf" > $MODSEC_CONF
+ls $MODSEC_DIR/rules/REQUEST-* | xargs -n 1 echo "Include" >> $MODSEC_CONF
+ls $MODSEC_DIR/rules/RESPONSE-* | xargs -n 1 echo "Include" >> $MODSEC_CONF
+
 
 # build nginx
 cd "$BUILD_PATH/nginx-$NGINX_VERSION"
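Review bot: The `curl -sSL -o modsecurity.conf https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/dev/...` line fetches the WAF engine's base configuration from a moving branch with no commit pin and no digest check, while the CRS clone a few lines above is pinned to ce36edef…; whatever `v3/dev` serves at build time goes into the image, so builds are not reproducible and a change to that branch (or to whatever serves that URL) silently changes the engine settings the file carries. Pin it the same way as the rules: `curl -sSL -o modsecurity.conf "https://raw.githubusercontent.com/SpiderLabs/ModSecurity/${MODSEC_COMMIT}/modsecurity.conf-recommended"` followed by `echo "${MODSEC_SHA256}  modsecurity.conf" | sha256sum -c -`, with both values kept as constants at the top of the script. Separately, the two `ls … | xargs -n 1 echo "Include"` lines parse `ls` output to build the include list; if a glob matched nothing the config is still written (with a bare `Include` line on GNU xargs, or only crs-setup.conf on others) and the error is only noticed when nginx loads it, so a shell glob is cleaner, e.g. `for f in "$MODSEC_DIR"/rules/REQUEST-*; do printf 'Include %s\n' "$f"; done >> "$MODSEC_CONF"`. Whether build.sh runs under `set -e`/`pipefail` is outside this hunk.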
@@ -322,51 +345,3 @@ cp $HUNTER_INSTALL_DIR/lib/libthrift* /usr/local/lib rm /usr/local/lib/libthrift*.a rm -rf $HOME/.hunter - -# Download owasp modsecurity crs -cd /etc/nginx/ -git clone -b v3.1/dev --single-branch git@github.com:SpiderLabs/owasp-modsecurity-crs.git -cd owasp-modsecurity-crs -git checkout ce36edef52c17ad4d607d435477511d1b6dbe162 - -mv crs-setup.conf.example crs-setup.conf -mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf -mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf -cd .. - -# Download modsecurity.conf -mkdir modsecurity -cd modsecurity -curl -sSL -o modsecurity.conf https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/dev/performance/modsecurity.conf-recommended - -# OWASP CRS v3 rules -echo " -Include /etc/nginx/owasp-modsecurity-crs/crs-setup.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf -Include 
/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf -Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf -" > /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf diff --git a/images/nginx/srv b/images/nginx/srv new file mode 100644 index 000000000..04368d1fe --- /dev/null +++ b/images/nginx/srv 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: 2018-01-26T16:58:16Z + labels: + app: helm-infra-nginx-ingress + chart: helm-infra-nginx-ingress-0.1.54 + heritage: Tiller + release: helm-cmp-delivery-platform + name: ingress-nginx-external + namespace: ingress-nginx + resourceVersion: "1296893" +spec: + ports: + - name: http-web + nodePort: 31505 + port: 80 + protocol: TCP + targetPort: http-web + - name: https-web + nodePort: 31089 + port: 443 + protocol: TCP + targetPort: https-web + selector: + app: ingress-nginx-external + sessionAffinity: None + type: LoadBalancer + diff --git a/test.sh b/test.sh new file mode 100755 index 000000000..70424d9c6 --- /dev/null +++ b/test.sh @@ -0,0 +1,12 @@ +#!/bin/bash +set -e +CGROUP_CPU=/sys/fs/cgroup/cpu/cpu.shares +if [ -f "$CGROUP_CPU" ]; then + SHARES=$(cat $CGROUP_CPU) + CPUS=$(($SHARES / 1024)) + echo "$SHARES detected in the cgroup, rounds down to $CPUS cpus" +else + echo "No CGroup shares detected, will use default value of auto" + CPUS="auto" +fi +
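Review bot: images/nginx/srv reads like a `kubectl get svc -o yaml` dump rather than a manifest meant for the repo: it carries server-managed, cluster-specific fields (`creationTimestamp`, `resourceVersion: "1296893"`, `heritage: Tiller`, `release: helm-cmp-delivery-platform`) plus concrete `nodePort` values, has no file extension, and nothing else in this commit references it. If it was committed by accident it should be dropped; if it is intended as a manifest, strip the server-managed metadata and the `nodePort` lines so an apply neither fails on a stale resourceVersion nor collides on fixed node ports, and name it `service.yaml` so tooling recognises it. Note also that a `type: LoadBalancer` Service with no `loadBalancerSourceRanges` publishes ports 80/443 to any source — presumably intended for an external ingress, but worth stating in a comment if so.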
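Review bot: `CPUS=$(($SHARES / 1024))` rounds down to 0 whenever cpu.shares is below 1024 (e.g. a container given 512 shares), and if this number is meant to size worker processes a 0 is not usable; clamp it, `CPUS=$(( SHARES / 1024 )); (( CPUS >= 1 )) || CPUS=1`. cpu.shares is a relative scheduling weight rather than a limit — a container with a 2-CPU CFS quota and the default 1024 shares reports 1 here — so if a CPU bound is what the script is after, `cpu.cfs_quota_us`/`cpu.cfs_period_us` is the pair to read. The computed value is only echoed, never exported or consumed, and the file sits at the repo root as test.sh, which suggests a scratch script committed by mistake. Minor points: `cat $CGROUP_CPU` should be `cat "$CGROUP_CPU"`, and `SHARES` goes straight into arithmetic with no numeric check, so under `set -e` any unexpected file content aborts the script with an arithmetic error rather than falling back to `auto`.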