update the files to use official image with minor changes

PHOENIX-MEDIA · Dec 5, 2024 · 62756f7 · 62756f7
1 parent 4696b57
commit 62756f7
Show file tree

Hide file tree

Showing 5 changed files with 78 additions and 9 deletions.
diff --git a/templates/modsecurity-crs-configmap.yaml b/templates/modsecurity-crs-configmap.yaml
@@ -0,0 +1,11 @@
+{{- if and .Values.waf .Values.waf.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.waf.name | default "modsecurity-crs" }}
+data:
+{{- range $key, $value := .Values.waf.config }}
+  {{ $key }}: |-
+{{ $value | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/templates/modsecurity-crs-deployment.yaml b/templates/modsecurity-crs-deployment.yaml
@@ -2,7 +2,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: modsecurity-crs
+  name: {{ .Values.waf.name | default "modsecurity-crs" }}
   annotations: {{ toYaml .Values.waf.annotations | nindent 4 }}
   labels: {{ toYaml .Values.waf.labels | nindent 4 }}
 spec:
@@ -26,11 +26,20 @@ spec:
           ports:
             - containerPort: 8080
               name: http
-          readinessProbe: {{ toYaml .Values.waf.readinessProbe | nindent 12 }}
-          livenessProbe: {{ toYaml .Values.waf.livenessProbe | nindent 12 }}
           env:
             - name: PORT
               value: "8080"
             {{ toYaml .Values.waf.env | nindent 12 }}
+
+          volumeMounts:
+            - name: modsecurity-configmap
+              mountPath: /docker-entrypoint.d/999-phoenix-proxy-behaviour.sh
+              subPath: entrypoint.sh
+
+      volumes:
+        - name: modsecurity-configmap
+          configMap:
+            name: {{ .Values.waf.name | default "modsecurity-crs" }}
+            defaultMode: 0777
     dnsPolicy: ClusterFirst
 {{- end -}}
diff --git a/templates/modsecurity-crs-service.yaml b/templates/modsecurity-crs-service.yaml
@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: modsecurity-crs
+  name: {{ .Values.waf.name | default "modsecurity-crs" }}
 spec:
   type: ClusterIP
   clusterIP: None

diff --git a/values.yaml b/values.yaml
@@ -849,8 +849,8 @@ waf:
   #annotations: {}
   #labels: {}
   #image:
-  #  repository: phoenixmedia/modsecurity-crs
-  #  tag: main
+  #  repository: owasp/modsecurity-crs:nginx-alpine
+  #  tag: 4.9.0-nginx-alpine-202412020312
   #  pullPolicy: Always
   #env:
   #  # see more configuration options here: https://github.com/coreruleset/modsecurity-crs-docker/blob/main/README.md

diff --git a/values_waf.yaml b/values_waf.yaml
@@ -380,13 +380,25 @@ waf:
   annotations: {}
   labels: {}
   image:
-    repository: phoenixmedia/modsecurity-crs
-    tag: main
+    repository: owasp/modsecurity-crs:nginx-alpine
+    tag: 4.9.0-nginx-alpine-202412020312
     pullPolicy: Always
   env:
     # see more configuration options here: https://github.com/coreruleset/modsecurity-crs-docker/blob/main/README.md
     # keep in mind that this is a nginx image...
     # Replace <NAMESPACE> with the actual namespace where you are deploying
+    - name: MODSEC_DEBUG_LOG
+      value: "/dev/stdout"
+    - name: MODSEC_DEBUG_LOGLEVEL
+      value: "9"
+    - name: MODSEC_RULE_ENGINE
+      value: "DetectionOnly"
+    # CRS specific variables
+    - name: PARANOIA
+      value: "3"
+    - name: BLOCKING_PARANOIA
+      value: "3"
+    # PROXY variables
     - name: BACKEND
       value: "http://magento.<NAMESPACE>.svc.cluster.local:80"  # Forward traffic to magento
   resources:
@@ -411,4 +423,41 @@ waf:
     # if the probe fails 3 times within 30 seconds, the pod will get restarted
     periodSeconds: 10
     timeoutSeconds: 1
-    failureThreshold: 3
+    failureThreshold: 3
+  config:
+    entrypoint.sh: |-
+      #!/bin/sh
+
+      sed -i \
+      -e 's|^proxy_set_header X-Forwarded-For .*$|proxy_set_header X-Forwarded-For $http_x_forwarded_for;|' \
+      -e 's|^proxy_set_header X-Forwarded-Port .*$|proxy_set_header X-Forwarded-Port $http_x_forwarded_port;|' \
+      -e 's|^proxy_set_header X-Forwarded-Proto .*$|proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;|' \
+      /etc/nginx/includes/proxy_backend.conf
+
+      # Remove unnecessary rules
+      cat <<EOF >> /etc/modsecurity.d/modsecurity-override.conf
+      SecRuleRemoveByTag "language-aspnet"
+      SecRuleRemoveByTag "language-java"
+      SecRuleRemoveByTag "language-ldap"
+      SecRuleRemoveByTag "language-perl"
+      SecRuleRemoveByTag "language-powershell"
+      SecRuleRemoveByTag "language-ruby"
+
+      SecRuleRemoveByTag "platform-db2"
+      SecRuleRemoveByTag "platform-emc"
+      SecRuleRemoveByTag "platform-firebird"
+      SecRuleRemoveByTag "platform-frontbase"
+      SecRuleRemoveByTag "platform-hsqldb"
+      SecRuleRemoveByTag "platform-iis"
+      SecRuleRemoveByTag "platform-informix"
+      SecRuleRemoveByTag "platform-interbase"
+      SecRuleRemoveByTag "platform-internet-explorer"
+      SecRuleRemoveByTag "platform-maxdb"
+      SecRuleRemoveByTag "platform-msaccess"
+      SecRuleRemoveByTag "platform-mssql"
+      SecRuleRemoveByTag "platform-oracle"
+      SecRuleRemoveByTag "platform-pgsql"
+      SecRuleRemoveByTag "platform-sybase"
+      SecRuleRemoveByTag "platform-tomcat"
+      SecRuleRemoveByTag "platform-windows"
+      EOF