Modsecurity is working!

docker/rootfs/etc/cont-init.d/97_modsecurity.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+set -e # Exit immediately if a command exits with a non-zero status.
+set -u # Treat unset variables as an error.
+
+log() {
+  echo "[cont-init.d] $(basename "$0"): $*"
+}
+
+mkdir -p /data/modsec/ruleset
+ln -s /data/modsec/ /etc/nginx
+
+[ ! -f /data/modsec/main.conf ] && MODSEC_CREATE="1"
+
+if [ "${MODSEC_CREATE}" == "1" ] || [ "${MODSEC_CREATE}" -eq 1 ]; then
+  log "Setting up modsecurity persistent data"
+  cp /usr/local/modsecurity/templates/main.conf /data/modsec/main.conf
+  cp /usr/local/modsecurity/templates/modsecurity.conf /data/modsec/modsecurity.conf
+  cp /usr/local/modsecurity/templates/unicode.mapping /data/modsec/unicode.mapping
+  cp -r /usr/local/modsecurity/templates/* /data/modsec/
+  cp -r /usr/local/modsecurity/templates/ruleset/* /data/modsec/ruleset/
+  mv /data/modsec/ruleset/crs-setup.conf.example /data/modsec/ruleset/crs-setup.conf
+fi
+
+# Enable modsecurity in the server block of :80 and :443
+# Can disable this (default) and add the modsec directives in each location block
+if [ "${MODSEC_ENABLE}" == "1" ] || [ "${MODSEC_ENABLE}" -eq 1 ]; then
+  log "Enabling modsecurity in server block of port 80 and 443"
+  sed-patch "s|#<MODSEC_ON>|modsecurity on;|g" /etc/nginx/conf.d/default.conf
+  sed-patch "s|#<MODSEC_RULES>|modsecurity_rules_file /etc/nginx/modsec/main.conf;|g" /etc/nginx/conf.d/default.conf
+fi
+# Enabled modsecurity in the server block of :81 (admin dashboard)
+if [ "${MODSEC_ADMIN_PANEL}" == "1" ] || [ "${MODSEC_ADMIN_PANEL}" -eq 1 ]; then
+  log "Enabling modsecurity in server block of admin dashboard port 81"
+  sed-patch "s|#<MODSEC_ON>|modsecurity on;|g" /etc/nginx/conf.d/production.conf
+  sed-patch "s|#<MODSEC_RULES>|modsecurity_rules_file /etc/nginx/modsec/main.conf;|g" /etc/nginx/conf.d/production.conf
+
+fi

docker/rootfs/etc/cont-init.d/98_logging-options.sh

@@ -4,26 +4,26 @@
 set -e # Exit immediately if a command exits with a non-zero status.
 set -u # Treat unset variables as an error.
 
+log() {
+  echo "[cont-init.d] $(basename "$0"): $*"
+}
+
 # Redirect admin panel logs from /dev/null to log files if enabled
 if [[ ${ADMIN_PANEL_LOG} == "1" ]] || [[ ${ADMIN_PANEL_LOG} -eq 1 ]]; then
-  echo "Enabling admin dashboard logging"
-  echo "ADMIN_PANEL_LOG = $ADMIN_PANEL_LOG"
+  log "Enabling admin dashboard logging"
   sed-patch 's|<ADMIN_ACCESS_LOG>|/data/logs/admin-panel_access.log standard|' /etc/nginx/conf.d/production.conf
   sed-patch 's|<ADMIN_ERROR_LOG>|/data/logs/admin-panel_error.log warn|' /etc/nginx/conf.d/production.conf
 else
-  echo "Leaving admin dashboard logging off (default behavior)"
-  echo "ADMIN_PANEL_LOG = $ADMIN_PANEL_LOG"
+  log "Leaving admin dashboard logging off (default behavior)"
   sed-patch 's|<ADMIN_ACCESS_LOG>|/dev/null|' /etc/nginx/conf.d/production.conf
   sed-patch 's|<ADMIN_ERROR_LOG>|/dev/null|' /etc/nginx/conf.d/production.conf
 fi
 
 if [[ ${OPENRESTY_DEBUG} == "1" ]] || [[ ${OPENRESTY_DEBUG} -eq 1 ]]; then
-  echo "Changing OpenResty ERROR (fallback_error.log) logging to level: DEBUG"
-  echo "OPENRESTY_DEBUG = $OPENRESTY_DEBUG"
+  log "Changing OpenResty ERROR (fallback_error.log) logging to level: DEBUG"
   sed-patch 's|<ERROR_LOG_LEVEL>|debug|' /etc/nginx/nginx.conf
 
 else
-  echo "Leaving OpenResty ERROR (fallback_error.log) logging at level: WARN (default behavior)"
-  echo "OPENRESTY_DEBUG = $OPENRESTY_DEBUG"
+  log "Leaving OpenResty ERROR (fallback_error.log) logging at level: WARN (default behavior)"
   sed-patch 's|<ERROR_LOG_LEVEL>|warn|' /etc/nginx/nginx.conf
 fi

docker/rootfs/etc/cont-init.d/99_crowdsec-openresty-bouncer.sh

@@ -9,9 +9,14 @@ log() {
 }
 
 if [ "${CROWDSEC_BOUNCER}" == "1" ] || [ "${CROWDSEC_BOUNCER}" -eq 1 ]; then
+  log "Enabling CrowdSec Bouncer"
   mkdir -p /data/crowdsec
   #Install Crowdsec Bouncer Config.
-  [ -f /data/crowdsec/crowdsec-openresty-bouncer.conf ] || cp /crowdsec/crowdsec-openresty-bouncer.conf /data/crowdsec/crowdsec-openresty-bouncer.conf
+  if [ -f /data/crowdsec/crowdsec-openresty-bouncer.conf ]; then
+    cp /crowdsec/crowdsec-openresty-bouncer.conf /data/crowdsec/crowdsec-openresty-bouncer.conf
+    log "Crowdsec Bouncer Config copied to /data/crowdsec/crowdsec-openresty-bouncer.conf"
+  fi
+
   mkdir -p /etc/nginx/lualib/plugins/crowdsec/
   cp /crowdsec/lua/* /etc/nginx/lualib/plugins/crowdsec/
   cp /crowdsec/crowdsec_openresty.conf /etc/nginx/conf.d/