add modsec

Signed-off-by: Zoey <zoey@z0ey.de> Update Dockerfile
2025-08-03 16:03:38 +00:00 · 2023-05-18 17:03:35 +02:00
parent 73842be397
commit 7e6612467f
13 changed files with 151 additions and 114 deletions
--- a/rootfs/bin/start.sh
+++ b/rootfs/bin/start.sh
@@ -188,6 +188,7 @@ mkdir -vp /data/tls/certbot/renewal \
          /data/etc/html \
          /data/etc/access \
          /data/etc/crowdsec \
+          /data/etc/modsecurity \
          /data/nginx/redirection_host \
          /data/nginx/proxy_host \
          /data/nginx/dead_host \
@@ -318,6 +319,7 @@ find /data/nginx -type f -name '*.conf' -exec sed -i "/ssl_stapling/d" {} \;
 find /data/nginx -type f -name '*.conf' -exec sed -i "/ssl_stapling_verify/d" {} \;

 touch /data/etc/html/index.html \
+      /data/etc/modsecurity/modsecurity.conf \
      /data/nginx/default.conf \
      /data/nginx/ip_ranges.conf \
      /data/nginx/custom/root.conf \
@@ -332,6 +334,9 @@ touch /data/etc/html/index.html \
      /data/nginx/custom/server_stream_tcp.conf \
      /data/nginx/custom/server_stream_udp.conf

+cp -vn /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example /data/etc/modsecurity/crs-setup.conf
+cp -v /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example /data/etc/modsecurity/crs-setup.conf.example
+
 if [ -z "$NPM_CERT_ID" ]; then
    export NPM_CERT=/data/tls/dummycert.pem
    export NPM_KEY=/data/tls/dummykey.pem
--- a/rootfs/usr/local/nginx/conf/conf.d/include/block-exploits.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/block-exploits.conf
@@ -131,6 +131,34 @@ if ($http_user_agent ~ "GrabNet") {
    set $block_user_agents 1;
 }

+if ($http_user_agent ~ "Amazonbot") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Applebot") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Bingbot") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Facebookbot") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Googlebot") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "LinkedInBot") {
+    set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Twitterbot") {
+    set $block_user_agents 1;
+}
+
 if ($block_user_agents = 1) {
    return 403;
 }
--- a/rootfs/usr/local/nginx/conf/conf.d/npm.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/npm.conf
@@ -12,6 +12,9 @@ server {
    include conf.d/include/force-tls.conf;
    include conf.d/include/tls-ciphers.conf;
    include conf.d/include/block-exploits.conf;
+
+    modsecurity on;
+    modsecurity_rules_file /usr/local/nginx/conf/conf.d/include/modsecurity.conf;
    
    #ssl_certificate ;
    #ssl_certificate_key ;