Move <MODSEC> to base http {} block in an effort to minimize KNOWN modsec memory leaks.

docker/rootfs/etc/cont-init.d/97_modsecurity.sh

@@ -33,14 +33,14 @@ fi
 # Enable modsecurity in the server block of :80 and :443
 # Can disable this (default) and add the modsec directives in each location block
 if [ "${MODSEC_ENABLE}" == "1" ] || [ "${MODSEC_ENABLE}" -eq 1 ]; then
-  log "Enabling modsecurity in server block of port 80 and 443"
-  sed -i "s|#<MODSEC_ON>|modsecurity on;|g" /etc/nginx/conf.d/default.conf
-  sed -i "s|#<MODSEC_RULES>|modsecurity_rules_file /etc/nginx/modsec/main.conf;|g" /etc/nginx/conf.d/default.conf
+  message="Enabling modsecurity in ROOT http block"
+  sed -i "s|#<MODSEC_ON>|modsecurity on;|g" /etc/nginx/nginx.conf
+  sed -i "s|#<MODSEC_RULES>|modsecurity_rules_file /etc/nginx/modsec/main.conf;|g" /etc/nginx/nginx.conf
+  # Enabled modsecurity in the server block of :81 (admin dashboard)
+  if [ "${MODSEC_ADMIN_PANEL}" == "0" ] || [ "${MODSEC_ADMIN_PANEL}" -eq 0 ]; then
+    log "${message} and DISABLING in Admin dashboard port 81"
+    sed -i "s|#<MODSEC_ON>|modsecurity off;|g" /etc/nginx/conf.d/production.conf
+  else
+    log "${message} and Admin dashboard port 81"
+  fi
 fi
-# Enabled modsecurity in the server block of :81 (admin dashboard)
-if [ "${MODSEC_ADMIN_PANEL}" == "1" ] || [ "${MODSEC_ADMIN_PANEL}" -eq 1 ]; then
-  log "Enabling modsecurity in server block of admin dashboard port 81"
-  sed -i "s|#<MODSEC_ON>|modsecurity on;|g" /etc/nginx/conf.d/production.conf
-  sed -i "s|#<MODSEC_RULES>|modsecurity_rules_file /etc/nginx/modsec/main.conf;|g" /etc/nginx/conf.d/production.conf
-
-fi

docker/rootfs/etc/nginx/nginx.conf

@@ -56,7 +56,8 @@ http {
         map $host $forward_scheme {
                 default http;
         }
-
+        #<MODSEC_ON>
+        #<MODSEC_RULES>
         # Real IP Determination
 
         # Local subnets: