owasp/modsecurity-crs:{nginx/apache} as a standalone webserver #61

Open
Captainzalad opened this issue Feb 23, 2022 · 5 comments

@Captainzalad

Hello,
I am having a hard time running a quick apache/nginx webserver + WAF for demonstration purposes.
I would prefer to use the owasp/modsecurity image as a standalone server rather than a reverse proxy.
I followed the documentation for modsecurity both with and without CRS, but with no success.
Here are my issues:

```
docker run -p 8080:80 owasp/modsecurity-crs:nginx-alpine
```

After running the above command, under localhost:8080 nginx always serves 50x.html rather than index.html:

```
curl -v localhost:8080
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 502 Bad Gateway
< Server: nginx/1.20.2
< Date: Wed, 23 Feb 2022 21:13:19 GMT
< Content-Type: text/html
< Content-Length: 494
< Connection: keep-alive
< ETag: "6193c877-1ee"
```

I've tried to map the public_html directory to modify/add my own indexes:

```
docker run -p 8080:80 -v myPATH:/usr/share/nginx/html/ owasp/modsecurity-crs:nginx-alpine
```

The container provides only these two files:

```
ls -lah myPath
-rw-r--r--  1 root root 1.0M Feb 23 22:24 modsec-shared-collections
-rw-r--r--  1 root root 8.0K Feb 23 22:24 modsec-shared-collections-lock
```

The GET result of localhost:8080:

```
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Server: nginx/1.20.2
< Date: Wed, 23 Feb 2022 21:25:31 GMT
< Content-Type: text/html
< Content-Length: 153
< Connection: keep-alive
```

I've also tried different supported variants and changed environment variables, but with no success.
The Apache variant serves nothing and ended up in an endless loop!

From what I understand, the images are meant to be an easy implementation. Am I missing something? Or should the images be used only as a reverse proxy?

Appreciate any help.
Regards.

@fzipi
Member

fzipi commented Feb 27, 2022

Hi @Captainzalad, sorry for the delay. As a matter of fact, this was a feature in the past.

If you look at https://github.com/coreruleset/modsecurity-crs-docker#notes-regarding-reverse-proxy, it should be supported. But looking at the implementation, it is clearly not supported anymore 🤔 .

Now reverse proxy is the default mode. What I can do is create a new EMBEDDED mode, that should work as you expect. Give me a couple days to work it out.

@fzipi fzipi self-assigned this Feb 27, 2022
@fzipi fzipi added bug Something isn't working documentation Improvements or additions to documentation labels Feb 27, 2022
@fzipi
Member

fzipi commented Mar 10, 2022

Some of the fixes I'm working on will collide with my solution for this, so I'm pushing this a bit further in time.

@ne20002

ne20002 commented Apr 2, 2022

I'm pretty sure it is possible to use the owasp/modsecurity-crs in standalone mode. This is what I did:

I have two pods (using podman instead of docker, but I'm sure that does not matter here): one with Nextcloud, the other with Friendica. Both used an nginx as web server in front of the php-fpm image.

  • I replaced the nginx container with owasp/modsecurity-crs. It worked out of the box, as
  • the nginx.conf is unchanged and mapped in the container in /etc/nginx/nginx.conf
  • The owasp/modsecurity-crs container however required the nginx.conf to be writable, so I can't mount it in ro mode. But it did not make any changes to the file.
  • I added the necessary lines to include modsecurity into the nginx.conf
  • I did not pass any of the env variables documented in hub.docker.com for the owasp/modsecurity-crs container
    That's it.
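
An added example, not part of ne20002's comment and not the project's own configuration: a minimal `nginx.conf` of the kind described above, serving content directly with ModSecurity enabled instead of proxying to a backend. The module path, the `setup.conf` path and the php-fpm address are assumptions; check them against the files inside the image you run.

```nginx
# Added example: standalone (non-proxy) nginx.conf with ModSecurity enabled.
# Mounted at /etc/nginx/nginx.conf, writable (no :ro), as described in the comment above.

# Assumed module path; the connector must be loaded before any modsecurity directive.
load_module modules/ngx_http_modsecurity_module.so;

events {
    worker_connections 1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # The "necessary lines to include modsecurity": enable the engine for
    # every server block and point it at the rule bootstrap file.
    modsecurity on;
    modsecurity_rules_file /etc/modsecurity.d/setup.conf;  # assumed path inside the image

    server {
        listen 80;
        server_name localhost;

        # Content is served from disk; there is no proxy_pass to a backend,
        # so nginx has no upstream that could fail with a 502.
        root  /usr/share/nginx/html;
        index index.html index.php;

        location / {
            try_files $uri $uri/ =404;
        }

        # php-fpm running in the same pod (assumed address), as in the
        # Nextcloud/Friendica setup described above.
        location ~ \.php$ {
            include       fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass  127.0.0.1:9000;
        }
    }
}
```

Because a WAF that silently failed to load still serves pages normally, confirm after startup that the nginx error log reports the ModSecurity connector and a non-zero count of loaded rules.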

@fzipi
Member

fzipi commented Apr 5, 2022

Thanks for the comment.

@Ben-Atherton

I'd be keen on a standalone version too.
