owasp/modsecurity-crs:{nginx/apache} as a standalone webserver

[Captainzalad]

Hello,
I am getting hard to run a quick apache/nginx webserver + waf for demonstration purposes,
I would prefer to use owasp/modsecurity image as a standalone server rather than a reverse proxy,
I followed the documentation for both modsecurity with and without crs, but no success.
here is my issues:

docker run -p 8080:80 -owasp/modsecurity-crs:nginx-alpine

after running the above command, under localhost:8080 nginx always services 50x.html rather than index.html

curl -v localhost:8080

*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 502 Bad Gateway
< Server: nginx/1.20.2
< Date: Wed, 23 Feb 2022 21:13:19 GMT
< Content-Type: text/html
< Content-Length: 494
< Connection: keep-alive
< ETag: "6193c877-1ee"

I've tried to map public_html directory to modify/add my own indexes

docker run -p 8080:80 -v myPATH:/usr/share/nginx/html/ -owasp/modsecurity-crs:nginx-alpine

the container provides only these two files:

ls -lah myPath
-rw-r--r--  1 root root 1.0M Feb 23 22:24 modsec-shared-collections
-rw-r--r--  1 root root 8.0K Feb 23 22:24 modsec-shared-collections-lock

the GET result of localhost:8080

*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Server: nginx/1.20.2
< Date: Wed, 23 Feb 2022 21:25:31 GMT
< Content-Type: text/html
< Content-Length: 153
< Connection: keep-alive

I've also tried different supported variants, and changed environment variables, but no success.
the Apache variant serves nothing and ended up in an endless loop!

From what I understand, the images meant to be an easy implementation. am I missing something? or the images should be used only as reverse proxy?

appreciate any help
regards.

[fzipi]

Hi @Captainzalad, sorry for the delay. As a matter of fact, this was a feature in the past.

If you look at https://github.com/coreruleset/modsecurity-crs-docker#notes-regarding-reverse-proxy, it should be supported. But looking at the implementation, it is clearly not supported anymore 🤔 .

Now reverse proxy is the default mode. What I can do is create a new EMBEDDED mode, that should work as you expect. Give me a couple days to work it out.

[fzipi]

Some of the fixes I'm working will collide with my solution for this, so I'm pushing this a bit further in time.

[ne20002]

I'm pretty sure it is possible to use the owasp/modsecurity-crs in standalone mode. This is what I did:

I have two pods (using podman instead of docker, but I'm sure that does not matter here): one with Nextcloud, the other with Friendica. Both used an nginx as web server in front of the php-fpm image.

• I replaced the nginx container with the owasp:modsecurity.crs. It worked out of the box, as
• the nginx.conf is unchanged and mapped in the container in /etc/nginx/nginx.conf
• The owasp/modsecurity-crs container however required the nginx.conf to be writable so I can't mount it ro mode. But it did not any changes to the file.
• I added the necessary lines to include modsecurity into the nginx.conf
• I did not pass any of the env variables documented in hub.docker.com for the owasp/modsecurity-crs container
  That's it.

[fzipi]

Thanks for the comment.

[Ben-Atherton]

I'd be keen on a standalone version too.

[webysther]

I'll add some ideas here. I like how Authelia works using auth_request, which allows you to process the request internally by calling another docker/server/upstream/vm/bare, which allows it to work with practically any type of proxy/architecture. I wonder why CRS isn't like that too? I believe that sending the request to a docker that can be created with any proxy that returns 200 or 4xx to determine whether the request can proceed or not makes more sense (for security because of isolations too!). It would allow you to add it to environments that already have SSL configured and there would be no need to perform migration. Another possibility is to allow it to be implemented per host gradually. Below is the image that the Authelia project uses, but I added the CRS to illustrate:

[webysther]

I even thought about using auth_request with the crs which wasn't made for this but might make sense for the purpose.

Just a brain fart sample:

server {
    listen 80;
    server_name example.com;

    location / {
        auth_request /crs;
        auth_request_set $crs_status $upstream_status;
        error_page 403 = @error_crs;
        auth_request /authelia;
        error_page 401 = @error_auth;
        proxy_pass http://backend;
    }

    location /crs {
        internal;
        proxy_pass http://crs-docker:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }

    location /authelia {
        internal;
        proxy_pass http://authelia-docker:9091/api/verify;
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        proxy_set_header X-Forwarded-Method $request_method;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location @error_crs {
        return 403;
    }

    location @error_auth {
        proxy_pass http://authelia:9091/api/error;
    }
}

[webysther]

Looks like I'm talk about openappsec: