# docker nginx with modsecurity, njs, geoip2, lua, dynamic_upstream
```bash
docker pull sreinfrasystemjp/docker-nginx-modsecurity
docker run --rm \
  -p 10080:80 \
  -v "$(pwd)/log:/var/log/nginx" \
  sreinfrasystemjp/docker-nginx-modsecurity
# port 10080 is mapped to the container's plain HTTP port 80
curl http://localhost:10080/
```
| target | function | note |
|---|---|---|
| PCI DSS 6.6 WAF | nginx modsecurity v3 + CRS | |
| GDPR: mask IP address | nginx njs | https://www.nginx.com/blog/data-masking-user-privacy-nginscript/ |
| Get country code before masking the IP address | nginx geoip2 | |
| Get distributed unique ID | nginx lua (and katsubushi) | https://speakerdeck.com/fujiwara3/katsubushi?slide=56 |
| Blue-Green Deployment | nginx dynamic_upstream | https://qiita.com/cubicdaiya/items/09023ca6ed056d3d1ed2 |
```bash
git clone https://github.com/sreinfrasystemjp/docker-nginx-modsecurity.git
cd docker-nginx-modsecurity
```

```bash
docker run --rm \
  -p 10080:80 \
  -v "$(pwd)/log:/var/log/nginx" \
  sreinfrasystemjp/docker-nginx-modsecurity

# 200 OK
curl http://localhost:10080/
# 403 Forbidden (blocked by modsecurity + CRS)
curl "http://localhost:10080/?f=../../etc"

tail log/access.log
tail log/error.log
tail log/modsec_audit.log
```
```bash
git clone https://github.com/sreinfrasystemjp/docker-nginx-modsecurity.git
cd docker-nginx-modsecurity
```

- log_format: see conf.d.mask_ip.geoip2.lua.dynamic_upstream/default.conf

```nginx
log_format masked '$request_id $remote_addr_masked '
                  '$geoip2_country_code $geoip2_country_name $upstream_addr ...';
log_format nomask '$request_id $remote_addr_masked $remote_addr';
access_log /var/log/nginx/access.log masked;
access_log /var/log/nginx/access.nomask.log nomask;
```

```bash
docker run --rm \
  -p 10080:80 \
  -v "$(pwd)/log:/var/log/nginx" \
  -v "$(pwd)/conf.d.mask_ip.geoip2.lua.dynamic_upstream:/etc/nginx/conf.d" \
  sreinfrasystemjp/docker-nginx-modsecurity

# njs   : $remote_addr_masked : https://www.nginx.com/blog/data-masking-user-privacy-nginscript/
# geoip2: $geoip2_country_code $geoip2_country_name
# lua   : /lua
curl http://localhost:10080/lua

tail log/access.log
tail log/access.nomask.log
```
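The `masked` log format above records `$remote_addr_masked`, a variable produced by an njs function, while the `nomask` format keeps the full `$remote_addr`. The following is an added example of such a function, not code from the docker-nginx-modsecurity project or from the nginx blog post it links to. The masking policy is this example's own assumption (IPv4 keeps the first three octets, IPv6 keeps the first 48 bits), as are the module name `mask.js` and the handler name `remoteAddrMasked`; `r.remoteAddress` is the njs request property that carries the client address.

```javascript
// Added example (not the project's code): mask a client address before logging.
// Policy assumed here: IPv4 -> last octet zeroed; IPv6 -> first 3 groups kept,
// the rest dropped. Anything unparseable becomes "-", nginx's empty-variable marker.

function maskIpv4(addr) {
  const octets = addr.split('.');
  if (octets.length !== 4) return null;
  for (const o of octets) {
    if (!/^\d{1,3}$/.test(o) || Number(o) > 255) return null;
  }
  octets[3] = '0';
  return octets.join('.');
}

// Expand a textual IPv6 address (with at most one "::") into 8 hex groups.
// IPv4-mapped forms such as ::ffff:203.0.113.42 are treated as unparseable here.
function expandIpv6(addr) {
  const parts = addr.split('::');
  if (parts.length > 2) return null;
  const left = parts[0] ? parts[0].split(':') : [];
  const right = parts.length === 2 && parts[1] ? parts[1].split(':') : [];
  const groups = left.concat(right);
  if (groups.some((g) => !/^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  if (parts.length === 2) {
    if (groups.length > 7) return null;
    const fill = new Array(8 - groups.length).fill('0');
    return left.concat(fill, right);
  }
  return groups.length === 8 ? groups : null;
}

function maskIpv6(addr) {
  const groups = expandIpv6(addr);
  if (!groups) return null;
  // keep the /48 prefix, strip leading zeros, normalise to lowercase
  const kept = groups.slice(0, 3).map((g) => g.replace(/^0+(?=.)/, '').toLowerCase());
  return kept.join(':') + '::';
}

// Returns the masked form of addr, or "-" when it is not a valid IPv4/IPv6 address.
function maskIp(addr) {
  if (typeof addr !== 'string' || addr.length === 0) return '-';
  const masked = addr.indexOf(':') === -1 ? maskIpv4(addr) : maskIpv6(addr);
  return masked === null ? '-' : masked;
}

// njs handler. Assumed wiring in nginx.conf (not the project's file):
//   js_import mask from mask.js;
//   js_set $remote_addr_masked mask.remoteAddrMasked;
// In the njs module itself, export it with:  export default { remoteAddrMasked };
function remoteAddrMasked(r) {
  return maskIp(r.remoteAddress);
}

// Constructed sample addresses (documentation ranges, not real clients).
const SAMPLE_ADDRESSES = ['203.0.113.42', '2001:0db8:85a3:0000:0000:8a2e:0370:7334', '::1', 'not-an-ip'];
for (const a of SAMPLE_ADDRESSES) {
  console.log(a, '->', maskIp(a));
}
```

Because `js_set` defines a new variable, `$remote_addr` itself is untouched: the geoip2 lookup in the same configuration still sees the real client address, which is what lets the country code be recorded before the masked address is written.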
```bash
docker run --rm \
  -p 10080:80 \
  -p 10443:443 \
  -v "$(pwd)/log:/var/log/nginx" \
  sreinfrasystemjp/docker-nginx-modsecurity

# download ca.der (served over plain HTTP on port 80)
curl -O http://localhost:10080/ca.der
# install ca.der into your browser

# edit your /etc/hosts
127.0.0.1 localhost nginx.docker.test nginx.example.com nginx.example.jp

# browser access
https://localhost:10443/
https://nginx.docker.test:10443/
https://nginx.example.com:10443/
https://nginx.example.jp:10443/
```
| role | Subject | Date |
|---|---|---|
| self CA | C=JP/ST=Earth/L=Japan/O=localhost/CN=localhost | 2019-04-03 - 2039-03-29 |
| server | C=JP/ST=Asia/L=Japan/O=localhost/CN=localhost | 2019-04-03 - 2029-03-31 |

- server's SAN: localhost docker.test *.docker.test example.com *.example.com example.jp *.example.jp
| nginx setting | file | note |
|---|---|---|
| ssl_certificate | conf/nginx.crt | self CA crt + server crt |
| ssl_certificate_key | conf/server.key | server key |
Download ca.der from
https://github.com/sreinfrasystemjp/docker-nginx-modsecurity/blob/master/conf/ca.der
or
http://localhost:10080/ca.der
and install ca.der into your browser:

- chrome
- firefox
```bash
docker run --rm \
  --name nginx_dynamic \
  -p 10080:80 \
  -p 10081:81 \
  -p 10082:82 \
  -p 10443:443 \
  -v "$(pwd)/log:/var/log/nginx" \
  sreinfrasystemjp/docker-nginx-modsecurity

# download ca.der
curl -O http://localhost:10080/ca.der
# install ca.der into your browser

# edit your /etc/hosts
127.0.0.1 localhost dynamic.docker.test

# browser direct access (blue)
https://dynamic.docker.test:10081/
# browser direct access (green)
https://dynamic.docker.test:10082/
# browser access via the upstream (blue)
https://dynamic.docker.test:10443/

# change blue (127.0.0.1:81) -> green (127.0.0.1:82) inside the container
docker exec -it nginx_dynamic /bin/bash
curl "http://127.0.0.1/dynamic?upstream=zoneapp"
curl "http://127.0.0.1/dynamic?upstream=zoneapp&server=127.0.0.1:82&up="
curl "http://127.0.0.1/dynamic?upstream=zoneapp&server=127.0.0.1:81&down="
# make the switch persistent across restarts
cd /etc/nginx/conf
ln -sf upstream.app.green.conf upstream.app.conf
ls -al upstream.app.*
curl "http://127.0.0.1/dynamic?upstream=zoneapp"

# browser access via the upstream (green)
https://dynamic.docker.test:10443/

# check $upstream_addr in the log
tail log/access.log
```
Apache License 2.0
This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com
- Library's License