Use nginx as base image instead of ubuntu

[bittner]

As announced in #32 (comment) we started to flatten selected branches into a directory structure on a new branch, called master:

• v2-apache/ <-- from v2/apache-apache
• v2-nginx/ <-- from v2/ubuntu-nginx
• v3-apache/ <-- from v3/apache-apache
• v3-nginx/ <-- from v3/nginx-nginx

The checkout-branches-to-folders.sh script documents where the structure comes from. (We will delete this script in future.)

Current State

3 of the 4 directories have unchanged content. For the ModSecurity v2 + Nginx combination, however, we don't have a branch we could have simply taken over. Hence, we used the v2/ubuntu-nginx branch instead, with the plan to refactor the image to base it on the nginx Docker image, as suggested by @csanders-git.

undefined symbol: curl_easy_setopt

We tried to build the ModSecurity standalone and integrate it into Nginx, taking the approach from v3/nginx-nginx as a role model.

Building the image works fine, but when we run Nginx the included ModSecurity binary complains about unresolved symbols:

$ docker run --rm modsec:v2-nginx
2019/12/10 18:17:43 [emerg] 1#1: dlopen() "/etc/nginx/modules/ngx_http_modsecurity_module.so" failed (/etc/nginx/modules/ngx_http_modsecurity_module.so: undefined symbol: curl_easy_setopt) in /etc/nginx/nginx.conf:1
nginx: [emerg] dlopen() "/etc/nginx/modules/ngx_http_modsecurity_module.so" failed (/etc/nginx/modules/ngx_http_modsecurity_module.so: undefined symbol: curl_easy_setopt) in /etc/nginx/nginx.conf:1

Can you help us with that? Are there some linker options we need to add to configure?

[simu]

I've spent some time trying to figure out whether the ModSecurity v2 nginx module can be built as a dynamic module using the following references:

• https://gorails.com/blog/how-to-compile-dynamic-nginx-modules
• https://gist.github.com/hermanbanken/96f0ff298c162a522ddbba44cad31081
• https://www.nginx.com/blog/compiling-dynamic-modules-nginx-plus/
• https://www.nginx.com/resources/wiki/extending/converting/
• https://www.nginx.com/resources/wiki/extending/new_config/

Given the official nginx documentation, and comparing with the bundled nginx config of ModSecurity v2, I believe it is currently not possible to build ModSecurity v2 as a dynamic nginx module as the config is not a new-style config, and therefore doesn't support $nginx_module_link=DYNAMIC.

[bittner]

Thanks, Simon, for taking a closer look! That helped a lot. 👍

As an outcome, I suggest we leave the master branch as it is, with v2-nginx being based on ubuntu, and focus on getting the automatic builds on Docker Hub configured and working.

Future enhancements

In the long run, it would make sense to have all binaries built outside our Docker image, as "stable" versions, and only installed them (via apt-get install and the like). This would be to make the images more trustworthy, less risky (because not built on-the-fly). It will also significantly reduce build time.

If anyone has helpful input with regards to that please comment here. Thank you!

[simu]

I'd additionally suggest using make -j8 or make -j16 to run 8 or 16 compilation steps in parallel, which significantly reduces build time for (at least) ModSecurity v2 and nginx, as these C/C++ builds tend to be stuck in iowait a lot of the time if they're run single-threaded.

[bittner]

Side note: @zimmerle from SpiderLabs actively discourages the use of v2 with Nginx.

[bittner]

As a result of clarifications in issue #32 we will close down the effort of getting ModSecurity v2 + Nginx play well together in a Docker image. Same goes for the combination of ModSecurity v3 + Apache, at least for now.

Thanks everyone for your contribution to getting this clarified! 👍

Hence closing this PR.