Move <MODSEC> to base http {} block in an effort to minimize KNOWN modsec memory leaks.

Author: baudneo

docker/rootfs/etc/cont-init.d/97_modsecurity.sh

@@ -33,14 +33,14 @@ fi
 # Enable modsecurity in the server block of :80 and :443
 # Can disable this (default) and add the modsec directives in each ___location block
 if [ "${MODSEC_ENABLE}" == "1" ] || [ "${MODSEC_ENABLE}" -eq 1 ]; then
-  log "Enabling modsecurity in server block of port 80 and 443"
-  sed -i "s|#<MODSEC_ON>|modsecurity on;|g" /etc/nginx/conf.d/default.conf
-  sed -i "s|#<MODSEC_RULES>|modsecurity_rules_file /etc/nginx/modsec/main.conf;|g" /etc/nginx/conf.d/default.conf
+  message="Enabling modsecurity in ROOT http block"
+  sed -i "s|#<MODSEC_ON>|modsecurity on;|g" /etc/nginx/nginx.conf
+  sed -i "s|#<MODSEC_RULES>|modsecurity_rules_file /etc/nginx/modsec/main.conf;|g" /etc/nginx/nginx.conf
+  # Enabled modsecurity in the server block of :81 (admin dashboard)
+  if [ "${MODSEC_ADMIN_PANEL}" == "0" ] || [ "${MODSEC_ADMIN_PANEL}" -eq 0 ]; then
+    log "${message} and DISABLING in Admin dashboard port 81"
+    sed -i "s|#<MODSEC_ON>|modsecurity off;|g" /etc/nginx/conf.d/production.conf
+  else
+    log "${message} and Admin dashboard port 81"
+  fi
 fi
-# Enabled modsecurity in the server block of :81 (admin dashboard)
-if [ "${MODSEC_ADMIN_PANEL}" == "1" ] || [ "${MODSEC_ADMIN_PANEL}" -eq 1 ]; then
-  log "Enabling modsecurity in server block of admin dashboard port 81"
-  sed -i "s|#<MODSEC_ON>|modsecurity on;|g" /etc/nginx/conf.d/production.conf
-  sed -i "s|#<MODSEC_RULES>|modsecurity_rules_file /etc/nginx/modsec/main.conf;|g" /etc/nginx/conf.d/production.conf
-
-fi

docker/rootfs/etc/nginx/nginx.conf

@@ -56,7 +56,8 @@ http {
         map $host $forward_scheme {
                 default http;
         }
-
+        #<MODSEC_ON>
+        #<MODSEC_RULES>
         # Real IP Determination
 
         # Local subnets:

local-build.sh

@@ -19,13 +19,15 @@ export BUILD_VERSION=dev
 export BUILD_COMMIT=
 export BUILD_DATE="$(date '+%Y-%m-%d %T %Z')"
 export SSL_CERTS_PATH="/etc/ssl/certs/GTS_Root_R1.pem"
-echo -e "${YELLOW}❯❯❯ ${CYAN}Running ${RED}'scripts/frontend-build'${RESET}"
-bash ./scripts/frontend-build
-echo -e "${YELLOW}❯❯❯ ${CYAN}Completed ${RED}'frontend-build'${RESET}"
-# Build
+
+# Build FrontEnd
+#echo -e "${YELLOW}❯❯❯ ${CYAN}Running ${RED}'scripts/frontend-build'${RESET}"
+#bash ./scripts/frontend-build
+#echo -e "${YELLOW}❯❯❯ ${CYAN}Completed ${RED}'frontend-build'${RESET}"
+
+# Build Final Image
 echo -e "${BLUE}❯ ${CYAN}Building ${RED}LOCAL ${CYAN}Image [${DOCKER_IMAGE}] with tag: ${YELLOW}${BASE_TAG}${CYAN}...${RESET}"
 docker build \
-        \
         --build-arg BUILD_VERSION="${BUILD_VERSION:-dev}" \
         --build-arg BUILD_COMMIT="${BUILD_COMMIT:-notset}" \
         --build-arg BUILD_DATE="${BUILD_DATE}" \