fix CVE-2021-20205 and examples update

Dockerfile

@@ -16,6 +16,9 @@ COPY lua/ /opt/lua
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
 
+# fix CVE-2021-20205
+RUN apk add "libjpeg-turbo>=2.1.0-r0"
+
 VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
 
 EXPOSE 8080/tcp 8443/tcp

Dockerfile-amd64

@@ -16,6 +16,9 @@ COPY lua/ /opt/lua
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
 
+# fix CVE-2021-20205
+RUN apk add "libjpeg-turbo>=2.1.0-r0"
+
 VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
 
 EXPOSE 8080/tcp 8443/tcp

Dockerfile-arm32v7

@@ -23,6 +23,9 @@ COPY lua/ /opt/lua
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
 
+# fix CVE-2021-20205
+RUN apk add "libjpeg-turbo>=2.1.0-r0"
+
 VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
 
 EXPOSE 8080/tcp 8443/tcp

Dockerfile-arm64v8

@@ -23,6 +23,9 @@ COPY lua/ /opt/lua
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
 
+# fix CVE-2021-20205
+RUN apk add "libjpeg-turbo>=2.1.0-r0"
+
 VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
 
 EXPOSE 8080/tcp 8443/tcp

Dockerfile-i386

@@ -16,6 +16,9 @@ COPY lua/ /opt/lua
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
 
+# fix CVE-2021-20205
+RUN apk add "libjpeg-turbo>=2.1.0-r0"
+
 VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
 
 EXPOSE 8080/tcp 8443/tcp

examples/autoconf-reverse-proxy/docker-compose.yml

@@ -18,6 +18,7 @@ services:
       - REDIRECT_HTTP_TO_HTTPS=yes
       - DISABLE_DEFAULT_SERVER=yes
       - USE_CLIENT_CACHE=yes
+      - USE_PROXY_CACHE=yes
       - USE_GZIP=yes
       - USE_BROTLI=yes
       - USE_REVERSE_PROXY=yes

examples/crowdsec/docker-compose.yml

@@ -34,7 +34,7 @@ services:
       - net2
 
   mycrowdsec:
-    image: crowdsecurity/crowdsec:v1.0.2
+    image: crowdsecurity/crowdsec:v1.0.13
     restart: always
     volumes:
       - ./acquis.yaml:/etc/crowdsec/acquis.yaml

examples/drupal/docker-compose.yml

@@ -0,0 +1,43 @@
+version: '3'
+
+services:
+
+  mywww:
+    image: bunkerity/bunkerized-nginx
+    restart: always
+    ports:
+      - 80:8080
+      - 443:8443
+    volumes:
+      - ./drupal-files:/www:ro
+      - ./letsencrypt:/etc/letsencrypt
+      #- ./server-confs:/server-confs:ro         # custom confs at server context for permalinks
+      - ./modsec-crs-confs:/modsec-crs-confs:ro # custom Core Rule Set confs to add Drupal exclusions
+    environment:
+      - SERVER_NAME=www.website.com             # replace with your domain
+      - AUTO_LETS_ENCRYPT=yes
+      - REDIRECT_HTTP_TO_HTTPS=yes
+      - DISABLE_DEFAULT_SERVER=yes
+      - MAX_CLIENT_SIZE=50m
+      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
+      - REMOTE_PHP=mydrupal
+      - REMOTE_PHP_PATH=/var/www/html
+
+  mydrupal:
+    image: drupal:fpm-alpine
+    restart: always
+    volumes:
+      - ./drupal-files:/var/www/html
+
+  mydb:
+    image: mariadb
+    restart: always
+    volumes:
+      - ./db-data:/var/lib/mysql
+    environment:
+      - MYSQL_ROOT_PASSWORD=db-root-pwd         # replace with a stronger password
+      - MYSQL_DATABASE=drupaldb
+      - MYSQL_USER=user
+      - MYSQL_PASSWORD=db-user-pwd              # replace with a stronger password

examples/drupal/modsec-crs-confs/drupal.conf

@@ -0,0 +1,7 @@
+SecAction \
+ "id:900130,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:tx.crs_exclusions_drupal=1"

examples/ghost/docker-compose.yml

@@ -0,0 +1,33 @@
+version: '3'
+
+services:
+
+  myreverse:
+    image: bunkerity/bunkerized-nginx
+    restart: always
+    ports:
+      - 80:8080
+      - 443:8443
+    volumes:
+      - ./letsencrypt:/etc/letsencrypt
+      #- ./modsec-crs-confs:/modsec-crs-confs:ro              # fix FP with CRS
+    environment:
+      - SERVER_NAME=www.website.com                          # replace with your domain
+      - SERVE_FILES=no
+      - DISABLE_DEFAULT_SERVER=yes
+      - REDIRECT_HTTP_TO_HTTPS=yes
+      - AUTO_LETS_ENCRYPT=yes
+      - USE_PROXY_CACHE=yes
+      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
+      - USE_REVERSE_PROXY=yes
+      - REVERSE_PROXY_URL=/
+      - REVERSE_PROXY_HOST=http://myghost:2368/
+
+  myghost:
+    image: ghost:alpine
+    volumes:
+      - ./data-ghost:/
+    environment:
+      - url=https://www.website.com                          # replace with your domain

examples/ghost/modsec-crs-confs/gogs.conf

@@ -0,0 +1,7 @@
+SecAction \
+ "id:900220,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"

examples/gogs/docker-compose.yml

@@ -0,0 +1,31 @@
+version: '3'
+
+services:
+
+  myreverse:
+    image: bunkerity/bunkerized-nginx
+    restart: always
+    ports:
+      - 80:8080
+      - 443:8443
+    volumes:
+      - ./letsencrypt:/etc/letsencrypt
+      - ./modsec-crs-confs:/modsec-crs-confs:ro              # fix FP with CRS
+    environment:
+      - SERVER_NAME=www.website.com                          # replace with your domain
+      - SERVE_FILES=no
+      - DISABLE_DEFAULT_SERVER=yes
+      - REDIRECT_HTTP_TO_HTTPS=yes
+      - AUTO_LETS_ENCRYPT=yes
+      - USE_PROXY_CACHE=yes
+      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
+      - USE_REVERSE_PROXY=yes
+      - REVERSE_PROXY_URL=/
+      - REVERSE_PROXY_HOST=http://mygogs:3000/
+
+  mygogs:
+    image: gogs/gogs
+    volumes:
+      - ./data-gogs:/data

examples/gogs/modsec-crs-confs/gogs.conf

@@ -0,0 +1,7 @@
+SecAction \
+ "id:900220,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"

examples/joomla/docker-compose.yml

@@ -0,0 +1,46 @@
+version: '3'
+
+services:
+
+  mywww:
+    image: bunkerity/bunkerized-nginx
+    restart: always
+    ports:
+      - 80:8080
+      - 443:8443
+    volumes:
+      - ./joomla-files:/www:ro
+      - ./letsencrypt:/etc/letsencrypt
+    environment:
+      - SERVER_NAME=www.website.com             # replace with your domain
+      - AUTO_LETS_ENCRYPT=yes
+      - REDIRECT_HTTP_TO_HTTPS=yes
+      - DISABLE_DEFAULT_SERVER=yes
+      - MAX_CLIENT_SIZE=50m
+      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
+      - REMOTE_PHP=myjoomla
+      - REMOTE_PHP_PATH=/var/www/html
+
+  myjoomla:
+    image: joomla:fpm-alpine
+    restart: always
+    volumes:
+      - ./joomla-files:/var/www/html
+    environment:
+      - JOOMLA_DB_HOST=mydb
+      - JOOMLA_DB_NAME=joomladb
+      - JOOMLA_DB_USER=user
+      - JOOMLA_DB_PASSWORD=db-user-pwd          # replace with a stronger password (must match MYSQL_PASSWORD)
+
+  mydb:
+    image: mariadb
+    restart: always
+    volumes:
+      - ./db-data:/var/lib/mysql
+    environment:
+      - MYSQL_ROOT_PASSWORD=db-root-pwd         # replace with a stronger password
+      - MYSQL_DATABASE=joomladb
+      - MYSQL_USER=user
+      - MYSQL_PASSWORD=db-user-pwd              # replace with a stronger password (must match JOOMLA_DB_PASSWORD)

examples/load-balancer/docker-compose.yml

@@ -18,6 +18,7 @@ services:
       - REDIRECT_HTTP_TO_HTTPS=yes
       - AUTO_LETS_ENCRYPT=yes
       - USE_PROXY_CACHE=yes
+      - USE_CLIENT_CACHE=yes
       - USE_GZIP=yes
       - USE_BROTLI=yes
       - USE_REVERSE_PROXY=yes

examples/moodle/docker-compose.yml

@@ -18,6 +18,7 @@ services:
       - MAX_CLIENT_SIZE=50m
       - SERVE_FILES=no
       - USE_PROXY_CACHE=yes
+      - USE_CLIENT_CACHE=yes
       - USE_GZIP=yes
       - USE_BROTLI=yes
       - USE_REVERSE_PROXY=yes

examples/multisite-basic/docker-compose.yml

@@ -25,7 +25,6 @@ services:
       - app2.website.com_REMOTE_PHP=myapp2
       - app2.website.com_REMOTE_PHP_PATH=/app
       - app3.website.com_SERVE_FILES=no
-      - app3.website.com_USE_CLIENT_CACHE=no
       - app3.website.com_USE_PROXY_CACHE=yes
       - app3.website.com_USE_REVERSE_PROXY=yes
       - app3.website.com_REVERSE_PROXY_URL=/

examples/multisite-custom-server-confs/docker-compose.yml

@@ -27,9 +27,9 @@ services:
       - wp.website.com_REMOTE_PHP_PATH=/var/www/html
       - nc.website.com_REMOTE_PHP=mync
       - nc.website.com_REMOTE_PHP_PATH=/var/www/html
-      - nc.website.com_LIMIT_REQ_RATE=40r/s
+      - nc.website.com_LIMIT_REQ_RATE=5r/s
-      - nc.website.com_LIMIT_REQ_BURST=60
+      - nc.website.com_LIMIT_REQ_BURST=10
-      - nc.website.com_ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT
+      - nc.website.com_ALLOWED_METHODS=GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS
       - nc.website.com_X_FRAME_OPTIONS=SAMEORIGIN
       - nc.website.com_FAIL2BAN_STATUS_CODE=400|401|403|405|444
     networks:

examples/multisite-custom-server-confs/modsec-confs/nc.website.com/nextcloud.conf

@@ -1 +1,2 @@
 SecRuleRemoveById 921110
+SecRule REQUEST_FILENAME "@contains /remote.php/webdav" "id:1,ctl:ruleRemoveByTag=OWASP_CRS"

examples/multisite-custom-server-confs/modsec-confs/wp.website.com/wordpress.conf

@@ -1 +1,4 @@
+SecRule REQUEST_FILENAME "/wp-admin/admin-ajax.php" "id:1,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-rce"
+SecRule REQUEST_FILENAME "/wp-admin/options.php" "id:2,ctl:ruleRemoveByTag=attack-xss"
+SecRule REQUEST_FILENAME "^/wp-json/yoast" "id:3,ctl:ruleRemoveById=930120"
 SecRuleRemoveById 953120

examples/multisite-custom-server-confs/modsec-crs-confs/nc.website.com/nextcloud.conf

@@ -12,4 +12,4 @@ SecAction \
   nolog,\
   pass,\
   t:none,\
-  setvar:'tx.allowed_methods=GET HEAD POST PROPFIND DELETE PUT MKCOL MOVE COPY PROPPATCH REPORT'"
+  setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'"

examples/nextcloud/docker-compose.yml

@@ -23,16 +23,16 @@ services:
       - USE_CLIENT_CACHE=yes
       - REMOTE_PHP=mync
       - REMOTE_PHP_PATH=/var/www/html
-      - LIMIT_REQ_RATE=40r/s
+      - LIMIT_REQ_RATE=5r/s
-      - LIMIT_REQ_BURST=60
+      - LIMIT_REQ_BURST=10
-      - ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT
+      - ALLOWED_METHODS=GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS
       - X_FRAME_OPTIONS=SAMEORIGIN
       - USE_GZIP=yes
       - USE_BROTLI=yes
       - FAIL2BAN_STATUS_CODE=400|401|403|405|444
 
   mync:
-    image: nextcloud:20-fpm
+    image: nextcloud:21-fpm
     restart: always
     volumes:
       - ./nc-files:/var/www/html

examples/nextcloud/modsec-confs/nextcloud.conf

@@ -1 +1,2 @@
 SecRuleRemoveById 921110
+SecRule REQUEST_FILENAME "@contains /remote.php/webdav" "id:1,ctl:ruleRemoveByTag=OWASP_CRS"

examples/nextcloud/modsec-crs-confs/nextcloud.conf

@@ -12,4 +12,4 @@ SecAction \
   nolog,\
   pass,\
   t:none,\
-  setvar:'tx.allowed_methods=GET HEAD POST PROPFIND DELETE PUT MKCOL MOVE COPY PROPPATCH REPORT'"
+  setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'"

examples/passbolt/docker-compose.yml

@@ -20,6 +20,7 @@ services:
       - ALLOWED_METHODS=GET|POST|HEAD|PUT|DELETE
       - SERVE_FILES=no
       - USE_PROXY_CACHE=yes
+      - USE_CLIENT_CACHE=yes
       - USE_GZIP=yes
       - USE_BROTLI=yes
       - USE_REVERSE_PROXY=yes

examples/redmine/docker-compose.yml

@@ -0,0 +1,47 @@
+version: '3'
+
+services:
+
+  myreverse:
+    image: bunkerity/bunkerized-nginx
+    restart: always
+    ports:
+      - 80:8080
+      - 443:8443
+    volumes:
+      - ./letsencrypt:/etc/letsencrypt
+    environment:
+      - SERVER_NAME=www.website.com             # replace with your domain
+      - SERVE_FILES=no
+      - DISABLE_DEFAULT_SERVER=yes
+      - REDIRECT_HTTP_TO_HTTPS=yes
+      - AUTO_LETS_ENCRYPT=yes
+      - USE_PROXY_CACHE=yes
+      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
+      - USE_REVERSE_PROXY=yes
+      - REVERSE_PROXY_URL=/
+      - REVERSE_PROXY_HOST=http://myredmine:3000/
+
+  redmine:
+    image: redmine
+    restart: always
+    volumes:
+      - ./redmine-data:/usr/src/redmine/files
+    environment:
+      - REDMINE_DB_MYSQL=mydb
+      - REDMINE_DB_DATABASE=redminedb
+      - REDMINE_DB_USERNAME=user
+      - REDMINE_DB_PASSWORD=db-user-pwd         # replace with a stronger password (must match MYSQL_PASSWORD)
+
+  mydb:
+    image: mariadb
+    restart: always
+    volumes:
+      - ./db-data:/var/lib/mysql
+    environment:
+      - MYSQL_ROOT_PASSWORD=db-root-pwd         # replace with a stronger password
+      - MYSQL_DATABASE=redminedb
+      - MYSQL_USER=user
+      - MYSQL_PASSWORD=db-user-pwd              # replace with a stronger password (must match REDMINE_DB_PASSWORD)

examples/reverse-proxy-multisite/docker-compose.yml

@@ -18,6 +18,7 @@ services:
       - REDIRECT_HTTP_TO_HTTPS=yes
       - AUTO_LETS_ENCRYPT=yes
       - USE_PROXY_CACHE=yes
+      - USE_CLIENT_CACHE=yes
       - USE_GZIP=yes
       - USE_BROTLI=yes
       - USE_REVERSE_PROXY=yes

examples/reverse-proxy-singlesite/docker-compose.yml

@@ -18,6 +18,7 @@ services:
       - REDIRECT_HTTP_TO_HTTPS=yes
       - AUTO_LETS_ENCRYPT=yes
       - USE_PROXY_CACHE=yes
+      - USE_CLIENT_CACHE=yes
       - USE_GZIP=yes
       - USE_BROTLI=yes
       - USE_REVERSE_PROXY=yes

examples/reverse-proxy-websocket/docker-compose.yml

@@ -17,6 +17,7 @@ services:
       - REDIRECT_HTTP_TO_HTTPS=yes
       - AUTO_LETS_ENCRYPT=yes
       - USE_PROXY_CACHE=yes
+      - USE_CLIENT_CACHE=yes
       - USE_GZIP=yes
       - USE_BROTLI=yes
       - USE_REVERSE_PROXY=yes

examples/swarm/stack.yml

@@ -32,7 +32,7 @@ services:
         mode: host
         protocol: tcp
     volumes:
-      - /shared/confs:/etc/nginx:ro
+      - /shared/confs:/etc/nginx
       - /shared/letsencrypt:/etc/letsencrypt:ro
       - /shared/acme-challenge:/acme-challenge:ro
       - /shared/www:/www:ro
@@ -45,6 +45,7 @@ services:
       - AUTO_LETS_ENCRYPT=yes
       - REDIRECT_HTTP_TO_HTTPS=yes
       - DISABLE_DEFAULT_SERVER=yes
+      - USE_CLIENT_CACHE=yes
     networks:
       - net_config
       - net_services
@@ -86,6 +87,7 @@ services:
           - "node.role==worker"
       labels:
         - "bunkerized-nginx.SERVER_NAME=app2.website.com"
+        - "bunkerized-nginx.USE_PROXY_CACHE=yes"
         - "bunkerized-nginx.USE_REVERSE_PROXY=yes"
         - "bunkerized-nginx.REVERSE_PROXY_URL=/"
         - "bunkerized-nginx.REVERSE_PROXY_HOST=http://app2"

examples/tomcat/docker-compose.yml

@@ -17,6 +17,7 @@ services:
       - REDIRECT_HTTP_TO_HTTPS=yes
       - AUTO_LETS_ENCRYPT=yes
       - USE_PROXY_CACHE=yes
+      - USE_CLIENT_CACHE=yes
       - USE_GZIP=yes
       - USE_BROTLI=yes
       - USE_REVERSE_PROXY=yes

examples/web-ui/docker-compose.yml

@@ -18,6 +18,7 @@ services:
       - AUTO_LETS_ENCRYPT=yes
       - REDIRECT_HTTP_TO_HTTPS=yes
       - DISABLE_DEFAULT_SERVER=yes
+      - USE_CLIENT_CACHE=yes
       - USE_GZIP=yes
       - USE_BROTLI=yes
       - admin.website.com_SERVE_FILES=no

examples/wordpress/docker-compose.yml

@@ -13,6 +13,7 @@ services:
       - ./letsencrypt:/etc/letsencrypt
       - ./server-confs:/server-confs:ro         # custom confs at server context for permalinks
       - ./modsec-crs-confs:/modsec-crs-confs:ro # custom Core Rule Set confs to add Wordpress exclusions
+      - ./modsec-confs:/modsec-confs:ro         # avoid some FP with CRS
     environment:
       - SERVER_NAME=www.website.com             # replace with your domain
       - AUTO_LETS_ENCRYPT=yes

examples/wordpress/modsec-confs/wordpress.conf

@@ -0,0 +1,4 @@
+SecRule REQUEST_FILENAME "/wp-admin/admin-ajax.php" "id:1,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-rce"
+SecRule REQUEST_FILENAME "/wp-admin/options.php" "id:2,ctl:ruleRemoveByTag=attack-xss"
+SecRule REQUEST_FILENAME "^/wp-json/yoast" "id:3,ctl:ruleRemoveById=930120"
+SecRuleRemoveById 953120