Dockerfile is unable to create the image with modsecurity

[Ziemowit]

When trying to build the nginx image with modsecurity I am getting:

debconf: delaying package configuration, since apt-utils is not installed
Fetched 14.4 MB in 5s (2925 kB/s)
Selecting previously unselected package libssl-dev:amd64.
(Reading database ... 19708 files and directories currently installed.)
Preparing to unpack .../00-libssl-dev_1.1.1n-0+deb11u3_amd64.deb ...
Unpacking libssl-dev:amd64 (1.1.1n-0+deb11u3) ...
Selecting previously unselected package libpcre2-16-0:amd64.
Preparing to unpack .../01-libpcre2-16-0_10.36-2+deb11u1_amd64.deb ...
Unpacking libpcre2-16-0:amd64 (10.36-2+deb11u1) ...
Selecting previously unselected package libpcre2-32-0:amd64.
Preparing to unpack .../02-libpcre2-32-0_10.36-2+deb11u1_amd64.deb ...
Unpacking libpcre2-32-0:amd64 (10.36-2+deb11u1) ...
Selecting previously unselected package libpcre2-posix2:amd64.
Preparing to unpack .../03-libpcre2-posix2_10.36-2+deb11u1_amd64.deb ...
Unpacking libpcre2-posix2:amd64 (10.36-2+deb11u1) ...
Selecting previously unselected package libpcre2-dev:amd64.
Preparing to unpack .../04-libpcre2-dev_10.36-2+deb11u1_amd64.deb ...
Unpacking libpcre2-dev:amd64 (10.36-2+deb11u1) ...
Selecting previously unselected package zlib1g-dev:amd64.
Preparing to unpack .../05-zlib1g-dev_1%3a1.2.11.dfsg-2+deb11u2_amd64.deb ...
Unpacking zlib1g-dev:amd64 (1:1.2.11.dfsg-2+deb11u2) ...
Selecting previously unselected package icu-devtools.
Preparing to unpack .../06-icu-devtools_67.1-7_amd64.deb ...
Unpacking icu-devtools (67.1-7) ...
Selecting previously unselected package libicu-dev:amd64.
Preparing to unpack .../07-libicu-dev_67.1-7_amd64.deb ...
Unpacking libicu-dev:amd64 (67.1-7) ...
Selecting previously unselected package libxml2-dev:amd64.
Preparing to unpack .../08-libxml2-dev_2.9.10+dfsg-6.7+deb11u3_amd64.deb ...
Unpacking libxml2-dev:amd64 (2.9.10+dfsg-6.7+deb11u3) ...
Selecting previously unselected package libyajl2:amd64.
Preparing to unpack .../09-libyajl2_2.1.0-3_amd64.deb ...
Unpacking libyajl2:amd64 (2.1.0-3) ...
Selecting previously unselected package libyajl-dev:amd64.
Preparing to unpack .../10-libyajl-dev_2.1.0-3_amd64.deb ...
Unpacking libyajl-dev:amd64 (2.1.0-3) ...
Selecting previously unselected package libcurl4-openssl-dev:amd64.
Preparing to unpack .../11-libcurl4-openssl-dev_7.74.0-1.3+deb11u3_amd64.deb ...
Unpacking libcurl4-openssl-dev:amd64 (7.74.0-1.3+deb11u3) ...
Selecting previously unselected package patchelf.
Preparing to unpack .../12-patchelf_0.12-1_amd64.deb ...
Unpacking patchelf (0.12-1) ...
Setting up libyajl2:amd64 (2.1.0-3) ...
Setting up libpcre2-16-0:amd64 (10.36-2+deb11u1) ...
Setting up libpcre2-32-0:amd64 (10.36-2+deb11u1) ...
Setting up libcurl4-openssl-dev:amd64 (7.74.0-1.3+deb11u3) ...
Setting up libssl-dev:amd64 (1.1.1n-0+deb11u3) ...
Setting up icu-devtools (67.1-7) ...
Setting up libpcre2-posix2:amd64 (10.36-2+deb11u1) ...
Setting up libyajl-dev:amd64 (2.1.0-3) ...
Setting up zlib1g-dev:amd64 (1:1.2.11.dfsg-2+deb11u2) ...
Setting up patchelf (0.12-1) ...
Setting up libicu-dev:amd64 (67.1-7) ...
Setting up libpcre2-dev:amd64 (10.36-2+deb11u1) ...
Setting up libxml2-dev:amd64 (2.9.10+dfsg-6.7+deb11u3) ...
Setting up nginx-module-modsecurity-build-deps (1.23.3+1.0.3-1~bullseye) ...
Processing triggers for man-db (2.9.4-2) ...
Processing triggers for libc-bin (2.31-13+deb11u5) ...
+ make module-modsecurity BASE_VERSION=1.23.3 NGINX_VERSION=1.23.3
===> Building nginx-module-modsecurity package
 dpkg-buildpackage -us -uc -ui
dpkg-buildpackage: info: source package nginx-module-modsecurity
dpkg-buildpackage: info: source version 1.23.3+1.0.3-1~bullseye
dpkg-buildpackage: info: source distribution bullseye
dpkg-buildpackage: info: source changed by Nginx Packaging <[email protected]>
 dpkg-source --before-build .
dpkg-buildpackage: info: host architecture amd64
 debian/rules clean
dh_testdir
dh_testroot
dh_clean
rm -rf /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/build-*
find /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3 -maxdepth 1 -size 0 -delete
 dpkg-source -b .
dpkg-source: info: using source format '3.0 (quilt)'
dpkg-source: info: building nginx-module-modsecurity using existing ./nginx-module-modsecurity_1.23.3+1.0.3.orig.tar.gz
dpkg-source: info: building nginx-module-modsecurity in nginx-module-modsecurity_1.23.3+1.0.3-1~bullseye.debian.tar.xz
dpkg-source: info: building nginx-module-modsecurity in nginx-module-modsecurity_1.23.3+1.0.3-1~bullseye.dsc
 debian/rules build
dh_testdir
mkdir -p /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/build-nginx
cp -Pa /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/auto /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/build-nginx/
cp -Pa /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/conf /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/build-nginx/
if ! test -e /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/configure ; then ln -s /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/auto/configure /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/configure ; fi
cp -Pa /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/configure /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/build-nginx/
cp -Pa /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/contrib /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/build-nginx/
if test -e /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/man ; then  cp -Pa /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/man /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/build-nginx/ ; fi
if test -e /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/docs ; then cp -Pa /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/docs /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/build-nginx/ ; fi
cp -Pa /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/src /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/build-nginx/
test -d /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/extra && cp -Pa /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/extra /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/build-nginx/
touch config.env.nginx
dh_testdir
cd /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/build-nginx/extra/modsecurity-82f75dc0ce134c639df6c33bd610519bd4e90e42 && rm -rf others/libinjection && ln -s ../../libinjection others/libinjection && rm -rf test/test-cases/secrules-language-tests && ln -s ../../../secrules-language-tests test/test-cases/secrules-language-tests && rm -rf bindings/python && ln -s ../../modsecurity-python-bindings bindings/python && ./build.sh && ./configure --prefix /pkg-oss/debian/debuild-module-modsecurity/nginx-1.23.3/debian/build-nginx/extra/modsecurity-82f75dc0ce134c639df6c33bd610519bd4e90e42/local --without-lmdb --without-lua && /usr/bin/make -j8 install && /usr/bin/make check-TESTS
libtoolize: putting auxiliary files in '.'.
libtoolize: copying file './ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'build'.
libtoolize: copying file 'build/libtool.m4'
libtoolize: copying file 'build/ltoptions.m4'
libtoolize: copying file 'build/ltsugar.m4'
libtoolize: copying file 'build/ltversion.m4'
libtoolize: copying file 'build/lt~obsolete.m4'
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
configure.ac:50: installing './ar-lib'
configure.ac:50: installing './compile'
configure.ac:147: installing './config.guess'
configure.ac:147: installing './config.sub'
configure.ac:45: installing './install-sh'
configure.ac:45: installing './missing'
parallel-tests: installing './test-driver'
examples/multiprocess_c/Makefile.am: installing './depcomp'
configure.ac: installing './ylwrap'
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for g++... g++
checking whether the C++ compiler works... yes
checking for C++ compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking whether make supports the include directive... yes (GNU style)
checking dependency style of g++... gcc3
checking for gcc... gcc
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... gcc3
checking for ar... ar
checking the archiver (ar) interface... ar
checking whether make sets $(MAKE)... (cached) yes
./configure: line 4854: PKG_PROG_PKG_CONFIG: command not found
configure: Nothing about YAJL was informed during the configure phase. Trying to detect it on the platform...
configure: YAJL library was not found
configure: Nothing about GeoIP was informed during the configure phase. Trying to detect it on the platform...
configure: GeoIP library was not found
configure: Nothing about MaxMind was informed during the configure phase. Trying to detect it on the platform...
configure: MaxMind library was not found
configure: Support for LMDB was disabled by the utilization of --without-lmdb or --with-lmdb=no
*** LOOKING AT PATH:  /usr/lib
*** LOOKING AT PATH:  /usr/local/lib
*** LOOKING AT PATH:  /usr/local/fuzzy
*** LOOKING AT PATH:  /usr/local/libfuzzy
*** LOOKING AT PATH:  /usr/local
*** LOOKING AT PATH:  /opt
*** LOOKING AT PATH:  /usr
*** LOOKING AT PATH:  /usr/lib64
*** LOOKING AT PATH:  /opt/local
configure: SSDEEP library was not found
configure: Support for LUA was disabled by the utilization of --without-lua or --with-lua=no
checking for libcurl config script... /usr/bin/curl-config
configure: curl VERSION: 7.74.0 
configure: curl LDADD: 
checking if libcurl is at least v... yes, 7.74.0 
checking if libcurl is linked with gnutls... no
configure: using curl v7.74.0 
checking for libxml2 config script... /usr/bin/xml2-config
configure: xml VERSION: 2.9.10
configure: xml CFLAGS: -I/usr/include/libxml2 -DWITH_LIBXML2
configure: xml LDADD: -lxml2
checking if libxml2 is at least v2.6.29... yes, 2.9.10
configure: using libxml2 v2.9.10
checking for libpcre config script... no
configure: *** pcre library not found.
configure: error: pcre library is required
make: *** [debian/rules:47: config.pre.nginx] Error 1
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
debuild: fatal error at line 1182:
dpkg-buildpackage -us -uc -ui failed
real 11.56
user 9.26
sys 0.99
make: *** [Makefile:212: module-modsecurity] Error 29
+ find ../../ -maxdepth 1 -mindepth 1 -type f -name *.deb -exec mv -v {} /tmp/packages/ ;
+ BUILT_MODULES= modsecurity
+ echo BUILT_MODULES=" modsecurity"
Removing intermediate container 0918959076b8
 ---> b5913a1bceaa
Step 6/8 : FROM nginx:mainline
 ---> 3964ce7b8458
Step 7/8 : COPY --from=builder /tmp/packages /tmp/packages
 ---> Using cache
 ---> cf0e8f23aa50
Step 8/8 : RUN set -ex     && apt update     && . /tmp/packages/modules.env     && for module in $BUILT_MODULES; do            apt install --no-install-suggests --no-install-recommends -y /tmp/packages/nginx-module-${module}_${NGINX_VERSION}*.deb;        done     && rm -rf /tmp/packages     && rm -rf /var/lib/apt/lists/
 ---> Running in 7a94ab2f5292
+ apt update

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 http://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Get:4 http://deb.debian.org/debian bullseye/main amd64 Packages [8183 kB]
Get:5 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages [210 kB]
Get:6 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [14.6 kB]
Fetched 8616 kB in 4s (2357 kB/s)
Reading package lists...
Building dependency tree...
Reading state information...
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
+ . /tmp/packages/modules.env
+ BUILT_MODULES= modsecurity
+ apt install --no-install-suggests --no-install-recommends -y /tmp/packages/nginx-module-modsecurity_1.23.3*.deb

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Reading package lists...
E: Unsupported file /tmp/packages/nginx-module-modsecurity_1.23.3*.deb given on commandline
The command '/bin/sh -c set -ex     && apt update     && . /tmp/packages/modules.env     && for module in $BUILT_MODULES; do            apt install --no-install-suggests --no-install-recommends -y /tmp/packages/nginx-module-${module}_${NGINX_VERSION}*.deb;        done     && rm -rf /tmp/packages     && rm -rf /var/lib/apt/lists/' returned a non-zero code: 100

Should I change something in provided Dockerfile to make it work? Or it is an issue?

[thresheek]

Hi @Ziemowit !

This looks like a bug in modsecurity module packaging, with regards to wrong build dependencies. I'll work on fixing it.

Thank you!

[thresheek]

As a temporary workaround you can apply a following patch:

diff --git a/modules/Dockerfile b/modules/Dockerfile
index 1cce673..9747d68 100644
--- a/modules/Dockerfile
+++ b/modules/Dockerfile
@@ -15,7 +15,7 @@ RUN set -ex \
     && apt install -y --no-install-suggests --no-install-recommends \
                 patch make wget mercurial devscripts debhelper dpkg-dev \
                 quilt lsb-release build-essential libxml2-utils xsltproc \
-                equivs git g++ libparse-recdescent-perl \
+                equivs git g++ libparse-recdescent-perl libpcre3-dev \
     && XSLSCRIPT_SHA512="f7194c5198daeab9b3b0c3aebf006922c7df1d345d454bd8474489ff2eb6b4bf8e2ffe442489a45d1aab80da6ecebe0097759a1e12cc26b5f0613d05b7c09ffa *stdin" \
     && wget -O /tmp/xslscript.pl https://hg.nginx.org/xslscript/raw-file/01dc9ba12e1b/xslscript.pl \
     && if [ "$(cat /tmp/xslscript.pl | openssl sha512 -r)" = "$XSLSCRIPT_SHA512" ]; then \

[thresheek]

For what it's worth, the underlying issue is fixed in the current master branch in modsecurity: owasp-modsecurity/ModSecurity@791964a

So upgrading modsecurity to when they release a new version will automatically fix that for us too without the need of the aforementioned workaround.

[Ziemowit]

Thank you for a quick action!

[Ziemowit]

Ok, so to finish installation of modsec after successful build as I understand I need to provide my own files:

1. File /etc/nginx/nginx.conf

with load_module /etc/nginx/modules/ngx_http_modsecurity_module.so; line.

2. File with servers & locations definitions

server {
    ...
    modsecurity             on;
    modsecurity_rules_file  /etc/nginx/modsec/modsecurity.conf;

    location / {
      ....
    }
}

Am I correct?

[thresheek]

Hi @Ziemowit, yes that's correct.

[unbaiat]

sed -i 's/libparse-recdescent-perl \/libparse-recdescent-perl libpcre3-dev \/' Dockerfile

ps. yes, I know. but it ain't stupid if it works