vshn/modsecurity Docker Image Overview

vshn/modsecurity

A custom Docker image based on the official ModSecurity CRS image.

2 收藏0 次下载

⏱️ 镜像拉取更稳定，部署项目不再心跳加速

镜像简介版本下载

⏱️ 镜像拉取更稳定，部署项目不再心跳加速

ModSecurity Docker image

![dockeri.co]([***]

![License]([***]

Based on the official owasp/modsecurity-crs image.

Contains the necessary tweaks to run on OpenShift.
Uses the GeoLite2 Country Database provided by MaxMind under the CC BY-SA 4.0 license.
Includes ClamAV anti-virus scanner provided by Cisco-TALOS under the GPL v2 (or later) license.

Supported Tags

![latest]( [] ![size/layers]( [] ![based on]( [***] (v3.1)
![3.1]( [] ![size/layers]( [] ![based on]( [***] (ModSecurity 2, CRS v3.1)

Usage

Ad-hoc usage and debugging:

console
$ docker run -p 80:80 -it -e PARANOIA=4 --rm vshn/modsecurity bash

With a Dockerfile:

Dockerfile
FROM vshn/modsecurity:3.1

ENV PARANOIA=1 \
    ANOMALY_INBOUND=500 \
    ANOMALY_OUTBOUND=400 \
    PORT=8000 \
    BACKEND=[***]

VOLUME /opt/modsecurity/rules/before-crs
VOLUME /opt/modsecurity/rules/after-crs
VOLUME /var/log/modsecurity
VOLUME /tmp/modsecurity

With Docker Compose to start a ModSecurity and a httpbin container:

console
cd v3.1
docker-compose up

When the containers are running, you can make requests like:

console
curl -i http://localhost:8080/anything

curl -i -H 'Host: vshn.ch' http://localhost:8080/anything

curl -i http://localhost:8080/cookies/set/secret/random-value

For all supported endpoints have a look at httpbin.org.

Configuration

There are a variety of environment variables available to configure the image.

Most important are the following ones:

PARANOIA (Default: 1)
- Ranging from 1-4. Have a look at the section 'What are paranoia levels, and which level should I choose?' at coreruleset.org/faq/.
ANOMALY_INBOUND (Default: 1000)
- inbound anomaly score threshold; start with 1000 and try to bring it down to 5
ANOMALY_OUTBOUND (Default: 1000)
- outbound anomaly score threshold; start with 1000 and try to bring it down to 4
PORT (Default: 8080)
- Port the Apache process should listen on
BACKEND
- The IP/URL of the service which should be secured by ModSecurity.
BACKEND_WS
- The IP/URL of the WebSocket service (if used)

ModSecurity

RULE_ENGINE
- SecRuleEngine
REQ_BODY_ACCESS
- SecRequestBodyAccess
RESP_BODY_ACCESS
- SecResponseBodyAccess
REQ_BODY_LIMIT
- SecResponseBodyLimit
RESP_BODY_LIMIT
- SecRequestBodyLimit
REQ_BODY_NOFILES_LIMIT
- SecRequestBodyNoFilesLimit
PCRE_MATCH_LIMIT
- SecPcreMatchLimit
PCRE_MATCH_LIMIT_RECURSION
- SecPcreMatchLimitRecursion
MODSEC_TAG
- SecDefaultAction tag
MODSEC_ALLOWED_METHODS
- tx.allowed_methods
MODSEC_ALLOWED_CONTENT
- tx.allowed_request_content_type
MODSEC_MAX_NUM_ARGS
- tx.max_num_args
MODSEC_ARG_NAME_LENGTH
- tx.arg_name_length
MODSEC_ARGS_COMBINED_SIZE
- tx.total_arg_length
MODSEC_MAX_FILE_SIZE
- tx.max_file_size
MODSEC_MAX_COMBINED_SIZE
- t***bined_file_sizes
MODSEC_DEBUG_LOG
- SecDebugLog
MODSEC_DEBUG_LOGLEVEL
- SecDebugLogLevel
MODSEC_AUDIT_LOG_TYPE
- SecAuditLogType
MODSEC_AUDIT_LOG_FORMAT
- SecAuditLogFormat
MODSEC_AUDIT_LOG
- SecAuditLog
MODSEC_AUDIT_STORAGE
- SecAuditLogStorageDir

For the default values look at the Dockerfile.

Apache

APACHE_RUN_USER
- system user the Apache process should use
APACHE_RUN_GROUP
- system group the Apache process should use
HTTPD_MAX_REQUEST_WORKERS
- MaxRequestWorkers (in mpm_event module configuration)
SERVER_NAME
- ServerName (in default site)
SERVER_ADMIN
- ServerAdmin (in default site)
APACHE_LOGLEVEL
- LogLevel (in default site)
APACHE_ERRORLOG
- ErrorLog (in default site)
APACHE_ACCESSLOG
- CustomLog (in default site)
APACHE_PERFLOG
- CustomLog (in default site)
REMOTEIP_INT_PROXY
- RemoteIPInternalProxy (in default site)
REQ_HEADER_FORWARDED_PROTO
- X-Forwarded-Proto RequestHeader (in default site)
APACHE_TIMEOUT
- Timeout (in Apache configuration)
PROXY_PRESERVE_HOST (Default: on)
- ProxyPreserveHost (in default site)
PROXY_SSL (Default: off)
- SSLProxyEngine, can be on or off (in default site). PROXY_PRESERVE_HOST should be turned off to fully validate backend certificates (including host name).
PROXY_SSL_VERIFY (Default: none)
- SSLProxyVerify, specifies the level of certificate verification (none, optional, require, optional_no_ca).
PROXY_SSL_CHECK_PEER_NAME (Default: on)
- SSLProxyCheckPeerName, can be on or off. Wether the host name of the backend certificate should be checked or not. If PROXY_PRESERVE_HOST is on, this should be off.
PROXY_SSL_CA_CERT (Default: /etc/ssl/certs/ca-certificates.crt)
- SSLProxyCACertificateFile (in default site)
PROXY_TIMEOUT
- ProxyTimeout (in default site)

For the default values look at the Dockerfile.

ClamAV Anti Virus

CLAMD_SERVER (Default: 127.0.0.1)
- host/ip of server running clamd
CLAMD_PORT (Default: 3310)
- port on which clamd is listening
CLAMD_DEBUG_LOG (Default: off)
- whether ClamAV scanning should log debug messages

Logging

Following the 12-factor app guidelines we're logging audit, error and access logs to the console, and let the cluster's logging stack deal with the output:

Audit Log (Default: JSON to stdout)
- see MODSEC_AUDIT_LOG
ErrorLog (Default: JSON to stdout)
- see APACHE_ERRORLOG
CustomLog (Default: JSON to stdout)
- see APACHE_ACCESSLOG
- see APACHE_PERFLOG

You should mount /tmp/modsecurity onto a scratch space, such as an emptyDir volume. Configured settings are:

MODSEC_DATA_DIR (Default: /tmp/modsecurity/data)
- SecDataDir
MODSEC_TMP_DIR (Default: /tmp/modsecurity/tmp)
- SecTmpDir
MODSEC_UPLOAD_DIR (Default: /tmp/modsecurity/upload)
- SecUploadDir

Custom rules

Mount your custom rules

at /opt/modsecurity/rules/before-crs/ to load them before the Core Rule Set and
at /opt/modsecurity/rules/after-crs/ to load them after the CRS has been loaded.

All custom rule files must end in .conf in order to be loaded.

Credits

This product includes GeoLite2 data created by MaxMind, available from [***]

查看更多 modsecurity 相关镜像 →

owasp/modsecurity-crs

官方OWASP核心规则集Docker镜像（ModSecurity+核心规则集）

1111M+ pulls

上次更新：未知

轩辕镜像配置手册

探索更多轩辕镜像的使用方法，找到最适合您系统的配置方式

登录仓库拉取

通过 Docker 登录认证访问私有仓库

Linux

在 Linux 系统配置镜像服务

Windows/Mac

在 Docker Desktop 配置镜像

Docker Compose

Docker Compose 项目配置

K8s Containerd

Kubernetes 集群配置 Containerd

K3s

K3s 轻量级 Kubernetes 镜像加速

Dev Containers

VS Code Dev Containers 配置

MacOS OrbStack

MacOS OrbStack 容器配置

宝塔面板

在宝塔面板一键配置镜像

群晖

Synology 群晖 NAS 配置

飞牛

飞牛 fnOS 系统配置镜像

极空间

极空间 NAS 系统配置服务

爱快路由

爱快 iKuai 路由系统配置

绿联

绿联 NAS 系统配置镜像

威联通

QNAP 威联通 NAS 配置

Podman

Podman 容器引擎配置

Singularity/Apptainer

HPC 科学计算容器配置

其他仓库配置

ghcr、Quay、nvcr 等镜像仓库

专属域名拉取

无需登录使用专属域名

需要其他帮助？请查看我们的常见问题Docker 镜像访问常见问题解答或提交工单

镜像拉取常见问题

轩辕镜像免费版与专业版有什么区别？

免费版仅支持 Docker Hub 访问，不承诺可用性和速度；专业版支持更多镜像源，保证可用性和稳定速度，提供优先客服响应。

轩辕镜像支持哪些镜像仓库？

专业版支持 docker.io、gcr.io、ghcr.io、registry.k8s.io、nvcr.io、quay.io、mcr.microsoft.com、docker.elastic.co 等；免费版仅支持 docker.io。

流量耗尽错误提示

当返回 402 Payment Required 错误时，表示流量已耗尽，需要充值流量包以恢复服务。

410 错误问题

通常由 Docker 版本过低导致，需要升级到 20.x 或更高版本以支持 V2 协议。

manifest unknown 错误

先检查 Docker 版本，版本过低则升级；版本正常则验证镜像信息是否正确。

镜像拉取成功后，如何去掉轩辕镜像域名前缀？

使用 docker tag 命令为镜像打上新标签，去掉域名前缀，使镜像名称更简洁。

查看全部问题→

用户好评

来自真实用户的反馈，见证轩辕镜像的优质服务

oldzhang

运维工程师

Linux服务器

"Docker访问体验非常流畅，大镜像也能快速完成下载。"