librewolf
/
bunkerized-nginx
mirror of https://github.com/bunkerity/bunkerized-nginx
4
0
Fork 1
Code Issues Projects Releases Wiki Activity

fix CVE-2022-1304 for autoconf, add missing load_module for ngx_stream_lua_module.so and fix missing -lpcre in configure step

This commit is contained in:
bunkerity 2023-03-07 09:46:31 +01:00
parent 01fab41620
commit 5e31b6c4ae
3 changed files with 6 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/autoconf/Dockerfile
View File

@ -54,7 +54,7 @@ RUN apk add --no-cache bash && \
chmod 770 /var/log/letsencrypt /var/lib/letsencrypt
# Fix CVEs
RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "git>=2.36.5-r0" "curl>=7.87.0-r2" "libcurl>=7.87.0-r2"
RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "git>=2.36.5-r0" "curl>=7.87.0-r2" "libcurl>=7.87.0-r2" "libcom_err>=1.46.6-r0"
VOLUME /data /etc/nginx

1
src/common/confs/nginx.conf
View File

@ -8,6 +8,7 @@ load_module /usr/share/bunkerweb/modules/ngx_http_lua_module.so;
load_module /usr/share/bunkerweb/modules/ngx_http_modsecurity_module.so;
load_module /usr/share/bunkerweb/modules/ngx_http_brotli_filter_module.so;
load_module /usr/share/bunkerweb/modules/ngx_http_brotli_static_module.so;
load_module /usr/share/bunkerweb/modules/ngx_stream_lua_module.so;
# PID file
pid /var/tmp/bunkerweb/nginx.pid;

8
src/deps/install.sh
View File

@ -127,10 +127,10 @@ do_and_check_cmd cp -r /tmp/bunkerweb/deps/src/lua-resty-env/src/resty/env.lua /
echo " Compiling and installing dynamic modules"
CONFARGS="$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p')"
CONFARGS="${CONFARGS/-Os -fomit-frame-pointer -g/-Os}"
CONFARGS="$(echo -n "$CONFARGS" | sed "s/--with-ld-opt=-Wl/--with-ld-opt='-lpcre -Wl'/")"
if [ "$OS" = "fedora" ] ; then
CONFARGS="$(echo -n "$CONFARGS" | sed "s/--with-ld-opt='.*'/--with-ld-opt=-lpcre/" | sed "s/--with-cc-opt='.*'//")"
fi
CONFARGS="$(echo -n "$CONFARGS" | sed "s/--with-ld-opt='/--with-ld-opt='-lpcre /")"
# if [ "$OS" = "fedora" ] ; then
# CONFARGS="$(echo -n "$CONFARGS" | sed "s/--with-ld-opt='.*'/--with-ld-opt=-lpcre/" | sed "s/--with-cc-opt='.*'//")"
# fi
echo '#!/bin/bash' > "/tmp/bunkerweb/deps/src/nginx-${NGINX_VERSION}/configure-fix.sh"
echo "./configure $CONFARGS --add-dynamic-module=/tmp/bunkerweb/deps/src/ModSecurity-nginx --add-dynamic-module=/tmp/bunkerweb/deps/src/headers-more-nginx-module --add-dynamic-module=/tmp/bunkerweb/deps/src/nginx_cookie_flag_module --add-dynamic-module=/tmp/bunkerweb/deps/src/lua-nginx-module --add-dynamic-module=/tmp/bunkerweb/deps/src/ngx_brotli --add-dynamic-module=/tmp/bunkerweb/deps/src/ngx_devel_kit --add-dynamic-module=/tmp/bunkerweb/deps/src/stream-lua-nginx-module" >> "/tmp/bunkerweb/deps/src/nginx-${NGINX_VERSION}/configure-fix.sh"
do_and_check_cmd chmod +x "/tmp/bunkerweb/deps/src/nginx-${NGINX_VERSION}/configure-fix.sh"