From 3b7e5a573c5419e0cba99182b11f455c308b6b61 Mon Sep 17 00:00:00 2001
From: Unknown
Date: Wed, 2 May 2018 23:52:58 +0800
Subject: [PATCH] Revert to original README

---
 Dockerfile.alpine | 2 +-
 nginx.tmpl | 43 +++++++++++++++++++++++++++++++++++++++++++
 rules.json | 29 +++++++++++++++++++++++++++++
 3 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 rules.json

diff --git a/Dockerfile.alpine b/Dockerfile.alpine
index c65f88c..e9a4509 100644
--- a/Dockerfile.alpine
+++ b/Dockerfile.alpine
@@ -1,4 +1,4 @@
-FROM nginx:1.13-alpine
+FROM rizemon/nginx-mod:latest
 LABEL maintainer="Jason Wilder mail@jasonwilder.com"
 
 # Install wget and install/updates certificates
diff --git a/nginx.tmpl b/nginx.tmpl
index 39e38f7..ec1a4df 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -1,3 +1,6 @@
+{{/* Load the json that returns a list of rule names mapped to its respective filepath */}}
+{{ $RULES := parseJson $.Env.RULES }}
+
 {{ $CurrentContainer := where $ "ID" .Docker.CurrentContainerID | first }}
 
 {{ define "upstream" }}
@@ -293,6 +296,26 @@ server {
 {{ else if (exists "/etc/nginx/vhost.d/default_location") }}
 include /etc/nginx/vhost.d/default_location;
 {{ end }}
+
+ {{/* $INCLUDES return the resulting list of rules to be included */}}
+ {{ $INCLUDES := keys ( groupByMulti $containers "Env.INCLUDES" "," ) }}
+
+ {{ if ( ne ( len $INCLUDES ) 0 ) }}
+ modsecurity on;
+ modsecurity_rules '
+ {{/* Loop through each rule in the order specified in $RULES */}}
+ {{ range $index, $obj := $RULES }}
+ {{ $NAME := index $obj "NAME" }}
+ {{ $PATH := index $obj "PATH" }}
+ {{/* If the rule is required to be included*/}}
+ {{ range $INCLUDE := $INCLUDES }}
+ {{ if (eq $NAME $INCLUDE ) }}
+ Include {{ $PATH }}
+ {{ end }}
+ {{ end }}
+ {{ end }}
+ ';
+ {{ end }}
 }
 }
 
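Review bot: The new base image `rizemon/nginx-mod:latest` is a floating tag in a personal Docker Hub namespace, so every rebuild of Dockerfile.alpine pulls whatever that tag currently points to and the build is no longer reproducible or auditable; the replaced `nginx:1.13-alpine` was at least a version-pinned official image. Pin the image to an immutable reference, `FROM rizemon/nginx-mod:<tag>@sha256:<digest-placeholder>`, and add a comment recording which nginx and ModSecurity connector versions that image carries so the pin can be bumped deliberately rather than drift. If the image is built from a Dockerfile the maintainers control, building it inside this repository would keep the ModSecurity module on a reviewed path.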
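Review bot: `{{ $RULES := parseJson $.Env.RULES }}` has no guard for the `RULES` environment variable being unset or holding invalid JSON; as far as I can tell from how docker-gen executes templates, an error here aborts generation of the whole nginx configuration rather than just the ModSecurity section, so a deployment that never intended to enable ModSecurity is broken by a missing variable. Either wrap the parse and its consumers in `{{ if $.Env.RULES }} … {{ end }}`, or bake a default `RULES` into the image and say so. The comment above the line should also state the contract the later lookups depend on, e.g. `{{/* RULES (mandatory): JSON array of {"NAME": ..., "PATH": ...} objects; NAME is matched against each container's INCLUDES list, PATH is passed verbatim to a ModSecurity Include. Generation fails if RULES is unset or malformed. */}}`.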
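Review bot: The rule lookup `{{ if (eq $NAME $INCLUDE ) }}` is an exact, case-sensitive string match over the raw `groupByMulti $containers "Env.INCLUDES" ","` split, which as far as I can tell does no trimming, so a value like `INCLUDES=MODSEC, SQLI` (with a space) or a misspelt name silently loads nothing for that rule and the operator gets no error — a silent failure mode is the wrong default for a security control. Documenting the exact format next to the `$INCLUDES` definition would help, e.g. `{{/* INCLUDES: comma-separated rule NAMEs from RULES, no spaces, case-sensitive; unknown names are ignored without error. The list is the union over every container behind this host, so one container's INCLUDES enables ModSecurity for all of them. */}}` (the union claim assumes `$containers` is the per-host group used elsewhere in this template). These twenty lines are repeated verbatim in the hunk at `@@ -339,6 +362,26 @@`; a `{{ define }}` block would keep the two copies from drifting, bearing in mind that `$RULES` would not be visible inside it and would need to be passed in. The `$INCLUDES`/`$RULES`/`$NAME` names also depart from the camelCase convention visible in `$CurrentContainer`; the enclosing `server {` block starts outside the hunk.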
@@ -339,6 +362,26 @@ server {
 {{ else if (exists "/etc/nginx/vhost.d/default_location") }}
 include /etc/nginx/vhost.d/default_location;
 {{ end }}
+
+ {{/* $INCLUDES return the resulting list of rules to be included */}}
+ {{ $INCLUDES := keys ( groupByMulti $containers "Env.INCLUDES" "," ) }}
+
+ {{ if ( ne ( len $INCLUDES ) 0 ) }}
+ modsecurity on;
+ modsecurity_rules '
+ {{/* Loop through each rule in the order specified in $RULES */}}
+ {{ range $index, $obj := $RULES }}
+ {{ $NAME := index $obj "NAME" }}
+ {{ $PATH := index $obj "PATH" }}
+ {{/* If the rule is required to be included*/}}
+ {{ range $INCLUDE := $INCLUDES }}
+ {{ if (eq $NAME $INCLUDE ) }}
+ Include {{ $PATH }}
+ {{ end }}
+ {{ end }}
+ {{ end }}
+ ';
+ {{ end }}
 }
 }
 
diff --git a/rules.json b/rules.json
new file mode 100644
index 0000000..6a680f2
--- /dev/null
+++ b/rules.json
@@ -0,0 +1,29 @@
+[
+ {"NAME":"MODSEC","PATH":"/etc/nginx/modsecurity.conf"},
+ {"NAME":"SETUP","PATH":"/etc/nginx/crs-setup.conf"},
+ {"NAME":"BEFORE","PATH":"/etc/nginx/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example"},
+ {"NAME":"INIT","PATH":"/etc/nginx/rules/REQUEST-901-INITIALIZATION.conf"},
+ {"NAME":"COMMON","PATH":"/etc/nginx/rules/REQUEST-905-COMMON-EXCEPTIONS.conf"},
+ {"NAME":"IP-REP","PATH":"/etc/nginx/rules/REQUEST-910-IP-REPUTATION.conf"},
+ {"NAME":"METHOD-ENF","PATH":"/etc/nginx/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"},
+ {"NAME":"DOS","PATH":"/etc/nginx/rules/REQUEST-912-DOS-PROTECTION.conf"},
+ {"NAME":"SCANNER","PATH":"/etc/nginx/rules/REQUEST-913-SCANNER-DETECTION.conf"},
+ {"NAME":"PROTO-ENF","PATH":"/etc/nginx/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"},
+ {"NAME":"PROTO-ATK","PATH":"/etc/nginx/rules/REQUEST-921-PROTOCOL-ATTACK.conf"},
+ {"NAME":"LFI","PATH":"/etc/nginx/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"},
+ {"NAME":"RFI","PATH":"/etc/nginx/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf"},
+ {"NAME":"RCE","PATH":"/etc/nginx/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"},
+ {"NAME":"PHP","PATH":"/etc/nginx/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"},
+ {"NAME":"XSS","PATH":"/etc/nginx/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"},
+ {"NAME":"SQLI","PATH":"/etc/nginx/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"},
+ {"NAME":"SESSION","PATH":"/etc/nginx/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf"},
+ {"NAME":"REQ-EVAL","PATH":"/etc/nginx/rules/REQUEST-949-BLOCKING-EVALUATION.conf"},
+ {"NAME":"LEAK","PATH":"/etc/nginx/rules/RESPONSE-950-DATA-LEAKAGES.conf"},
+ {"NAME":"LEAK-SQL","PATH":"/etc/nginx/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"},
+ {"NAME":"LEAK-JAVA","PATH":"/etc/nginx/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf"},
+ {"NAME":"LEAK-PHP","PATH":"/etc/nginx/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf"},
+ {"NAME":"LEAK-IIS","PATH":"/etc/nginx/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf"},
+ {"NAME":"RES-EVAL","PATH":"/etc/nginx/rules/RESPONSE-959-BLOCKING-EVALUATION.conf"},
+ {"NAME":"COOR","PATH":"/etc/nginx/rules/RESPONSE-980-CORRELATION.conf"},
+ {"NAME":"AFTER","PATH":"/etc/nginx/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example"}
+]
\ No newline at end of file
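Review bot: The `BEFORE` and `AFTER` entries point at `REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example` and `RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example`, the sample exclusion files the rule set ships; including the `.example` files directly means any site-specific exclusions an operator writes land in a file a rule-set or image update is likely to overwrite, so these paths should reference a non-example copy the image creates (or the entries should be documented as placeholders to override via `RULES`). The array order is load-bearing — the template comment says rules are included in the order of this list — yet JSON gives nowhere to say so, so the README or the template should state that the list must keep the numeric CRS order shown here (setup and initialization before any rule file, the blocking-evaluation and correlation files last). The file also has no trailing newline.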