This repository has been archived by the owner on Aug 1, 2021. It is now read-only.


NGINX WAF Docker Container

This is a production-ready, unofficial build of the NGINX web application firewall.

NGINX WAF is NGINX coupled with ModSecurity 3.0.

Tags

There are currently three moving tags: stable, mainline and latest.

stable is the recommended tag to use.

mainline is updated more frequently with new features and is paired to the master branch.

Usage

There are a couple of ways you can use this image.

For an example config, refer to tests/nginx-conf.d/example.conf.

The easiest way is to mount a volume containing your NGINX config files as /etc/nginx/conf.d.

The other option is to use this as a base image and copy your config into a custom image.

Mounting a volume makes it easier to get going, but if you build your own image you get the benefit of having your configuration in source control.

The other important aspect of using this image is application-tuned ModSecurity config files. There are two base config files, modsec.conf and modsec-detectiononly.conf, but you should create custom ModSecurity config files for each application you are protecting.

This allows you to fine-tune the rules that are enabled. For example, there is no point processing PHP-specific rules for Java or C# apps. These can be disabled with the SecRuleRemoveByTag directive. For example, SecRuleRemoveByTag "language-php" will disable rules specific to PHP apps.

You will additionally need to fine-tune the enabled rules for application-specific false positives. The SecRuleRemoveById directive lets you disable specific rules that are false positives for your application.

And don't forget to mount a volume for /var/log.
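
The tuning described above, as an added example that is not part of this repository's own config: a server block for a hypothetical Java application that loads a base config and then applies per-application overrides inline. The /etc/nginx/modsec/ path, the hostname, the upstream and the rule ID are assumptions; check where the base files live in the image, and take rule IDs from your own audit log under /var/log.

```nginx
# /etc/nginx/conf.d/app.conf -- constructed example; the hostname, upstream and
# the /etc/nginx/modsec/ path are assumptions, not taken from this image.
server {
    listen 80;
    server_name app.example.com;             # hypothetical Java application

    modsecurity on;

    # Start from the detection-only base config while tuning (assumed, from
    # its name, to log matches without blocking). Switch to modsec.conf once
    # the false positives have been handled.
    modsecurity_rules_file /etc/nginx/modsec/modsec-detectiononly.conf;

    # Application-specific overrides, merged with the base file above.
    # First directive: the backend runs no PHP, so drop the PHP-specific rules.
    # Second directive: sample ID only; replace it with a rule you have
    # confirmed as a false positive for this application.
    modsecurity_rules '
        SecRuleRemoveByTag "language-php"
        SecRuleRemoveById 920350
    ';

    location / {
        proxy_pass http://app-backend:8080;  # hypothetical upstream
        proxy_set_header Host $host;
    }
}
```

The same two override directives can instead live in a per-application ModSecurity file loaded with a second modsecurity_rules_file line, which keeps the tuning for each application in its own file.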

Example NGINX Config Files

I'm putting example config files under example-conf.

Copy what you want into your /etc/nginx/conf.d volume.

Contributing

I'm more than happy to receive contributions.

But if you have an idea please create an issue first so we can discuss it.