This docker container creates a basic nginx server that proxies incoming SSL/TLS calls to a target host after they have been processed by the ModSecurity Web Application Firewall (WAF).

In other words, it allows you to:

• Protect against a wide range (but not all) of web attacks using ModSecurity Web Application Firewall
• To configure an SSL/TLS certificate for a specific host
• It uses Nginx proxy to direct traffic to your host. It can be placed "in front" of your host.

ModSecurity protects against web attacks by looking for:

• SQL Injection
• Ensuring the content type matches the body data.
• Protection against malformed POST requests.
• HTTP Protocol Protection
• Real-time Blacklist Lookups
• HTTP Denial of Service Protections
• Generic Web Attack Protection

The implementation of a Web Application Firewall will never be the perfect and undefeated solution for your security issues at the level of your application. But it will for sure boost your security level. For this matter, I have run a full security audit using Burp Suite Pro against one of the most vulnerable web application called DVWA (Damn Vulnerable Web Application).

Unprotected DVWA	Protected DVWA

As you can see, this docker container is a significant boost to the security of the application.

The following environment variables configure nginx:

• SEC_RULE_ENGINE: set value for SecRuleEngine (default value: DetectionOnly)
• HTTP_VERSION: Sets the HTTP protocol version for proxying. (default value: 1.1)
• DOMAIN: domain in the SSL certificate (default value: www.example.com)
• TARGET_PORT: target port for the reverse proxy (default value: 80)
• TARGET_HOST: target host for the reverse proxy (default value: proxyapp)
• TARGET_HOST_HEADER: value to be used as the Host header when sending requests to the target host (defaults to the value of $TARGET_HOST)
• CLIENT_MAX_BODY_SIZE: maximum size of client uploads (default value: 20M)
• SSL_PORT: port ngnix SSL proxy listens on

The SSL certificate is generated using a own-ROOT-ca that is available in the directory /etc/nginx/ca, you may use Docker volumes to share the CAs with other containers, so they can trust the installed certificate.

You can use existing SSL certificates for your DOMAIN by connecting an volume onto /usr/local/nginx/certs with following files inside:

• key.pem: private key file
• cert.pem: certificate file

The certificate generator will check on existing key.pem and abort.

You can get the publicly available docker image at the following location: web-security-docker

docker run -e SEC_RULE_ENGINE=On -e HTTP_VERSION=1.1 -e DOMAIN=testphp.vulnweb.com -e TARGET_PORT=80 -e TARGET_HOST=testphp.vulnweb.com -e CLIENT_MAX_BODY_SIZE=200M -e SSL_PORT=8443 -p 8443:8443 -v nginx-certs:/usr/local/nginx/certs nitesculucian/web-security-docker

First of all clone the git repository:

git clone [email protected]:NitescuLucian/web-security-docker.git

Example of docker-compose.yml:

version: '2'
services:
    waf:
        build: waf
        hostname: ngnix-security
        restart: always
        ports:
            - 8443:8443
        environment:
            - SEC_RULE_ENGINE=On
            - HTTP_VERSION=1.1
            - DOMAIN=testphp.vulnweb.com
            - TARGET_PORT=80
            - TARGET_HOST=testphp.vulnweb.com
            - CLIENT_MAX_BODY_SIZE=200M
            - SSL_PORT=8443
        volumes: ['nginx-certs:/usr/local/nginx/certs']
volumes: {"nginx-certs"}

Note that for the above configuration, the private key and certificate files will be available under /var/lib/docker/volumes/websecuritydocker_nginx-certs/_data folder.

Start everything up with:

docker-compose up --build

It is recommended to run SEC_RULE_ENGINE with DetectionOnly value to ensure that the implementation will not block any application functionality. If no alerts are to be detected on normal use of the application, you can change the value to Onto block potential attacks.

You can always contact me on:

• Twitter: @LucianNitescu
• Linkedin: Lucian Nitescu

For any security issue or bugs please use the github issue page and please provide sufficient information.

• docker-ssl-proxy: https://github.com/fsouza/docker-ssl-proxy
• docker-waf: https://github.com/theonemule/docker-waf

This docker container was designed for my personal needs, and I needed something understandable, easy to deploy and easy to use.