Compare revisions

ale · ale · ale · ale · ale · ale
--- a/Dockerfile
+++ b/Dockerfile
@@ -23,6 +23,11 @@ COPY docker/conf /tmp/conf
 COPY docker/build.sh /tmp/build.sh
 COPY --from=gobuild /src/modsec_logger /usr/local/bin/modsec_logger
+# Install wp-cli in /usr/local/bin (aliased as "wp").
+ADD https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar /usr/local/bin/wp-cli.phar
+COPY docker/wp /usr/local/bin/wp
+RUN chmod 0755 /usr/local/bin/wp /usr/local/bin/wp-cli.phar
 RUN /tmp/build.sh && rm /tmp/build.sh
 # For testing purposes (8080 is the default port of apache2-php-base).

--- a/composer.json
+++ b/composer.json
@@ -64,12 +64,10 @@
        "wpackagist-theme/minimalism": "1.0.3",
        "wpackagist-theme/mnml": "1.3",
        "wpackagist-theme/ocular-professor": "1.3.1",
-        "wpackagist-theme/primepress": "1.4.1",
        "wpackagist-theme/rusty-grunge": "1.3",
        "wpackagist-theme/simplex": "2.0.1.3",
        "wpackagist-theme/tanzaku": "1.1.1",
        "wpackagist-theme/thematic": "1.0.4",
-        "wpackagist-theme/the-scenery": "0.93",
        "wpackagist-theme/threattocreativity": "3.2",
        "wpackagist-theme/twentyeleven": "4.2",
        "wpackagist-theme/twentyfifteen": "3.2",
@@ -112,7 +110,7 @@
        "wpackagist-plugin/katex": "2.2.3",
        "noblogs/eu-compliance": "0.1.0",
        "noblogs/nospam": "0.2.2",
-        "noblogs/themes-misc": "0.1.11",
+        "noblogs/themes-misc": "0.1.12",
        "stuttter/ludicrousdb": "5.0.0",
        "wpackagist-plugin/creative-commons": "^2021.04",
        "wpackagist-plugin/disable-remove-google-fonts": "1.4.2",

--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
        "This file is @generated automatically"
    ],
-    "content-hash": "33ee0fd94561568fddd30f5815bcfd48",
+    "content-hash": "a6cb6388e7e8a5f169a6528e6711486b",
    "packages": [
        {
            "name": "bjornjohansen/wplang",
@@ -684,16 +684,16 @@
        },
        {
            "name": "noblogs/themes-misc",
-            "version": "0.1.11",
+            "version": "0.1.12",
            "source": {
                "type": "git",
                "url": "https://git.autistici.org/noblogs/themes-misc.git",
-                "reference": "9dc6fcc04d655fddebd8f7e1963f935e7b783254"
+                "reference": "a1b4a21a3b177419cec89f02d110ac6b0f5b7e5b"
            },
            "dist": {
                "type": "zip",
-                "url": "https://git.autistici.org/api/v4/projects/487/packages/composer/archives/noblogs/themes-misc.zip?sha=9dc6fcc04d655fddebd8f7e1963f935e7b783254",
+                "url": "https://git.autistici.org/api/v4/projects/487/packages/composer/archives/noblogs/themes-misc.zip?sha=a1b4a21a3b177419cec89f02d110ac6b0f5b7e5b",
-                "reference": "9dc6fcc04d655fddebd8f7e1963f935e7b783254",
+                "reference": "a1b4a21a3b177419cec89f02d110ac6b0f5b7e5b",
                "shasum": ""
            },
            "type": "project",
@@ -1782,24 +1782,6 @@
            "type": "wordpress-theme",
            "homepage": "https://wordpress.org/themes/ocular-professor/"
        },
-        {
-            "name": "wpackagist-theme/primepress",
-            "version": "1.4.1",
-            "source": {
-                "type": "svn",
-                "url": "https://themes.svn.wordpress.org/primepress/",
-                "reference": "1.4.1"
-            },
-            "dist": {
-                "type": "zip",
-                "url": "https://downloads.wordpress.org/theme/primepress.1.4.1.zip"
-            },
-            "require": {
-                "composer/installers": "^1.0 || ^2.0"
-            },
-            "type": "wordpress-theme",
-            "homepage": "https://wordpress.org/themes/primepress/"
-        },
        {
            "name": "wpackagist-theme/rusty-grunge",
            "version": "1.3",
@@ -1872,24 +1854,6 @@
            "type": "wordpress-theme",
            "homepage": "https://wordpress.org/themes/tanzaku/"
        },
-        {
-            "name": "wpackagist-theme/the-scenery",
-            "version": "0.93",
-            "source": {
-                "type": "svn",
-                "url": "https://themes.svn.wordpress.org/the-scenery/",
-                "reference": "0.93"
-            },
-            "dist": {
-                "type": "zip",
-                "url": "https://downloads.wordpress.org/theme/the-scenery.0.93.zip"
-            },
-            "require": {
-                "composer/installers": "^1.0 || ^2.0"
-            },
-            "type": "wordpress-theme",
-            "homepage": "https://wordpress.org/themes/the-scenery/"
-        },
        {
            "name": "wpackagist-theme/thematic",
            "version": "1.0.4",

--- a/docker/build.sh
+++ b/docker/build.sh
@@ -27,6 +27,7 @@ PACKAGES="
        php-mbstring
        php-xml
        php-zip
+        openssl
        noblogs-cli
 "

--- a/docker/conf/modsecurity/crs/crs-setup.conf
+++ b/docker/conf/modsecurity/crs/crs-setup.conf
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
+# OWASP ModSecurity Core Rule Set ver.3.3.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -88,7 +88,7 @@
 # Default: Anomaly Scoring mode, log to error log, log to ModSecurity audit log
 # - By default, offending requests are blocked with an error 403 response.
-# - To change the disruptive action, see RESPONSE-999-EXCEPTIONS.conf.example
+# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
 #   and review section 'Changing the Disruptive Action for Anomaly Mode'.
 # - In Apache, you can use ErrorDocument to show a friendly error page or
 #   perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
@@ -98,7 +98,7 @@ SecDefaultAction "phase:2,log,noauditlog,pass"
 # Example: Anomaly Scoring mode, log only to ModSecurity audit log
 # - By default, offending requests are blocked with an error 403 response.
-# - To change the disruptive action, see RESPONSE-999-EXCEPTIONS.conf.example
+# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
 #   and review section 'Changing the Disruptive Action for Anomaly Mode'.
 # - In Apache, you can use ErrorDocument to show a friendly error page or
 #   perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
@@ -163,7 +163,7 @@ SecDefaultAction "phase:2,log,noauditlog,pass"
 #   likely produce a very high number of FPs which have to be
 #   treated before the site can go productive.
 #
-# Rules in paranoia level 2 or higher will log their PL to the audit log;
+# All rules will log their PL to the audit log;
 # example: [tag "paranoia-level/2"]. This allows you to deduct from the
 # audit log how the WAF behavior is affected by paranoia level.
 #
@@ -383,30 +383,18 @@ SecAction \
 #  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
 # Content-Types that a client is allowed to send in a request.
-# Default: application/x-www-form-urlencoded|multipart/form-data|text/xml|\
+# Default: |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related|
-# application/xml|application/soap+xml|application/x-amf|application/json|\
+# |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json|
-# application/octet-stream|text/plain
+# |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream|
+# |application/csp-report| |application/xss-auditor-report| |text/plain|
 # Uncomment this rule to change the default.
-#SecAction \
+SecAction \
-# "id:900220,\
+ "id:900220,\
-#  phase:1,\
+  phase:1,\
-#  nolog,\
+  nolog,\
-#  pass,\
+  pass,\
-#  t:none,\
+  t:none,\
-#  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text/plain'"
+  setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |application/activity+json| |text/plain|'"
-# Content-Types charsets that a client is allowed to send in a request.
-# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252
-# Uncomment this rule to change the default.
-# Use "|" to separate multiple charsets like in the rule defining
-# tx.allowed_request_content_type.
-#SecAction \
-# "id:900270,\
-#  phase:1,\
-#  nolog,\
-#  pass,\
-#  t:none,\
-#  setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
 # Allowed HTTP versions.
 # Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
@@ -424,8 +412,8 @@ SecAction \
 # Forbidden file extensions.
 # Guards against unintended exposure of development/configuration files.
-# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
+# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
-# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .sql/
+# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .rdb/ .sql/
 # Uncomment this rule to change the default.
 #SecAction \
 # "id:900240,\
@@ -433,12 +421,12 @@ SecAction \
 #  nolog,\
 #  pass,\
 #  t:none,\
-#  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
+#  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
 # Forbidden request headers.
 # Header names should be lowercase, enclosed by /slashes/ as delimiters.
 # Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org
-# Default: /proxy/ /lock-token/ /content-range/ /translate/ /if/
+# Default: /proxy/ /lock-token/ /content-range/ /if/
 # Uncomment this rule to change the default.
 #SecAction \
 # "id:900250,\
@@ -446,7 +434,7 @@ SecAction \
 #  nolog,\
 #  pass,\
 #  t:none,\
-#  setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /translate/ /if/'"
+#  setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
 # File extensions considered static files.
 # Extensions include the dot, lowercase, enclosed by /slashes/ as delimiters.
@@ -461,6 +449,18 @@ SecAction \
 #  t:none,\
 #  setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
+# Content-Types charsets that a client is allowed to send in a request.
+# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252
+# Uncomment this rule to change the default.
+# Use "|" to separate multiple charsets like in the rule defining
+# tx.allowed_request_content_type.
+#SecAction \
+# "id:900280,\
+#  phase:1,\
+#  nolog,\
+#  pass,\
+#  t:none,\
+#  setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
 #
 # -- [[ HTTP Argument/Upload Limits ]] -----------------------------------------
@@ -565,7 +565,7 @@ SecAction \
 # entry in the audit log (for performance reasons), but an error log entry is
 # written.  If you want to disable the error log entry, then issue the
 # following directive somewhere after the inclusion of the CRS
-# (E.g., RESPONSE-999-EXCEPTIONS.conf).
+# (E.g., RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf).
 #
 # SecRuleUpdateActionById 901150 "nolog"
 #
@@ -617,20 +617,49 @@ SecAction \
 #
 # To use geolocation, we make use of the MaxMind GeoIP database.
 # This database is not included with the CRS and must be downloaded.
-# You should also update the database regularly, for instance every month.
-# The CRS contains a tool to download it to util/geo-location/GeoIP.dat:
-#   util/upgrade.py --geoip
 #
-# This product includes GeoLite data created by MaxMind, available from:
+# There are two formats for the GeoIP database. ModSecurity v2 uses GeoLite (.dat files),
-# http://www.maxmind.com.
+# and ModSecurity v3 uses GeoLite2 (.mmdb files).
+#
+# If you use ModSecurity 3, MaxMind provides a binary for updating GeoLite2 files,
+# see https://github.com/maxmind/geoipupdate.
+#
+# Download the package for your OS, and read https://dev.maxmind.com/geoip/geoipupdate/
+# for configuration options.
+#
+# Warning: GeoLite (not GeoLite2) databases are considered legacy, and not being updated anymore.
+# See https://support.maxmind.com/geolite-legacy-discontinuation-notice/ for more info.
+#
+# Therefore, if you use ModSecurity v2, you need to regenerate updated .dat files
+# from CSV files first.
+#
+# You can achieve this using https://github.com/sherpya/geolite2legacy
+# Pick the zip files from maxmind site:
+# https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip
+#
+# Follow the guidelines for installing the tool and run:
+# ./geolite2legacy.py -i GeoLite2-Country-CSV.zip \
+#                     -f geoname2fips.csv -o /usr/share/GeoliteCountry.dat
+#
+# Update the database regularly, see Step 3 of the configuration link above.
+#
+# By default, when you execute `sudo geoipupdate` on Linux, files from the free database
+# will be downloaded to `/usr/share/GeoIP` (both v1 and v2).
+#
+# Then choose from:
+#   - `GeoLite2-Country.mmdb` (if you are using ModSecurity v3)
+#   - `GeoLiteCountry.dat`    (if you are using ModSecurity v2)
 #
 # Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html
 # Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html
 #
-# Uncomment this rule to use this feature:
+# Uncomment only one of the next rules here to use this feature.
+# Choose the one depending on the ModSecurity version you are using, and change the path accordingly:
 #
-#SecGeoLookupDB /usr/share/GeoIP/GeoLiteCity.dat
+# For ModSecurity v3:
+#SecGeoLookupDB /usr/share/GeoIP/GeoLite2-Country.mmdb
+# For ModSecurity v2 (points to the converted one):
+#SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat
 #
 # -=[ Block Countries ]=-
@@ -711,7 +740,7 @@ SecAction \
 # -- [[ Blocking Based on IP Reputation ]] ------------------------------------
 #
 # Blocking based on reputation is permanent in the CRS. Unlike other rules,
-# which look at the indvidual request, the blocking of IPs is based on
+# which look at the individual request, the blocking of IPs is based on
 # a persistent record in the IP collection, which remains active for a
 # certain amount of time.
 #
@@ -775,52 +804,6 @@ SecAction \
 SecCollectionTimeout 600
-#
-# -- [[ Debug Mode ]] ----------------------------------------------------------
-#
-# To enable rule development and debugging, CRS has an optional debug mode
-# that does not block a request, but instead sends detection information
-# back to the HTTP client.
-#
-# This functionality is currently only supported with the Apache web server.
-# The Apache mod_headers module is required.
-#
-# In debug mode, the webserver inserts "X-WAF-Events" / "X-WAF-Score"
-# response headers whenever a debug client makes a request. Example:
-#
-#   # curl -v 'http://192.168.1.100/?foo=../etc/passwd'
-#   X-WAF-Events: TX:930110-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-REQUEST_URI,
-#                TX:930120-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-ARGS:foo,
-#                TX:932160-OWASP_CRS/WEB_ATTACK/RCE-ARGS:foo
-#   X-WAF-Score: Total=15; sqli=0; xss=0; rfi=0; lfi=10; rce=5; php=0; http=0; ses=0
-#
-# To enable debug mode, include the RESPONSE-981-DEBUG.conf file.
-# This file resides in a separate folder, as it is not compatible with
-# nginx and IIS.
-#
-# You must specify the source IP address/network where you will be running the
-# tests from. The source IP will BYPASS all CRS blocking, and will be sent the
-# response headers as specified above. Be careful to only list your private
-# IP addresses/networks here.
-#
-# Tip: for regression testing of CRS or your own ModSecurity rules, you may
-# be interested in using the OWASP CRS regression testing suite instead.
-# View the file util/regression-tests/README for more information.
-#
-# Uncomment these rules, filling in your CRS path and the source IP address,
-# to enable debug mode:
-#
-#Include /usr/share/modsecurity-crs/util/debug/RESPONSE-981-DEBUG.conf
-#SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
-# "id:900980,\
-#  phase:1,\
-#  nolog,\
-#  pass,\
-#  t:none,\
-#  ctl:ruleEngine=DetectionOnly,\
-#  setvar:tx.crs_debug_mode=1"
 #
 # -- [[ End of setup ]] --------------------------------------------------------
 #
@@ -838,4 +821,4 @@ SecAction \
  nolog,\
  pass,\
  t:none,\
-  setvar:tx.crs_setup_version=310"
+  setvar:tx.crs_setup_version=330"
--- a/docker/conf/services.d/cleanup/run
+++ b/docker/conf/services.d/cleanup/run
+#!/bin/sh
+# Delete old temporary files (uploads etc).
+exec every 3600 find /opt/noblogs/tmp -type f \! -name "1000-*" -mtime +1 -delete
--- a/docker/conf/services.d/wpcron/run
+++ b/docker/conf/services.d/wpcron/run
+#!/bin/sh
+# Run WP-Cron periodically.
+# The "run-cron" execution takes a few minutes, so the actual period
+# comess out at something closer to 10 minutes.
+export BATCH_SIZE=300
+exec every 300 on-local-blogs run-cron >/dev/null
--- a/docker/wp
+++ b/docker/wp
+#!/bin/sh
+exec /usr/local/bin/wp-cli.phar --path=/opt/noblogs/www "$@"
No results found