From 9191854ba68362f5fe17f62d5d5df75fa2023366 Mon Sep 17 00:00:00 2001 From: Kentaro Hayashi Date: Mon, 4 Jan 2021 15:29:01 +0900 Subject: [PATCH 1/2] rpm: add openresty-modsecurity 3.0.4 This spec is based on EPEL7 https://dl.fedoraproject.org/pub/epel/7/SRPMS/Packages/l/libmodsecurity-3.0.2-6.el7.src.rpm Signed-off-by: Kentaro Hayashi --- rpm/SOURCES/modsecurity.pc | 10 ++ rpm/SPECS/openresty-modsecurity.spec | 153 +++++++++++++++++++++++++++ 2 files changed, 163 insertions(+) create mode 100644 rpm/SOURCES/modsecurity.pc create mode 100644 rpm/SPECS/openresty-modsecurity.spec diff --git a/rpm/SOURCES/modsecurity.pc b/rpm/SOURCES/modsecurity.pc new file mode 100644 index 000000000..bd96f7217 --- /dev/null +++ b/rpm/SOURCES/modsecurity.pc @@ -0,0 +1,10 @@ +prefix=/usr/local/openresty/modsecurity +exec_prefix=${prefix} +libdir=@libdir@ +includedir=${prefix}/include + +Name: ModSecurity +Description: ModSecurity API +Version: 3.0.4 +Cflags: -I${prefix}/include +Libs: -L@libdir@ -lmodsecurity diff --git a/rpm/SPECS/openresty-modsecurity.spec b/rpm/SPECS/openresty-modsecurity.spec new file mode 100644 index 000000000..8e1af86db --- /dev/null +++ b/rpm/SPECS/openresty-modsecurity.spec @@ -0,0 +1,153 @@ +Name: openresty-modsecurity +Version: 3.0.4 +Release: 1%{?dist} +Summary: A library that loads/interprets rules written in the ModSecurity SecRules + +License: ASL 2.0 +URL: https://www.modsecurity.org/ + +Source0: https://github.com/SpiderLabs/ModSecurity/releases/download/v%{version}/modsecurity-v%{version}.tar.gz + +# Back-port of the pkg-config file expected in the 3.0.3 release +Source1: modsecurity.pc + +# Drop needless patch for 3.0.4 +#Patch0: ModSecurity_cookie_parsing_fix_303.patch + +BuildRequires: gcc-c++ +BuildRequires: make +BuildRequires: flex +BuildRequires: bison +BuildRequires: git-core +BuildRequires: ssdeep-devel +BuildRequires: pkgconfig(libxml-2.0) +BuildRequires: pkgconfig(yajl) +# Disable curl explicitly because of undefined reference with EVP_KDF_xxx +# It is defined in libssh system library. +#BuildRequires: pkgconfig(libcurl) +BuildRequires: pkgconfig(geoip) +BuildRequires: pkgconfig(libpcre) +BuildRequires: pkgconfig(lmdb) + +# libinjection is supposed to be bundled (same as with mod_security 2.x) +# See: https://github.com/client9/libinjection#embedding +Provides: bundled(libinjection) = 3.9.2 + +%define orprefix %{_usr}/local/openresty +%define zlib_prefix %{orprefix}/zlib +%define pcre_prefix %{orprefix}/pcre +%define openssl_prefix %{orprefix}/openssl111 +%define modsecurity_prefix %{orprefix}/modsecurity + +%description +Libmodsecurity is one component of the ModSecurity v3 project. +The library codebase serves as an interface to ModSecurity Connectors +taking in web traffic and applying traditional ModSecurity processing. +In general, it provides the capability to load/interpret rules written +in the ModSecurity SecRules format and apply them to HTTP content provided +by your application via Connectors. + + +%package devel +Summary: Development files for %{name} +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description devel +The %{name}-devel package contains libraries and header files for +developing applications that use %{name}. + +%package static +Summary: Development files for %{name} +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description static +The %{name}-static package contains static libraries for developing +applications that use %{name}. + + + +%prep +%autosetup -n modsecurity-v%{version} -S git + + +%build +export LD_LIBRARY_PATH=%{zlib_prefix}/lib:%{pcre_prefix}/lib:%{openssl_prefix}/lib +%configure --prefix=%{modsecurity_prefix} \ + --bindir=%{modsecurity_prefix}/bin \ + --libdir=%{modsecurity_prefix}/lib \ + --includedir=%{modsecurity_prefix}/include \ + --with-curl=no \ + --with-lmdb +%make_build + + +%install +%make_install + +# see Source1 above +mkdir -p %{buildroot}%{modsecurity_prefix}/lib/pkgconfig +sed s:@libdir@:%{modsecurity_prefix}/lib: <%{S:1} >%{buildroot}%{modsecurity_prefix}/lib/pkgconfig/modsecurity.pc + + + +%files +%doc README.md AUTHORS +%{modsecurity_prefix}/lib/*.so.* +%{modsecurity_prefix}/bin/* +%license LICENSE + +%files devel +%doc README.md AUTHORS +%{modsecurity_prefix}/include/* +%{modsecurity_prefix}/lib/*.so +%{modsecurity_prefix}/lib/pkgconfig +%license LICENSE + +%files static +%{modsecurity_prefix}/lib/*.a +%{modsecurity_prefix}/lib/*.la + + +%changelog +* Wed Jan 6 2021 Kentaro Hayashi - 3.0.4-1 +- Update to 3.0.4. + +* Sat Mar 21 2020 Othman Madjoudj - 3.0.2-6 +- Fix DoS vulnerability (CVE-2019-19886, RHBZ #1801720 / #1801719) + +* Fri Feb 01 2019 Fedora Release Engineering - 3.0.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Oct 19 2018 Dridi Boukelmoune - 3.0.2-4 +- Back-port of modsecurity.pc + +* Fri Jul 13 2018 Fedora Release Engineering - 3.0.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Sun Apr 29 2018 Athmane Madjoudj - 3.0.2-2 +- Rebuild after PR#1 + +* Sat Apr 14 2018 Athmane Madjoudj - 3.0.2-1 +- Update to 3.0.2 (rhbz #1563219) + +* Wed Feb 07 2018 Fedora Release Engineering - 3.0.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sun Jan 21 2018 Athmane Madjoudj - 3.0.0-1 +- Update to 3.0.0 final release +- Drop upstreamed patch +- Add some new BRs + +* Sun Oct 22 2017 Athmane Madjoudj - 3.0.0-0.2.rc1 +- Add a patch to fix the build on non-x86 arch + +* Fri Sep 01 2017 Athmane Madjoudj - 3.0.0-0.1.rc1 +- Fix release tag + +* Wed Aug 30 2017 Athmane Madjoudj - 3.0.0-0.rc1 +- Update to RC1 +- Fix some spec issues + +* Mon Feb 22 2016 Athmane Madjoudj 3.0-0.git +- Initial release + From df354eb857d6b1d6dc8634bb785d674a74f4e281 Mon Sep 17 00:00:00 2001 From: Kentaro Hayashi Date: Mon, 4 Jan 2021 14:03:26 +0900 Subject: [PATCH 2/2] rpm: support ModSecurity nginx Signed-off-by: Kentaro Hayashi --- rpm/SPECS/openresty.spec | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/rpm/SPECS/openresty.spec b/rpm/SPECS/openresty.spec index 8a9c7fde1..5cd505219 100644 --- a/rpm/SPECS/openresty.spec +++ b/rpm/SPECS/openresty.spec @@ -16,8 +16,11 @@ Source0: https://openresty.org/download/openresty-%{version}.tar.gz %define use_systemd 1 %endif +%define modsecurity_nginx_version v1.0.1 + Source1: openresty.service Source2: openresty.init +Source3: https://github.com/SpiderLabs/ModSecurity-nginx/releases/download/%{modsecurity_nginx_version}/modsecurity-nginx-%{modsecurity_nginx_version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -26,6 +29,9 @@ BuildRequires: ccache, gcc, make, perl, systemtap-sdt-devel BuildRequires: openresty-zlib-devel >= 1.2.11-3 BuildRequires: openresty-openssl111-devel >= 1.1.1h-1 BuildRequires: openresty-pcre-devel >= 8.44-1 +%if 0%{?centos} >= 7 +BuildRequires: openresty-modsecurity-devel +%endif Requires: openresty-zlib >= 1.2.11-3 Requires: openresty-openssl111 >= 1.1.1h-1 Requires: openresty-pcre >= 8.44-1 @@ -62,6 +68,7 @@ AutoReqProv: no %define zlib_prefix %{orprefix}/zlib %define pcre_prefix %{orprefix}/pcre %define openssl_prefix %{orprefix}/openssl111 +%define modsecurity_prefix %{orprefix}/modsecurity %description @@ -96,6 +103,7 @@ a single box. mkdir -p "${RPM_BUILD_ROOT}/usr/src/debug/openresty-%{version}"; \ mkdir -p "${RPM_BUILD_ROOT}/usr/src/debug/tmp"; \ mkdir -p "${RPM_BUILD_ROOT}/usr/src/debug/builddir"; \ + mkdir -p "${RPM_BUILD_ROOT}/usr/src/debug/modsecurity-nginx-%{modsecurity_nginx_version}"; %{nil} %endif @@ -122,7 +130,6 @@ Requires: perl(File::Spec), perl(FindBin), perl(List::Util), perl(Getopt:: BuildArch: noarch %endif - %description resty This package contains the "resty" command-line utility for OpenResty, which runs OpenResty Lua scripts on the terminal using a headless NGINX behind the @@ -187,15 +194,19 @@ This package provides the client side tool, opm, for OpenResty Pakcage Manager ( %prep +tar xf %{SOURCE3} %setup -q -n "openresty-%{version}" %build +export MODSECURITY_INC=%{modsecurity_prefix}/include +export MODSECURITY_LIB=%{modsecurity_prefix}/lib +export YAJL_LIB=%{_libdir} ./configure \ --prefix="%{orprefix}" \ --with-cc='ccache gcc -fdiagnostics-color=always' \ - --with-cc-opt="-DNGX_LUA_ABORT_AT_PANIC -I%{zlib_prefix}/include -I%{pcre_prefix}/include -I%{openssl_prefix}/include" \ - --with-ld-opt="-L%{zlib_prefix}/lib -L%{pcre_prefix}/lib -L%{openssl_prefix}/lib -Wl,-rpath,%{zlib_prefix}/lib:%{pcre_prefix}/lib:%{openssl_prefix}/lib" \ + --with-cc-opt="-DNGX_LUA_ABORT_AT_PANIC -I%{zlib_prefix}/include -I%{pcre_prefix}/include -I%{openssl_prefix}/include -I%{modsecurity_prefix}/include -I%{_includedir}" \ + --with-ld-opt="-L%{zlib_prefix}/lib -L%{pcre_prefix}/lib -L%{openssl_prefix}/lib -L%{modsecurity_prefix}/lib -Wl,-rpath,%{zlib_prefix}/lib:%{pcre_prefix}/lib:%{openssl_prefix}/lib:%{modsecurity_prefix}/lib -L%{_libdir}" \ --with-pcre-jit \ --without-http_rds_json_module \ --without-http_rds_csv_module \ @@ -222,6 +233,7 @@ This package provides the client side tool, opm, for OpenResty Pakcage Manager ( --with-threads \ --with-compat \ --with-luajit-xcflags='-DLUAJIT_NUMMODE=2 -DLUAJIT_ENABLE_LUA52COMPAT' \ + --add-module=../modsecurity-nginx-%{modsecurity_nginx_version} \ %{?_smp_mflags} make %{?_smp_mflags}