authorW. Kosior <koszko@koszko.org>2025-02-11 13:16:56 +0100
committerW. Kosior <koszko@koszko.org>2025-02-17 14:18:58 +0100
commit4b32e0bf9b1339a9c82300fb992ce2cafa2dda0f (patch)
treeb352d612562df523662d5d6e161cd6ef7f8ad3b1
parent005639678c1f229c2800294af6fb208f02ccb18d (diff)
gnu modsecurity: Add ModSecurity Web Application Firewall.
This commit adds the "httpd-modsecurity" package with ModSecurity2. It comes in 2 variants: one using older pcre with tests enabled and one with pcre2 but non-working tests. The latter is exported from the module. There's also a definition for "libmodsecurity" package containing the library part of ModSecurity3. No http server-specific connectors for it are packaged in this commit, though. * gnu/local.mk (GNU_SYSTEM_MODULES): Add `modsecurity.scm'. * gnu/packages/modsecurity.scm: New file. Change-Id: Ida54a64c52383ff217be067322f3d1c6ea4da020
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/modsecurity.scm168
2 files changed, 169 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 018dd2d62b..9dadec9cf3 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -484,6 +484,7 @@ GNU_SYSTEM_MODULES = \
%D%/packages/minetest.scm \
%D%/packages/mingw.scm \
%D%/packages/microcom.scm \
+ %D%/packages/modsecurity.scm \
%D%/packages/moe.scm \
%D%/packages/mold.scm \
%D%/packages/motti.scm \
diff --git a/gnu/packages/modsecurity.scm b/gnu/packages/modsecurity.scm
new file mode 100644
index 0000000000..164c054799
--- /dev/null
+++ b/gnu/packages/modsecurity.scm
@@ -0,0 +1,168 @@
+;;; Copyright © 2025 Wojtek Kosior <koszko@koszko.org>
+;;; Licensed under the Creative Commons Zero v1.0.
+
+(define-module (gnu packages modsecurity)
+ #:use-module ((gnu packages apr) #:select (apr apr-util))
+ #:use-module ((gnu packages autotools) #:select (autoconf automake libtool))
+ #:use-module ((gnu packages bison) #:select (bison))
+ #:use-module ((gnu packages curl) #:select (curl))
+ #:use-module ((gnu packages databases) #:select (lmdb))
+ #:use-module ((gnu packages datastructures) #:select (ssdeep))
+ #:use-module ((gnu packages documentation) #:select (doxygen))
+ #:use-module ((gnu packages flex) #:select (flex))
+ #:use-module ((gnu packages geo) #:select (libmaxminddb))
+ #:use-module ((gnu packages lua) #:select (lua))
+ #:use-module ((gnu packages pcre) #:select (pcre pcre2))
+ #:use-module ((gnu packages perl) #:select (perl))
+ #:use-module ((gnu packages pkg-config) #:select (pkg-config))
+ #:use-module ((gnu packages xml) #:select (libxml2))
+ #:use-module ((gnu packages valgrind) #:select (valgrind))
+ #:use-module ((gnu packages web) #:select (httpd yajl))
+ #:use-module ((guix build-system gnu) #:select (gnu-build-system))
+ #:use-module ((guix gexp) #:select (gexp file-append))
+ #:use-module ((guix git-download) #:select
+ (git-fetch git-file-name git-reference))
+ #:use-module ((guix licenses) #:select (asl2.0 bsd-3))
+ #:use-module ((guix packages) #:select
+ (base32 delete modify-inputs origin package package-arguments
+ package-inputs replace))
+ #:use-module ((guix utils) #:select (substitute-keyword-arguments)))
+
+
+
+(define-public libmodsecurity
+ (package
+ (name "libmodsecurity")
+ (version "3.0.13")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/owasp-modsecurity/ModSecurity")
+ (commit (format #f "v~a" version))
+ (recursive? #t)))
+ (file-name (git-file-name name version))
+ (sha256 (base32
+ "0khzm7wfd34w3zdhinq8z46c21pwcczb5jvg2j0b0d1v9nvzaggv"))))
+ (build-system gnu-build-system)
+ (arguments (list
+ #:configure-flags
+ #~(cons* "--with-pcre2"
+ (map (lambda (name)
+ (format #f "--with-~a=~a" name
+ (assoc-ref %build-inputs name)))
+ '("curl" "lmdb" "ssdeep")))
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-after 'patch-source-shebangs 'patch-prog-paths-in-tests
+ (lambda _
+ (let* ((PATH (string-split (getenv "PATH") #\:))
+ (/bin/echo (search-path PATH "echo"))
+ (/bin/ech (string-drop-right /bin/echo 1))
+ (regression "test/test-cases/regression"))
+ (for-each
+ (lambda (test)
+ (substitute*
+ (format #f "test/test-cases/regression/~a.json"
+ test)
+ (("/bin/ech") /bin/ech)))
+ '("action-exec" "operator-inpectFile")))))
+ (add-before 'configure 'fix-ssdeep-searching
+ (lambda _
+ (substitute* "build/ssdeep.m4"
+ (("\\[Path to ssdeep prefix\\]\\)\\]" matched)
+ (string-append
+ matched
+ ",[SSDEEP_POSSIBLE_PATHS=\"${with_ssdeep}\";"
+ " with_ssdeep=yes]"))))))))
+ (inputs (list curl libmaxminddb libxml2 lmdb lua pcre2 ssdeep yajl))
+ (native-inputs (list autoconf
+ automake
+ bison
+ doxygen
+ libtool
+ flex
+ perl
+ pkg-config
+ valgrind))
+ (synopsis "Free software web application firewall (WAF) library")
+ (description "Libmodsecurity is one component of the ModSecurity v3 project.
+The library codebase serves as an interface to ModSecurity Connectors taking in
+web traffic and applying traditional ModSecurity processing.")
+ (home-page "https://modsecurity.org/")
+ (license (list asl2.0 ;; libmodsecurity, Mbed TLS
+ bsd-3)))) ;; libinjection
+
+(define httpd-modsecurity-with-older-pcre
+ (package
+ (name "httpd-modsecurity")
+ (version "2.9.8")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/owasp-modsecurity/ModSecurity")
+ (commit (format #f "v~a" version))))
+ (file-name (git-file-name name version))
+ (sha256 (base32
+ "04mjmc0kp3k56lvi4s8vmksiqsamspsj5cqbk14bkr36xrw5g7kw"))))
+ (build-system gnu-build-system)
+ (arguments (list
+ #:configure-flags
+ #~(let ((inputs `(("apu" . ,(assoc-ref %build-inputs "apr-util"))
+ ("apxs" . ,(assoc-ref %build-inputs "httpd"))
+ . ,%build-inputs)))
+ (map (lambda (name)
+ (format #f "--with-~a=~a"
+ name (assoc-ref inputs name)))
+ '("apr" "apu" "apxs" "curl" "pcre" "ssdeep")))
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-after 'unpack 'supply-id_log-for-test-linking
+ (lambda _
+ (let ((port (open-file "tests/msc_test.c" "a")))
+ ;; True `id_log' is in `apache2/apache2_config.c' which
+ ;; isn't and cannot (easily) be linked with the test.
+ (format port "const char* id_log(msre_rule* _) ~
+ {return \"DUMMY\";}")
+ (close port))))
+ (add-after 'unpack 'fix-module-installation-prefix
+ (lambda _
+ (substitute* "apache2/Makefile.am"
+ (("(\\$.DESTDIR.)(\\$.APXS_MODULES.)" _ dst apxs_mods)
+ (format #f "~a$(prefix)~a" dst apxs_mods)))))
+ (add-after 'install-license-files 'install-NOTICE-file
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let* ((out (assoc-ref outputs "out"))
+ (package (strip-store-file-name out)))
+ (install-file "NOTICE" (format #f "~a/share/doc/~a"
+ out package))))))))
+ (inputs (list apr
+ apr-util
+ curl
+ httpd
+ libxml2
+ lua
+ (list pcre "bin")
+ ssdeep
+ yajl))
+ (native-inputs (list autoconf automake httpd libtool perl pkg-config))
+ (synopsis "Free software web application firewall (WAF) module")
+ (description "ModSecurity enables web application defenders to gain
+visibility into HTTP(S) and provides a power rules language and API to implement
+advanced protections.")
+ (home-page "https://modsecurity.org/")
+ (license (list asl2.0))))
+
+(define-public httpd-modsecurity
+ (let ((base httpd-modsecurity-with-older-pcre))
+ (package
+ (inherit base)
+ (arguments (substitute-keyword-arguments (package-arguments base)
+ ;; Sadly, tests don't seem to work with PRCE2.
+ ((#:tests? _ #f) #f)
+ ((#:configure-flags flags)
+ #~(cons (format #f "--with-pcre2=~a"
+ (assoc-ref %build-inputs "pcre2"))
+ #$flags))))
+ (inputs (modify-inputs (package-inputs base)
+ (delete "pcre")
+ (append pcre2))))))
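Review bot: The exported `httpd-modsecurity` variant at the end of the file sets `#:tests? #f`, so the PCRE2 build that users actually install is never exercised by the test suite; only the unexported `httpd-modsecurity-with-older-pcre` runs it. For a WAF module the comment should record what fails and where it is tracked, not only that tests "don't seem to work". I would replace it with `;; FIXME: The test suite fails when built against PCRE2 (<upstream issue URL>); re-enable once fixed. The PCRE1 variant above still runs it.`, which also corrects the "PRCE2" spelling. Separately, `(recursive? #t)` in the `libmodsecurity` origin appears to pull in the bundled libinjection and Mbed TLS named in the license comment, so a short comment noting that their security fixes arrive only with a new ModSecurity tag would help whoever maintains the package.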