From 2922594a8f492c7b1bd58d2f341c3683ed22c217 Mon Sep 17 00:00:00 2001
From: Paul Fernihough
Date: Mon, 31 Aug 2020 19:25:12 +0100
Subject: [PATCH] Added sensible security defaults to apache images - 403 response for hidden files/dirs and common backup/source file types
---
 apache-extras.template | 10 +++++++++-
 php7.2/apache/Dockerfile | 10 +++++++++-
 php7.3/apache/Dockerfile | 10 +++++++++-
 php7.4/apache/Dockerfile | 10 +++++++++-
 4 files changed, 36 insertions(+), 4 deletions(-)
diff --git a/apache-extras.template b/apache-extras.template
index 9903a738d2..513e099bbe 100644
--- a/apache-extras.template
+++ b/apache-extras.template
@@ -15,4 +15,12 @@ RUN set -eux; \
 a2enconf remoteip; \
 # https://github.com/docker-library/wordpress/issues/383#issuecomment-507886512
 # (replace all instances of "%h" with "%a" in LogFormat)
- find /etc/apache2 -type f -name '*.conf' -exec sed -ri 's/([[:space:]]*LogFormat[[:space:]]+"[^"]*)%h([^"]*")/\1%a\2/g' '{}' +
+ find /etc/apache2 -type f -name '*.conf' -exec sed -ri 's/([[:space:]]*LogFormat[[:space:]]+"[^"]*)%h([^"]*")/\1%a\2/g' '{}' +; \
+# apply sensible security defaults: 403 hidden files/dirs + common backup/source filetypes
+ { \
+ echo 'RedirectMatch 403 /\..*$'; \
+ echo ''; \
+ echo 'Require all denied'; \
+ echo ''; \
+ } > /etc/apache2/conf-available/forbidden.conf; \
+ a2enconf forbidden
diff --git a/php7.2/apache/Dockerfile b/php7.2/apache/Dockerfile
index 1666292c1d..225836c6fb 100644
--- a/php7.2/apache/Dockerfile
+++ b/php7.2/apache/Dockerfile
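Review bot: The two `echo ''` lines inside the new `{ ... } > /etc/apache2/conf-available/forbidden.conf` group only emit blank lines, so the file as written contains a bare `Require all denied` at server-config scope, which denies every request to every vhost rather than only the backup/source file types the comment above it describes; it needs to sit inside a container, e.g. `echo '<FilesMatch "\.(SUFFIX_LIST)$">'` before it and `echo '</FilesMatch>'` after it (SUFFIX_LIST is a placeholder for the intended suffixes). The `RedirectMatch 403 /\..*$` line matches `/.` anywhere in the URL path, so it also returns 403 for `/.well-known/` (ACME HTTP-01 challenges, security.txt); a negative lookahead such as `RedirectMatch 403 "/\.(?!well-known/)"` keeps that path reachable, and the trailing `.*$` adds nothing. The same block is added to php7.2, php7.3 and php7.4 apache/Dockerfile in the hunks below, and the php7.3 copy's comment reads `apply some sensible security defaults` where the template and the other two read `apply sensible security defaults`; if those Dockerfiles are generated from this template, the php7.3 copy looks hand-edited and will drift on the next regeneration. The enclosing `RUN set -eux` instruction starts outside the hunk.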
@@ -90,7 +90,15 @@ RUN set -eux; \
 a2enconf remoteip; \
 # https://github.com/docker-library/wordpress/issues/383#issuecomment-507886512
 # (replace all instances of "%h" with "%a" in LogFormat)
- find /etc/apache2 -type f -name '*.conf' -exec sed -ri 's/([[:space:]]*LogFormat[[:space:]]+"[^"]*)%h([^"]*")/\1%a\2/g' '{}' +
+ find /etc/apache2 -type f -name '*.conf' -exec sed -ri 's/([[:space:]]*LogFormat[[:space:]]+"[^"]*)%h([^"]*")/\1%a\2/g' '{}' +; \
+# apply sensible security defaults: 403 hidden files/dirs + common backup/source filetypes
+ { \
+ echo 'RedirectMatch 403 /\..*$'; \
+ echo ''; \
+ echo 'Require all denied'; \
+ echo ''; \
+ } > /etc/apache2/conf-available/forbidden.conf; \
+ a2enconf forbidden
 ENV WORDPRESS_VERSION 5.5
diff --git a/php7.3/apache/Dockerfile b/php7.3/apache/Dockerfile
index 3681298c31..ccddf5c8ed 100644
--- a/php7.3/apache/Dockerfile
+++ b/php7.3/apache/Dockerfile
@@ -91,7 +91,15 @@ RUN set -eux; \
 a2enconf remoteip; \
 # https://github.com/docker-library/wordpress/issues/383#issuecomment-507886512
 # (replace all instances of "%h" with "%a" in LogFormat)
- find /etc/apache2 -type f -name '*.conf' -exec sed -ri 's/([[:space:]]*LogFormat[[:space:]]+"[^"]*)%h([^"]*")/\1%a\2/g' '{}' +
+ find /etc/apache2 -type f -name '*.conf' -exec sed -ri 's/([[:space:]]*LogFormat[[:space:]]+"[^"]*)%h([^"]*")/\1%a\2/g' '{}' +; \
+# apply some sensible security defaults: 403 hidden files/dirs + common backup/source filetypes
+ { \
+ echo 'RedirectMatch 403 /\..*$'; \
+ echo ''; \
+ echo 'Require all denied'; \
+ echo ''; \
+ } > /etc/apache2/conf-available/forbidden.conf; \
+ a2enconf forbidden
 ENV WORDPRESS_VERSION 5.5
diff --git a/php7.4/apache/Dockerfile b/php7.4/apache/Dockerfile
index a53bac71fb..0199e1eddf 100644
--- a/php7.4/apache/Dockerfile
+++ b/php7.4/apache/Dockerfile
@@ -91,7 +91,15 @@ RUN set -eux; \
 a2enconf remoteip; \
 # https://github.com/docker-library/wordpress/issues/383#issuecomment-507886512
 # (replace all instances of "%h" with "%a" in LogFormat)
- find /etc/apache2 -type f -name '*.conf' -exec sed -ri 's/([[:space:]]*LogFormat[[:space:]]+"[^"]*)%h([^"]*")/\1%a\2/g' '{}' +
+ find /etc/apache2 -type f -name '*.conf' -exec sed -ri 's/([[:space:]]*LogFormat[[:space:]]+"[^"]*)%h([^"]*")/\1%a\2/g' '{}' +; \
+# apply sensible security defaults: 403 hidden files/dirs + common backup/source filetypes
+ { \
+ echo 'RedirectMatch 403 /\..*$'; \
+ echo ''; \
+ echo 'Require all denied'; \
+ echo ''; \
+ } > /etc/apache2/conf-available/forbidden.conf; \
+ a2enconf forbidden
 ENV WORDPRESS_VERSION 5.5