Base image and Dependency Upgrades

Author: samuelwalters1

.drone.yml

@@ -14,7 +14,7 @@ steps:
   image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/dind
   commands:
   - apk add curl bash wget tar
-  - n=0; while [ "$n" -lt 60 ] && [ ! docker stats --no-stream ]; do n=$(( n + 1 )); sleep 1; done
+  - /usr/local/bin/wait
   - ./ci-build.sh
   environment:
     GEOIP_ACCOUNT_ID:
@@ -27,17 +27,23 @@ steps:
     - push
     - tag
 
-- name: anchore_scan
-  image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/anchore-submission:latest
+- name: trivy_scan
+  image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/trivy/client:latest
+  pull: always
   environment:
     IMAGE_NAME: ngx:latest
-    WHITELIST: CVE-2019-5827 # Red Hat won't fix - https://access.redhat.com/security/cve/cve-2019-5827
-  depends_on:
-    - build_and_test_image
+    LOCAL_IMAGE: true
+    ALLOW_CVE_LIST_FILE: whitelist
+    SEVERITY: HIGH,CRITICAL
+    # Prevent build failure due to self-signed cert private key detection.
+    # This is a non-production key generated at build time for testing.
+    FAIL_ON_DETECTION: false
   when:
     event:
     - push
     - pull_request
+  depends_on:
+    - build_and_test_image
 
 - name: push_image_to_artifactory
   image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/dind
@@ -52,7 +58,7 @@ steps:
     DOCKER_REPO: artifactory-internal.digital.homeoffice.gov.uk
     DOCKER_USERNAME: docker-nginx-proxy-robot
   depends_on:
-    - build_and_test_image
+    - trivy_scan
   when:
     event:
     - tag
@@ -70,17 +76,11 @@ steps:
     DOCKER_REPO: quay.io
     DOCKER_USERNAME: ukhomeofficedigital+nginx_proxy
   depends_on:
-    - build_and_test_image
+    - trivy_scan
   when:
     event:
     - tag
 
 services:
 - name: docker
   image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/dind
-
-- name: anchore-submission-server
-  image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/anchore-submission:latest
-  pull: always
-  commands:
-    - /run.sh server

Dockerfile

@@ -1,4 +1,9 @@
-FROM quay.io/ukhomeofficedigital/centos-base:latest
+FROM almalinux:9.5
+
+RUN dnf update -y && \
+    dnf autoremove -y && \
+    dnf clean all && \
+    rm -rf /var/cache/dnf
 
 ARG GEOIP_ACCOUNT_ID
 ARG GEOIP_LICENSE_KEY
@@ -7,17 +12,17 @@ WORKDIR /root
 ADD ./build.sh /root/
 RUN ./build.sh
 
-RUN yum install -y openssl && \
-    yum clean all && \
+RUN dnf install -y openssl && \
+    dnf clean all && \
     mkdir -p /etc/keys && \
     openssl req -x509 -newkey rsa:2048 -keyout /etc/keys/key -out /etc/keys/crt -days 360 -nodes -subj '/CN=test' && \
-    chmod 644 /etc/keys/key
+    chmod 600 /etc/keys/key
 
 # This takes a while so best to do it during build
 RUN openssl dhparam -out /usr/local/openresty/nginx/conf/dhparam.pem 2048
 
-RUN yum install -y bind-utils dnsmasq && \
-    yum clean all
+RUN dnf install -y bind-utils dnsmasq diffutils && \
+    dnf clean all
 
 ADD ./naxsi/location.rules /usr/local/openresty/naxsi/location.template
 ADD ./nginx*.conf /usr/local/openresty/nginx/conf/
@@ -35,14 +40,14 @@ ADD ./readyness.sh /
 ADD ./helper.sh /
 ADD ./refresh_geoip.sh /
 
-RUN yum remove -y kernel-headers && \
-    yum clean all
+RUN dnf remove -y kernel-headers && \
+    dnf clean all
 
 RUN useradd -u 1000 nginx && \
     install -o nginx -g nginx -d \
       /usr/local/openresty/naxsi/locations \
       /usr/local/openresty/nginx/{client_body,fastcgi,proxy,scgi,uwsgi}_temp && \
-    chown -R nginx:nginx /usr/local/openresty/nginx/{conf,logs} /usr/share/GeoIP
+    chown -R nginx:nginx /usr/local/openresty/nginx/{conf,logs} /usr/share/GeoIP /etc/keys
 
 WORKDIR /usr/local/openresty
 

build.sh

@@ -15,7 +15,7 @@ GEOIP_LICENSE_KEY="${GEOIP_LICENSE_KEY:-xxxxxx}"
 GEOIP_CITY_URL="https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=${GEOIP_LICENSE_KEY}&suffix=tar.gz"
 GEOIP_COUNTRY_URL="https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=${GEOIP_LICENSE_KEY}&suffix=tar.gz"
 GEOIP_MOD_URL='https://github.com/leev/ngx_http_geoip2_module/archive/3.3.tar.gz'
-GEOIP_UPDATE_CLI='https://github.com/maxmind/geoipupdate/releases/download/v4.7.1/geoipupdate_4.7.1_linux_amd64.tar.gz'
+GEOIP_UPDATE_CLI='https://github.com/maxmind/geoipupdate/releases/download/v7.1.0/geoipupdate_7.1.0_linux_amd64.tar.gz'
 GEOIP_URL='https://github.com/maxmind/libmaxminddb/releases/download/1.6.0/libmaxminddb-1.6.0.tar.gz'
 LUAROCKS_URL='https://luarocks.github.io/luarocks/releases/luarocks-3.7.0.tar.gz'
 NAXSI_URL='https://github.com/nbs-system/naxsi/archive/1.3.tar.gz'
@@ -25,7 +25,7 @@ STATSD_URL='https://github.com/UKHomeOffice/nginx-statsd/archive/0.0.1-ngxpatch.
 MAXMIND_PATH='/usr/share/GeoIP'
 
 # Install dependencies to build from source
-yum -y install \
+dnf -y install \
     gcc-c++ \
     gcc \
     git \
@@ -39,7 +39,8 @@ yum -y install \
     readline-devel \
     tar \
     unzip \
-    wget
+    wget \
+    zlib-devel
 
 mkdir -p openresty luarocks naxsi nginx-statsd geoip geoipupdate ngx_http_geoip2_module
 
@@ -107,10 +108,11 @@ popd
 echo "Installing luarocks packages"
 luarocks install uuid
 luarocks install luasocket
+luarocks install lua-resty-openssl
 
 echo "Removing unnecessary developer tooling"
 rm -fr openresty naxsi nginx-statsd geoip luarocks ngx_http_geoip2_module
-yum -y remove \
+dnf -y remove \
     gcc-c++ \
     gcc \
     git \
@@ -121,4 +123,4 @@ yum -y remove \
     pcre-devel \
     readline-devel
 
-yum clean all
+dnf clean all

ci-build.sh

@@ -122,11 +122,11 @@ start_test "Start with minimal settings" "${STD_CMD} \
            -e \"PROXY_SERVICE_PORT=443\""
 
 echo "Test it's up and working..."
-wget -O /dev/null --quiet --no-check-certificate https://${DOCKER_HOST_NAME}:${PORT}/
+curl -sk -o /dev/null https://${DOCKER_HOST_NAME}:${PORT}/
 echo "Test limited protcol and SSL cipher... "
-docker run --link ${INSTANCE}:${INSTANCE}--rm --entrypoint bash ngx -c "echo GET / | /usr/bin/openssl s_client -cipher 'AES256+EECDH' -tls1_2 -connect ${INSTANCE}:10443" &> /dev/null;
+docker run --link ${INSTANCE}:${INSTANCE} --rm --entrypoint bash ngx -c "echo GET / | /usr/bin/openssl s_client -cipher 'AES256+EECDH' -tls1_2 -connect ${INSTANCE}:10443" &> /dev/null;
 echo "Test sslv2 not accepted...."
-if docker run --link ${INSTANCE}:${INSTANCE}--rm --entrypoint bash ngx -c "echo GET / | /usr/bin/openssl s_client -ssl2 -connect ${INSTANCE}:10443" &> /dev/null; then
+if docker run --link ${INSTANCE}:${INSTANCE} --rm --entrypoint bash ngx -c "echo GET / | /usr/bin/openssl s_client -ssl2 -connect ${INSTANCE}:10443" &> /dev/null; then
   echo "FAIL SSL defaults settings allow ssl2 ......"
   exit 2
 fi
@@ -151,7 +151,7 @@ start_test "Test GEODB settings can reject..." "${STD_CMD} \
            -e \"ADD_NGINX_LOCATION_CFG=error_page 403 /nginx-proxy/50x.shtml;\" \
            --link \"${MOCKSERVER}:${MOCKSERVER}\" "
 echo "Test GeoIP config IS rejected..."
-if ! curl -v -k -H "X-Forwarded-For: 1.1.1.1" https://${DOCKER_HOST_NAME}:${PORT}/ 2>&1 \/ | grep '403 Forbidden' ; then
+if ! curl -v -k -H "X-Forwarded-For: 8.8.8.8" https://${DOCKER_HOST_NAME}:${PORT}/ 2>&1 \/ | grep '403 Forbidden' ; then
   echo "We were expecting to be rejected with 403 error here - we are not in the Congo!"
   exit 2
 else
@@ -224,8 +224,7 @@ start_test "Start we auto add a protocol " "${STD_CMD} \
            -e \"PROXY_SERVICE_PORT=80\""
 
 echo "Test it works if we do not define the protocol.."
-wget -O /dev/null --quiet --no-check-certificate https://${DOCKER_HOST_NAME}:${PORT}/
-
+curl -sk -o /dev/null https://${DOCKER_HOST_NAME}:${PORT}/
 
 start_test "Start with multi locations settings" "${STD_CMD} \
            -e \"LOCATIONS_CSV=/,/wiki/Wikipedia:About\" \
@@ -236,9 +235,9 @@ start_test "Start with multi locations settings" "${STD_CMD} \
 
 
 echo "Test for location 1 @ /..."
-wget -O /dev/null --quiet --no-check-certificate https://${DOCKER_HOST_NAME}:${PORT}/
+curl -sk -o /dev/null https://${DOCKER_HOST_NAME}:${PORT}/
 echo "Test for wikipedia about page..."
-wget -O /dev/null --quiet --no-check-certificate --header="Host: en.wikipedia.org" https://${DOCKER_HOST_NAME}:${PORT}/wiki/Wikipedia:About
+curl -sk -o /dev/null -H "Host: en.wikipedia.org" https://${DOCKER_HOST_NAME}:${PORT}/wiki/Wikipedia:About
 
 start_test "Start with Multiple locations, single proxy and NAXSI download." "${STD_CMD} \
            -e \"PROXY_SERVICE_HOST=https://en.wikipedia.org\" \
@@ -248,7 +247,7 @@ start_test "Start with Multiple locations, single proxy and NAXSI download." "${
            -e \"NAXSI_RULES_MD5_CSV_1=3b3c24ed61683ab33d8441857c315432\""
 
 echo "Test for all OK..."
-wget -O /dev/null --quiet --no-check-certificate --header="Host: en.wikipedia.org" https://${DOCKER_HOST_NAME}:${PORT}/
+curl -sk -o /dev/null -H "Host: en.wikipedia.org" https://${DOCKER_HOST_NAME}:${PORT}/
 
 echo "Test client certs..."
 cd ./client_certs/
@@ -265,19 +264,20 @@ start_test "Start with Client CA, and single proxy. Block unauth for /standards"
            -e \"CLIENT_CERT_REQUIRED_2=TRUE\" "
 
 echo "Test access OK for basic area..."
-wget -O /dev/null --quiet --no-check-certificate https://${DOCKER_HOST_NAME}:${PORT}/
+curl -sk -o /dev/null https://${DOCKER_HOST_NAME}:${PORT}/
 
 echo "Test access denied for /standards/..."
-if wget -O /dev/null --quiet --no-check-certificate https://${DOCKER_HOST_NAME}:${PORT}/standards/ ; then
+if curl -sk -o /dev/null --fail https://${DOCKER_HOST_NAME}:${PORT}/standards/ ; then
     echo "Error - expecting auth fail!"
     exit 1
 else
     echo "Passed auth fail"
 fi
 echo "Test access OK for /standards/... with client cert..."
-wget -O /dev/null --quiet --no-check-certificate https://${DOCKER_HOST_NAME}:${PORT}/standards/ \
-     --certificate=./client_certs/client.crt \
-     --private-key=./client_certs/client.key
+curl -sk -o /dev/null \
+     --cert ./client_certs/client.crt \
+     --key ./client_certs/client.key \
+     https://${DOCKER_HOST_NAME}:${PORT}/standards/
 
 echo "Test upstream client certs..."
 docker build -t mutual-tls:latest ${WORKDIR} -f docker-config/Dockerfile.mutual-tls
@@ -301,7 +301,7 @@ start_test "Start with upstream client certs" \
            --link \"${MUTUAL_TLS}:${MUTUAL_TLS}\" "
 
 echo "Test it's up and working..."
-wget -O /dev/null --quiet --no-check-certificate https://${DOCKER_HOST_NAME}:${PORT}/
+curl -sk -o /dev/null https://${DOCKER_HOST_NAME}:${PORT}/
 tear_down_container "${MUTUAL_TLS}"
 
 echo "Test failure to verify upstream server cert..."
@@ -365,8 +365,8 @@ start_test "Start with Custom error pages redirect off" "${STD_CMD} \
            -e \"ENABLE_UUID_PARAM=FALSE\" \
            --link \"${MOCKSERVER}:${MOCKSERVER}\" "
 echo "Test All ok..."
-wget -O /dev/null --quiet --no-check-certificate https://${DOCKER_HOST_NAME}:${PORT}/
-wget -O /dev/null --quiet --no-check-certificate https://${DOCKER_HOST_NAME}:${PORT}/api/
+curl -sk -o /dev/null https://${DOCKER_HOST_NAME}:${PORT}/
+curl -sk -o /dev/null https://${DOCKER_HOST_NAME}:${PORT}/api/
 if curl -v -k https://${DOCKER_HOST_NAME}:${PORT}/api/dead | grep "Oh dear" ; then
     echo "Passed return text on error with ERROR_REDIRECT_CODES"
 else
@@ -431,7 +431,7 @@ start_test "Start with listen for port 80" "${STD_CMD} \
            -e \"HTTPS_REDIRECT_PORT=${PORT}\" \
            --link \"${MOCKSERVER}:${MOCKSERVER}\" "
 echo "Test Redirect ok..."
-wget -O /dev/null --quiet --no-check-certificate http://${DOCKER_HOST_NAME}:8888/
+curl -s -o /dev/null http://${DOCKER_HOST_NAME}:8888/
 
 
 start_test "Test text logging format..." "${STD_CMD} \
@@ -442,7 +442,7 @@ start_test "Test text logging format..." "${STD_CMD} \
            -e \"ENABLE_UUID_PARAM=FALSE\" \
            --link \"${MOCKSERVER}:${MOCKSERVER}\" "
 echo "Test request (with logging as text)..."
-wget -O /dev/null --quiet --no-check-certificate https://${DOCKER_HOST_NAME}:${PORT}/
+curl -sk -o /dev/null https://${DOCKER_HOST_NAME}:${PORT}/
 echo "Testing text logs format..."
 docker logs ${INSTANCE} | grep "\"GET / HTTP/1.1\" 200"
 
@@ -453,7 +453,7 @@ start_test "Test json logging format..." "${STD_CMD} \
            -e \"LOG_FORMAT_NAME=json\" \
            -e \"ENABLE_UUID_PARAM=FALSE\" \
            --link \"${MOCKSERVER}:${MOCKSERVER}\" "
-wget -O /dev/null --quiet --no-check-certificate https://${DOCKER_HOST_NAME}:${PORT}?animal=cow
+curl -sk -o /dev/null https://${DOCKER_HOST_NAME}:${PORT}?animal=cow
 echo "Testing json logs format..."
 docker logs ${INSTANCE}  | grep '{"proxy_proto_address":'
 docker logs ${INSTANCE}  | grep 'animal=cow'
@@ -467,7 +467,7 @@ start_test "Test param logging off option works..." "${STD_CMD} \
            -e \"ENABLE_UUID_PARAM=FALSE\" \
            -e \"NO_LOGGING_URL_PARAMS=TRUE\" \
            --link \"${MOCKSERVER}:${MOCKSERVER}\" "
-wget -O /dev/null --quiet --no-check-certificate https://${DOCKER_HOST_NAME}:${PORT}?animal=cow
+curl -sk -o /dev/null https://${DOCKER_HOST_NAME}:${PORT}?animal=cow
 echo "Testing no logging of url params option works..."
 docker logs ${INSTANCE} 2>/dev/null | grep '{"proxy_proto_address":'
 docker logs ${INSTANCE} 2>/dev/null | grep 'animal=cow' | wc -l | grep 0
@@ -479,7 +479,7 @@ start_test "Test ENABLE_WEB_SOCKETS..." "${STD_CMD} \
            -e \"ENABLE_WEB_SOCKETS=TRUE\" \
            -e \"ENABLE_UUID_PARAM=FALSE\" \
            --link \"${MOCKSERVER}:${MOCKSERVER}\" "
-wget -O /dev/null --quiet --no-check-certificate https://${DOCKER_HOST_NAME}:${PORT}/
+curl -sk -o /dev/null https://${DOCKER_HOST_NAME}:${PORT}/
 
 start_test "Test ADD_NGINX_LOCATION_CFG param..." "${STD_CMD} \
            -e \"PROXY_SERVICE_HOST=http://${MOCKSERVER}\" \
@@ -490,7 +490,7 @@ start_test "Test ADD_NGINX_LOCATION_CFG param..." "${STD_CMD} \
            -e \"ENABLE_UUID_PARAM=FALSE\" \
            --link \"${MOCKSERVER}:${MOCKSERVER}\" "
 echo "Test extra param works"
-wget  -O - -o /dev/null --quiet --no-check-certificate https://${DOCKER_HOST_NAME}:${PORT}/wow | grep "NICE"
+curl -sk https://${DOCKER_HOST_NAME}:${PORT}/wow | grep "NICE"
 
 
 start_test "Test UUID GET param logging option works..." "${STD_CMD} \
@@ -523,7 +523,7 @@ start_test "Test UUID header logging option works..." "${STD_CMD} \
            --link \"${MOCKSERVER}:${MOCKSERVER}\" "
 curl -sk https://${DOCKER_HOST_NAME}:${PORT}
 echo "Testing no logging of url params option works..."
-docker logs "${MOCKSERVER}" | grep 'Nginxid:'
+docker logs "${MOCKSERVER}" | grep 'nginxid->'
 docker logs ${INSTANCE} | grep '"nginx_uuid": "'
 
 start_test "Test UUID header logging option passes through supplied value..." "${STD_CMD} \
@@ -534,7 +534,7 @@ start_test "Test UUID header logging option passes through supplied value..." "$
            --link \"${MOCKSERVER}:${MOCKSERVER}\" "
 curl -sk -H "nginxId: 00000000-1111-2222-3333-444455556666" https://${DOCKER_HOST_NAME}:${PORT}
 echo "Testing no logging of url params option works..."
-docker logs "${MOCKSERVER}" | grep 'Nginxid:00000000-1111-2222-3333-444455556666'
+docker logs "${MOCKSERVER}" | grep 'nginxid->00000000-1111-2222-3333-444455556666'
 docker logs ${INSTANCE} | grep '"nginx_uuid": "00000000-1111-2222-3333-444455556666"'
 
 start_test "Test VERBOSE_ERROR_PAGES=TRUE displays debug info" "${STD_CMD} \

docker-config/Dockerfile.mockserver

@@ -1,3 +1,3 @@
-FROM quii/mockingjay-server:1.9.0
+FROM quii/mockingjay-server:1.12.0
 
 COPY test-servers.yaml /test-servers.yaml

docker-config/Dockerfile.slowmockserver

@@ -1,4 +1,4 @@
-FROM quii/mockingjay-server:1.9.0
+FROM quii/mockingjay-server:1.12.0
 
 COPY test-servers.yaml /test-servers.yaml
 COPY monkey-business.yaml /monkey-business.yaml

lua/set_uuid.lua

@@ -3,12 +3,17 @@ if os.getenv("LOG_UUID") == "FALSE" then
 else
     local uuid_str = ""
     if ngx.req.get_headers()["nginxId"] == nil then
-        local socket = require("socket")
         local uuid = require("uuid")
-        uuid.randomseed(socket.gettime()*10000)
+        local unpack = unpack or table.unpack
+
+        uuid.set_rng(function()
+            local random_bytes = require("resty.openssl.rand").bytes(16)
+            return random_bytes
+        end)
+
         uuid_str = uuid()
     else
-	uuid_str = ngx.req.get_headers()["nginxId"]
+        uuid_str = ngx.req.get_headers()["nginxId"]
     end
     ngx.var.uuid = uuid_str
     ngx.var.uuid_log_opt = " nginxId=" .. uuid_str

publish.sh

@@ -47,4 +47,4 @@ tag_n_push() {
 tag_n_push "${PATCH}"
 tag_n_push "${MINOR}"
 tag_n_push "${MAJOR}"
-tag_n_push "latest"
+#tag_n_push "latest"

whitelist

@@ -0,0 +1 @@
+