diff --git a/pkgs/servers/http/nginx/default.nix b/pkgs/servers/http/nginx/default.nix
index 7888a772e2a..54f4e1599b8 100644
--- a/pkgs/servers/http/nginx/default.nix
+++ b/pkgs/servers/http/nginx/default.nix
@@ -1,11 +1,13 @@
 { stdenv, fetchurl, fetchFromGitHub, openssl, zlib, pcre, libxml2, libxslt, expat
 , gd, geoip, luajit
+, curl, apr, aprutil, apacheHttpd, yajl, libcap, modsecurity_standalone
 , rtmp ? false
 , fullWebDAV ? false
 , syslog ? false
 , moreheaders ? false
 , echo ? false
-, ngx_lua ? false
+, modsecurity ? false
+, ngx_lua ? modsecurity || false
 , set_misc ? false
 , fluent ? false
 , extraModules ? []
@@ -48,6 +50,8 @@ let
     sha256 = "01wkqhk8mk8jgmzi7jbzmg5kamffx3lmhj5yfwryvnvs6xqs74wn";
   };
 
+  modsecurity-ext = modsecurity_standalone.nginx;
+
   echo-ext = fetchFromGitHub {
     owner = "openresty";
     repo = "echo-nginx-module";
@@ -93,7 +97,8 @@ stdenv.mkDerivation rec {
   buildInputs = [ openssl zlib pcre libxml2 libxslt gd geoip ]
     ++ optional fullWebDAV expat
-    ++ optional ngx_lua luajit;
+    ++ optional ngx_lua luajit
+    ++ optionals modsecurity [ curl apr aprutil apacheHttpd yajl ];
 
   LUAJIT_LIB = if ngx_lua then "${luajit}/lib" else "";
   LUAJIT_INC = if ngx_lua then "${luajit}/include/luajit-2.0" else "";
 
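Review bot: `libcap` is added to the function head in the first hunk but is not referenced by any hunk of this diff — it appears neither in `buildInputs` nor in the configure flags — so as far as this change shows it is an unused parameter that should be dropped or given the use it was meant for. On the same lines, `ngx_lua ? modsecurity || false` is just `ngx_lua ? modsecurity`, and nothing in the diff says why enabling ModSecurity must switch on the Lua modules (the new `tools/security/modsecurity/default.nix` does not build against Lua at all). If the coupling is real, state the reason in a comment on that line, e.g. `# ngx_lua is forced on with modsecurity because <reason>`; if it is not, drop the `modsecurity ||` part. The function head continues below the hunk.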
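Review bot: `yajl` is added to nginx's `buildInputs` here (and `-I${yajl}/include` later in the diff), but the new ModSecurity derivation in this same change neither lists yajl in its `buildInputs` nor passes a `--with-yajl` configure flag, so the standalone library is presumably built without JSON support while nginx is compiled as if it had it. Either add yajl to `tools/security/modsecurity/default.nix` so both sides agree, or remove it from nginx; a one-line comment on the `optionals modsecurity [...]` line saying these are the headers/libraries the standalone module's objects need would stop the two lists drifting again. `apacheHttpd` in `buildInputs` is needed for the httpd headers the module compiles against, but it is worth confirming with `nix-store -q --references` that the built nginx does not keep a runtime reference to it.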
@@ -132,14 +137,17 @@ stdenv.mkDerivation rec {
     ++ optional echo "--add-module=${echo-ext}"
     ++ optional ngx_lua "--add-module=${develkit-ext} --add-module=${lua-ext}"
     ++ optional set_misc "--add-module=${set-misc-ext}"
-    ++ optionals (elem stdenv.system (with platforms; linux ++ freebsd))
+    ++ optionals (elem stdenv.system (with platforms; linux ++ freebsd))
       [ "--with-file-aio" "--with-aio_module" ]
     ++ optional fluent "--add-module=${fluentd}"
+    ++ optional modsecurity "--add-module=${modsecurity-ext}/nginx/modsecurity"
     ++ (map (m: "--add-module=${m}") extraModules);
 
   additionalFlags = optionalString stdenv.isDarwin "-Wno-error=deprecated-declarations -Wno-error=conditional-uninitialized";
 
+  NIX_CFLAGS_COMPILE = optionalString modsecurity "-I${aprutil}/include/apr-1 -I${apacheHttpd}/include -I${apr}/include/apr-1 -I${yajl}/include";
+
   preConfigure = ''
     export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -I${libxml2}/include/libxml2 $additionalFlags"
   '';
 
diff --git a/pkgs/tools/security/modsecurity/default.nix b/pkgs/tools/security/modsecurity/default.nix
new file mode 100644
index 00000000000..5ed6c9ecdc4
--- /dev/null
+++ b/pkgs/tools/security/modsecurity/default.nix
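Review bot: `--add-module=${modsecurity-ext}/nginx/modsecurity` puts the `nginx` output of `modsecurity_standalone` on nginx's configure line, and since upstream nginx embeds that line in the binary (it is what `nginx -V` prints) the output very likely becomes a runtime reference; because the companion file fills that output with `cp -R *` of the whole ModSecurity build tree, the nginx closure would grow by that entire tree — confirm with `nix-store -qR` on the result and trim the `nginx` output to what the module's `config` file actually needs. Compiling the module in also does not filter anything by itself: nothing happens until the nginx configuration sets `ModSecurityEnabled on;` and points `ModSecurityConfig` at a rule set, so the `modsecurity` flag deserves a comment such as `# builds in the WAF module only; rules must be enabled in nginx.conf (ModSecurityEnabled / ModSecurityConfig)`. The new `NIX_CFLAGS_COMPILE` attribute and the `export NIX_CFLAGS_COMPILE=...` in `preConfigure` feed the same variable from two places, which works but is easy to misread; folding the extra `-I` paths into the single `preConfigure` line would be clearer. The `configureFlags` list this hunk edits starts above the hunk.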
@@ -0,0 +1,45 @@
+{ stdenv, lib, fetchurl
+, curl, apacheHttpd, pcre, apr, aprutil, libxml2 }:
+
+with lib;
+
+stdenv.mkDerivation rec {
+  name = "modsecurity-${version}";
+  version = "2.9.0";
+
+  src = fetchurl {
+    url = "https://www.modsecurity.org/tarball/${version}/${name}.tar.gz";
+    sha256 = "e2bbf789966c1f80094d88d9085a81bde082b2054f8e38e0db571ca49208f434";
+  };
+
+  buildInputs = [ curl apacheHttpd pcre apr aprutil libxml2 ];
+  configureFlags = [
+    "--enable-standalone-module"
+    "--enable-static"
+    "--with-curl=${curl}"
+    "--with-apxs=${apacheHttpd}/bin/apxs"
+    "--with-pcre=${pcre}"
+    "--with-apr=${apr}"
+    "--with-apu=${aprutil}/bin/apu-1-config"
+    "--with-libxml=${libxml2}"
+  ];
+
+  outputs = ["out" "nginx"];
+
+  preBuild = ''
+    substituteInPlace apache2/Makefile.in --replace "install -D " "# install -D"
+  '';
+
+  postInstall = ''
+    mkdir -p $nginx
+    cp -R * $nginx
+  '';
+
+  meta = {
+    description = "Open source, cross-platform web application firewall (WAF)";
+    license = licenses.asl20;
+    homepage = https://www.modsecurity.org/;
+    maintainers = with maintainers; [offline];
+    platforms = with platforms; linux;
+  };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 2dc97040d5e..a9137e0dc93 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -2227,6 +2227,8 @@ let
   modemmanager = callPackage ../tools/networking/modemmanager {};
 
+  modsecurity_standalone = callPackage ../tools/security/modsecurity { };
+
   monit = callPackage ../tools/system/monit { };
 
   moreutils = callPackage ../tools/misc/moreutils {
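Review bot: `cp -R * $nginx` in `postInstall` copies the entire unpacked build directory — sources, object files, `config.log`, configure scripts — into the `nginx` output, and that output is what the nginx derivation points `--add-module` at, so everything in it can end up in nginx's closure; ship only what the module needs (the `nginx/modsecurity` directory and the standalone build products its `config` file refers to — check the exact paths in that file before trimming) and explain the output in a comment, e.g. `# "nginx" carries the module's config/sources plus the standalone objects nginx links against`. With `--enable-static` and the `substituteInPlace` that comments out `install -D` in `apache2/Makefile.in`, part of the normal install step is disabled, and it is not clear from this file what (if anything) lands in `$out`; state the intent in a comment next to `preBuild`, or drop the `out` output if it stays empty. The tarball is fetched over https with a pinned sha256, which is as it should be; `meta.description` should also say that this builds the 2.x standalone module for nginx specifically, and if upstream's "experimental" status for that integration still applies, say so there too.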