Docker image for the Apache HTTP Server that already includes the security files based on the information at securitytxt.org. It is based on the official httpd image, so most of the credit does not go to me; I only added a basic security.txt to the .well-known folder. That file links to a few further files placed in the .well-known/security folder.

To implement the standard, the following files are added.

security.txt is the main entry point, and its format is bound by the securitytxt.org specification. The contents of the file look like this:
```text
Contact: mail: please contact the webmaster
Preferred-Languages: en
Acknowledgments: /.well-known/security/hall-of-fame.txt
Encryption: /.well-known/security/encryption.txt
Policy: /.well-known/security/policy.txt
Hiring: /.well-known/security/hiring.txt
```
The hall-of-fame text file only contains one sentence, basically stating "nothing to see here":

```text
Since there has been no security reports yet, there is no one to mention on this page.
```
The encryption text file only contains one sentence, basically stating that encryption can be ignored:

```text
You can contact me directly via mail, There is no need for additional encryption
```
The policy text file only contains one sentence, basically stating "nothing to see here":

```text
There is no real policy here, I just would appreciate it if you do not attack me and just notify me of the (potential) security leak, so I can fix it as quickly as possible.
```
The hiring text file only contains one sentence, basically stating "nothing to see here":

```text
I'm not hiring anyone, this is just a hobby project :)
```
All security checks are done by scout.docker.com (Docker Scout). The last check was performed on 18-04-2024. During that scan, one high-risk and two medium-risk issues were found. They are not yet fixed because no fix is available yet.
| Id | CVSS Risk | CVSS Score | Summary |
|---|---|---|---|
| CVE-2023-52425 | High | 7.5 | Libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. |
| CVE-2024-2236 | Medium | 5.9 | A timing-based side-channel flaw was found in libgcrypt's RSA implementation. |
| CVE-2024-28182 | Medium | 5.3 | The nghttp2 library keeps reading an unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset, to keep the HPACK context in sync. |
In total, there are 19 low-risk issues that are not further addressed yet.
The deployed files are in essence good enough that they do not have to be changed: all links are relative, and the contact information states that the webmaster email address can be used. It is, however, advisable to change them anyway, so that the information is correct for your site and possibly more detailed than the basics.
See timotielens.nl/.well-known/security.txt as an example.
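Before publishing a customised security.txt, it is worth checking it against the MUST rules of the securitytxt.org specification (RFC 9116): Contact has to be a URI such as `mailto:`, and an Expires field is required. The validator below is an added example, not part of this image; the sample content is constructed to mirror the file shipped above, so the checks report what would need changing.

```python
import re
from datetime import datetime, timezone

# Constructed sample mirroring the security.txt shipped in this image
# (illustration only; not fetched from a live server).
SAMPLE = """Contact: mail: please contact the webmaster
Preferred-Languages: en
Acknowledgments: /.well-known/security/hall-of-fame.txt
Encryption: /.well-known/security/encryption.txt
Policy: /.well-known/security/policy.txt
Hiring: /.well-known/security/hiring.txt
"""

# scheme ':' rest, with no whitespace anywhere (mailto:, tel:, https:)
URI_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:\S+$")

def parse_security_txt(text):
    """Return {field: [values]} for 'Field: value' lines; skip comments and blanks."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a field line
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate(text, now=None):
    """Return a list of problems against the RFC 9116 MUST rules (non-exhaustive)."""
    now = now or datetime.now(timezone.utc)
    f = parse_security_txt(text)
    problems = []
    contacts = f.get("contact", [])
    if not contacts:
        problems.append("Contact field is missing")
    for c in contacts:
        if not URI_RE.match(c):
            problems.append(f"Contact is not a URI (use mailto:, tel: or https:): {c!r}")
    expires = f.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires field must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when <= now:
                problems.append(f"security.txt expired on {expires[0]}")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 datetime: {expires[0]!r}")
    return problems
```

Run `validate(open("security/security.txt").read())` against your own copy in the mapped security volume; an empty list means the required fields are present and well-formed.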
See the example docker-compose file that can be used to host this container:

```yaml
version: '3.9'
services:
  webserver:
    image: timotielens/http-security:latest
    ports:
      - '8080:80'
    volumes:
      - ./website:/usr/local/apache2/htdocs
      - ./security:/usr/local/apache2/htdocs/.well-known
```
This compose file deploys the container so that it can be reached on port 8080. There are two volume mappings: the first (`./website`) is the folder from which the web server files are served, and the second (`./security`) is mapped onto `.well-known` and is where you edit the security files to customise them for your site.
If you would like to build this container from scratch, use the following steps:

- Clone this repo locally and open a console in the root folder.
- Build the container with the following command:
  `docker build --build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') --build-arg BUILD_NAME=timotielens/http-security --build-arg BUILD_DESCRIPTION="Docker Image for Apache HTTP Server that already includes the security files" -t timotielens/http-security:2.4.59 .`
- You can now run it locally with: `docker run -p 8080:80 timotielens/http-security:latest`
- If, for some reason, you want to push it to hub.docker.com, first make sure you are logged in by running `docker login -u timotielens`. Once logged in, push the container with `docker push timotielens/http-security:2.4.59`.