8000 allow waf users to build without dos repo access (#5041) · nginx/kubernetes-ingress@0d8224b · GitHub

Commit 0d8224b

authored
allow waf users to build without dos repo access (#5041)
1 parent d8f9912 commit 0d8224b


1 file changed

+38
-11
lines changed

1 file changed

+38
-11
lines changed

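--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -172,10 +172,16 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 --mount=type=bind,from=nginx-files,src=app-protect-security-updates.key,target=/tmp/app-protect-security-updates.key \
 --mount=type=bind,from=nginx-files,src=90pkgs-nginx,target=/etc/apt/apt.conf.d/90pkgs-nginx \
 --mount=type=bind,from=nginx-files,src=debian-plus-11.sources,target=/etc/apt/sources.list.d/nginx-plus.sources \
---mount=type=bind,from=nginx-files,src=nap-waf-11.sources,target=/etc/apt/sources.list.d/app-protect.sources \
---mount=type=bind,from=nginx-files,src=nap-dos-11.sources,target=/etc/apt/sources.list.d/app-protect-dos.sources \
+--mount=type=bind,from=nginx-files,src=nap-waf-11.sources,target=/tmp/app-protect.sources \
+--mount=type=bind,from=nginx-files,src=nap-dos-11.sources,target=/tmp/app-protect-dos.sources \
 ## the code below is duplicated from the debian-plus image because NAP doesn't support debian 12
-apt-get update \
+if [ -z "${NAP_MODULES##*waf*}" ]; then \
+cp /tmp/app-protect.sources /etc/apt/sources.list.d/app-protect.sources; \
+fi \
+&& if [ -z "${NAP_MODULES##*dos*}" ]; then \
+cp /tmp/app-protect-dos.sources /etc/apt/sources.list.d/app-protect-dos.sources; \
+fi \
+&& apt-get update \
 && apt-get upgrade -y \
 && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates sq \
 && groupadd --system --gid 101 nginx \
@@ -196,6 +202,12 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 && cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
 && ldconfig \
 ## end of duplicated code
+&& if [ -z "${NAP_MODULES##*waf*}" ]; then \
+rm -f /etc/apt/sources.list.d/app-protect.sources; \
+fi \
+&& if [ -z "${NAP_MODULES##*dos*}" ]; then \
+rm -f /etc/apt/sources.list.d/app-protect-dos.sources; \
+fi \
 && rm -rf /var/lib/apt/lists/*
 
 # Uncomment the lines below if you want to install a custom CA certificate
@@ -232,10 +244,13 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \
 --mount=type=bind,from=nginx-files,src=nginx-plus-9.repo,target=/etc/yum.repos.d/nginx-plus.repo,rw \
 --mount=type=bind,from=nginx-files,src=app-protect-security-updates.key,target=/tmp/app-protect-security-updates.key \
---mount=type=bind,from=nginx-files,src=app-protect-9.repo,target=/etc/yum.repos.d/app-protect-9.repo \
+--mount=type=bind,from=nginx-files,src=app-protect-9.repo,target=/tmp/app-protect-9.repo \
 source /tmp/rhel_license \
+&& if [ -z "${NAP_MODULES##*waf*}" ]; then \
+cp /tmp/app-protect-9.repo /etc/yum.repos.d/app-protect-9.repo; \
+fi \
 ## the code below is duplicated from the ubi-plus image because NAP WAF doesn't support UBI minimal versions
-dnf --nodocs install -y shadow-utils ca-certificates \
+&& dnf --nodocs install -y shadow-utils ca-certificates \
 && groupadd --system --gid 101 nginx \
 && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
 && rpm --import /tmp/nginx_signing.key \
@@ -252,12 +267,12 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 && if [ -z "${NAP_MODULES##*waf*}" ]; then \
 dnf --nodocs install -y app-protect app-protect-attack-signatures app-protect-threat-campaigns; \
 fi \
-&& if [ -z "${NAP_MODULES##*dos*}" ]; then \
-dnf --nodocs install -y app-protect-dos; \
-fi \
 # fix for CVEs
 && dnf upgrade -y curl ncurses \
 && subscription-manager unregister \
+&& if [ -z "${NAP_MODULES##*waf*}" ]; then \
+rm -f /etc/yum.repos.d/app-protect-9.repo; \
+fi \
 && dnf clean all
 
 ############################################# Base image for UBI with NGINX Plus and App Protect WAF & DoS #############################################
@@ -270,11 +285,17 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \
 --mount=type=bind,from=nginx-files,src=nginx-plus-8.repo,target=/etc/yum.repos.d/nginx-plus.repo,rw \
 --mount=type=bind,from=nginx-files,src=app-protect-security-updates.key,target=/tmp/app-protect-security-updates.key \
---mount=type=bind,from=nginx-files,src=app-protect-8.repo,target=/etc/yum.repos.d/app-protect-8.repo \
---mount=type=bind,from=nginx-files,src=app-protect-dos-8.repo,target=/etc/yum.repos.d/app-protect-dos-8.repo \
+--mount=type=bind,from=nginx-files,src=app-protect-8.repo,target=/tmp/app-protect-8.repo \
+--mount=type=bind,from=nginx-files,src=app-protect-dos-8.repo,target=/tmp/app-protect-dos-8.repo \
 source /tmp/rhel_license \
+&& if [ -z "${NAP_MODULES##*waf*}" ]; then \
+cp /tmp/app-protect-8.repo /etc/yum.repos.d/app-protect-8.repo; \
+fi \
+&& if [ -z "${NAP_MODULES##*dos*}" ]; then \
+cp /tmp/app-protect-dos-8.repo /etc/yum.repos.d/app-protect-dos-8.repo; \
+fi \
 ## the code below is duplicated from the ubi-plus image because NAP DOS doesn't support UBI 9 and minimal versions
-dnf --nodocs install -y shadow-utils ca-certificates \
+&& dnf --nodocs install -y shadow-utils ca-certificates \
 && dnf update -y \
 && groupadd --system --gid 101 nginx \
 && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
@@ -298,6 +319,12 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 # fix for CVEs
 && dnf upgrade -y curl ncurses \
 && subscription-manager unregister \
+&& if [ -z "${NAP_MODULES##*waf*}" ]; then \
+rm -f /etc/yum.repos.d/app-protect-8.repo; \
+fi \
+&& if [ -z "${NAP_MODULES##*dos*}" ]; then \
+rm -f /etc/yum.repos.d/app-protect-dos-8.repo; \
+fi \
 && dnf clean all
 
 # Uncomment the lines below if you want to install a custom CA certificate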
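Review bot: The `[ -z "${NAP_MODULES##*waf*}" ]` and `*dos*` tests that now gate copying the repo definitions are also true when NAP_MODULES is empty or unset, because stripping a prefix from an empty value leaves an empty string. In that case the first hunk (`@@ -172,10 +172,16 @@`) installs both app-protect.sources and app-protect-dos.sources before `apt-get update`, and the UBI 8 hunk (`@@ -270,11 +285,17 @@`) does the same for its two .repo files, so a WAF-only builder who omits the build arg would still contact the DoS repository. Whether NAP_MODULES has a default is not visible in these hunks, and each RUN instruction starts and ends outside them. A `case` test removes the ambiguity, for example `case "${NAP_MODULES}" in *dos*) cp /tmp/app-protect-dos.sources /etc/apt/sources.list.d/app-protect-dos.sources;; esac`. The matching `rm -f` cleanup could be unconditional, since `rm -f` ignores a missing file, which guarantees no entitlement repo definition stays in the image whatever value was passed.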
