docker: bump angie from 1.10.3 to 1.11.0 in /angie

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2025
+Copyright (c) 2025 hvaclab
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

angie/Dockerfile

@@ -10,9 +10,10 @@
 # ------------------------------------------------------------------------------
 FROM alpine:3.21 AS crs-builder
 
-# Install git for cloning CRS (pinned version for reproducibility)
+# Update packages and install git for cloning CRS
 # hadolint ignore=DL3018
-RUN apk add --no-cache git~=2.47
+RUN apk upgrade --no-cache && \
+    apk add --no-cache git
 
 # Clone OWASP CoreRuleSet (auto-updated on each build)
 ARG CRS_VERSION=v4.18.0
@@ -42,17 +43,17 @@ RUN mkdir -p /crs && \
 # ------------------------------------------------------------------------------
 # Pin to specific Angie version for reproducibility
 # Check for updates: https://angie.software/en/install/
-FROM docker.angie.software/angie:1.10.3
+FROM docker.angie.software/angie:1.11.1
 
-LABEL maintainer="your-email@example.com"
+LABEL maintainer="hvaclab"
 LABEL description="Angie web server with ModSecurity WAF and OWASP CRS"
 LABEL version="1.0.0"
 LABEL org.opencontainers.image.source="https://github.com/hvaclab/angie-modsecurity-docker"
 
-# Install tools for auto-setup (curl for GeoIP, openssl for DH params)
-# Versions pinned for reproducibility (Alpine 3.21 packages)
+# Update system packages to get security patches, then install tools
 # hadolint ignore=DL3018
-RUN apk add --no-cache curl~=8.14 openssl~=3.3
+RUN apk upgrade --no-cache && \
+    apk add --no-cache curl openssl
 
 # Copy CRS rules from builder
 COPY --from=crs-builder /crs/coreruleset /var/lib/angie/modsecurity/coreruleset

compose.yml

@@ -134,7 +134,7 @@ services:
       - "com.angie-modsecurity-docker.description=OAuth2 authentication proxy"
 
   fail2ban:
-    image: crazymax/fail2ban:latest
+    image: crazymax/fail2ban:1.1.0
     container_name: ${COMPOSE_PROJECT_NAME:-angie}-fail2ban
     restart: unless-stopped
     network_mode: "host"

scripts/check-ssl-expiry.sh

@@ -14,7 +14,7 @@ ALERT_DAYS=14  # Предупреждать за 14 дней до истечен
 EMAIL="admin@example.com"  # Замените на ваш email
 
 # Получить дату истечения сертификата
-EXPIRY_DATE=$(docker exec angie openssl x509 -in /var/lib/angie/acme/certificates/$DOMAIN.crt -noout -enddate 2>/dev/null | cut -d= -f2)
+EXPIRY_DATE=$(docker exec angie openssl x509 -in "/var/lib/angie/acme/certificates/${DOMAIN}.crt" -noout -enddate 2>/dev/null | cut -d= -f2)
 
 if [ -z "$EXPIRY_DATE" ]; then
     echo "ОШИБКА: Не удалось получить дату истечения сертификата для $DOMAIN"
@@ -41,7 +41,7 @@ if [ $DAYS_LEFT -lt 0 ]; then
 
     # Отправить alert (если настроен mail)
     if command -v mail &> /dev/null; then
-        echo "КРИТИЧНО: SSL сертификат $DOMAIN истёк $DAYS_LEFT дней назад!" | mail -s "SSL ALERT: $DOMAIN" $EMAIL
+        echo "КРИТИЧНО: SSL сертификат $DOMAIN истёк $DAYS_LEFT дней назад!" | mail -s "SSL ALERT: $DOMAIN" "$EMAIL"
     fi
 
     exit 2
@@ -53,7 +53,7 @@ elif [ $DAYS_LEFT -lt $ALERT_DAYS ]; then
 
     # Отправить warning (если настроен mail)
     if command -v mail &> /dev/null; then
-        echo "ВНИМАНИЕ: SSL сертификат $DOMAIN истекает через $DAYS_LEFT дней" | mail -s "SSL WARNING: $DOMAIN" $EMAIL
+        echo "ВНИМАНИЕ: SSL сертификат $DOMAIN истекает через $DAYS_LEFT дней" | mail -s "SSL WARNING: $DOMAIN" "$EMAIL"
     fi
 
     exit 1

scripts/rotate-logs.sh

@@ -42,7 +42,7 @@ rotate_log "error.log"
 docker exec angie angie -s reopen 2>/dev/null || echo "Warning: Could not reopen logs"
 
 # Удаляем логи старше KEEP_DAYS дней
-find "$LOG_DIR" -name "*.log.*.gz" -mtime +${KEEP_DAYS} -delete
+find "$LOG_DIR" -name "*.log.*.gz" -mtime +"${KEEP_DAYS}" -delete
 echo "Deleted logs older than ${KEEP_DAYS} days"
 
 # Статистика

scripts/test-local.sh

@@ -63,10 +63,10 @@ setup_test_certs() {
         log_info "Generated self-signed certificate"
     fi
 
-    # Generate DH params if not exists (small for speed)
+    # Generate DH params if not exists (2048-bit for security)
     if [ ! -f certs/dhparam.pem ]; then
-        openssl dhparam -out certs/dhparam.pem 1024 2>/dev/null
-        log_info "Generated DH parameters"
+        openssl dhparam -out certs/dhparam.pem 2048 2>/dev/null
+        log_info "Generated DH parameters (2048-bit)"
     fi
 }
 
@@ -83,7 +83,7 @@ start_container() {
     # Wait for container to be healthy
     log_info "Waiting for container to become healthy..."
     for i in {1..30}; do
-        STATUS=$(docker inspect --format='{{.State.Health.Status}}' $CONTAINER_NAME 2>/dev/null || echo "not_found")
+        STATUS=$(docker inspect --format='{{.State.Health.Status}}' "$CONTAINER_NAME" 2>/dev/null || echo "not_found")
         if [ "$STATUS" = "healthy" ]; then
             log_info "Container is healthy!"
             return 0
@@ -95,7 +95,7 @@ start_container() {
     done
 
     log_error "Container did not become healthy in 60 seconds"
-    docker logs $CONTAINER_NAME
+    docker logs "$CONTAINER_NAME"
     return 1
 }
 
@@ -151,7 +151,7 @@ run_tests() {
 
     # Test 6: No critical errors in logs
     echo -n "  Checking logs for errors... "
-    if docker logs $CONTAINER_NAME 2>&1 | grep -qi "emerg\|crit"; then
+    if docker logs "$CONTAINER_NAME" 2>&1 | grep -qi "emerg\|crit"; then
         echo -e "${RED}FAIL${NC} (critical errors found)"
         FAILED=1
     else
@@ -215,6 +215,6 @@ else
     log_error "Some tests failed!"
     echo ""
     echo "Container logs:"
-    docker logs $CONTAINER_NAME 2>&1 | tail -20
+    docker logs "$CONTAINER_NAME" 2>&1 | tail -20
     exit 1
 fi

scripts/test-rate-limiting.sh

@@ -20,9 +20,9 @@ echo ""
 echo "Отправка запросов..."
 echo ""
 
-for i in $(seq 1 $REQUESTS); do
+for i in $(seq 1 "$REQUESTS"); do
     # Отправить запрос и получить HTTP код
-    HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" -k $URL)
+    HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" -k "$URL")
 
     if [ "$HTTP_CODE" = "200" ]; then
         SUCCESS=$((SUCCESS + 1))