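# =============================================================================
# Platform container — Rocky Linux 9
# Runs: Apache (HTTPS) + mod-reqin-log + sentinel + correlator
#
# Multi-stage:
#   1. go-builder — compile correlator (static, no CGO) on golang image
#   2. platform   — Rocky Linux 9: builds sentinel (CGO+libpcap), mod-reqin-log,
#                   installs Apache, runs everything
#
# sentinel is compiled on Rocky so it links against the same libpcap as runtime.
# This mirrors RPM packaging where build and target are the same distro.
#
# Integration-test image: the configs come from tests/integration/platform/,
# the final stage keeps compilers and -devel packages, and a throwaway TLS key
# is generated at build time. Do not reuse it as a production base.
# =============================================================================

# ---------------------------------------------------------------------------
# Stage 1: Build correlator (static binary, no CGO — distro-independent)
# ---------------------------------------------------------------------------
# NOTE(review): golang:1.24 is a mutable tag. For reproducible builds, pin it
# by digest, e.g. golang:1.24@sha256:<digest-placeholder>.
FROM golang:1.24 AS go-builder
WORKDIR /src
COPY go.work go.work.sum* ./
COPY shared/go/ja4common/ shared/go/ja4common/
COPY services/correlator/ services/correlator/
# services/sentinel/ is copied although only correlator is built in this stage;
# presumably go.work lists it as a workspace module — confirm.
COPY services/sentinel/ services/sentinel/
# WORKDIR replaces the original `cd`; it only affects this builder stage, from
# which nothing but /out/correlator is copied.
WORKDIR /src/services/correlator
RUN CGO_ENABLED=0 go build -ldflags="-s -w" -o /out/correlator ./cmd/logcorrelator

# ---------------------------------------------------------------------------
# Stage 2: Rocky Linux 9 — build sentinel + mod-reqin-log, then run everything
# ---------------------------------------------------------------------------
# NOTE(review): rockylinux:9 is also a mutable tag; the same digest-pinning
# advice applies (rockylinux:9@sha256:<digest-placeholder>).
FROM rockylinux:9

# Install build deps + runtime deps.
# - openssl is listed explicitly because the certificate step further down
#   calls the `openssl` CLI; it should not depend on the base image or a
#   transitive dependency happening to provide it.
# - gcc, make, golang and the -devel packages remain in the final image after
#   the builds, which enlarges its attack surface.
# - NOTE(review): the distro `golang` may differ from the golang:1.24 used in
#   stage 1; confirm it satisfies the Go version required by go.work.
RUN dnf install -y --allowerasing \
        httpd httpd-devel mod_ssl \
        apr-devel apr-util-devel \
        gcc make redhat-rpm-config \
        libpcap \
        golang \
        openssl \
        procps-ng curl \
    && dnf install -y --enablerepo=crb libpcap-devel \
    && dnf clean all

# -- Build sentinel on Rocky (CGO + libpcap from Rocky repos) ---------------
# The workspace files and both service trees are staged under
# /tmp/sentinel-build for the build step that follows.
COPY go.work go.work.sum* /tmp/sentinel-build/
COPY shared/go/ja4common/ /tmp/sentinel-build/shared/go/ja4common/
COPY services/sentinel/ /tmp/sentinel-build/services/sentinel/
COPY services/correlator/ /tmp/sentinel-build/services/correlator/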
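# Compile sentinel with CGO enabled, then remove the build tree, GOPATH and the
# Go build cache in the same layer so they do not persist in it.
# /root/.cache/go-build is the default cache location when HOME is /root.
# The sources staged by the preceding COPY instructions still exist in those
# earlier layers; the rm only hides them from the final filesystem view.
RUN cd /tmp/sentinel-build/services/sentinel && \
    CGO_ENABLED=1 go build -ldflags="-s -w" -o /usr/local/bin/sentinel ./cmd/ja4sentinel && \
    rm -rf /tmp/sentinel-build /root/go /root/.cache/go-build

# -- Build mod-reqin-log from source -----------------------------------------
COPY services/mod-reqin-log/src/ /tmp/mod-reqin-log/src/
COPY services/mod-reqin-log/Makefile /tmp/mod-reqin-log/Makefile
# The module may land in modules/ or build/.libs/ depending on the Makefile.
# An explicit test replaces the original `a && b || c && d` chain, in which a
# failing `make all` fell through to the second cp and surfaced as a confusing
# "no such file" error instead of the real build failure.
RUN set -eu; \
    cd /tmp/mod-reqin-log; \
    make all; \
    if [ -f modules/mod_reqin_log.so ]; then \
        cp modules/mod_reqin_log.so /usr/lib64/httpd/modules/; \
    else \
        cp build/.libs/mod_reqin_log.so /usr/lib64/httpd/modules/; \
    fi; \
    rm -rf /tmp/mod-reqin-log

# -- Copy correlator from builder (static binary, no deps) -------------------
COPY --from=go-builder /out/correlator /usr/local/bin/correlator

# -- Create runtime directories ----------------------------------------------
RUN mkdir -p \
        /var/run/logcorrelator \
        /var/log/logcorrelator \
        /var/log/ja4sentinel \
        /etc/logcorrelator \
        /etc/ja4sentinel

# -- Correlator config -------------------------------------------------------
COPY tests/integration/platform/correlator.yml /etc/logcorrelator/correlator.yml

# -- Sentinel config ----------------------------------------------------------
COPY tests/integration/platform/sentinel.yml /etc/ja4sentinel/config.yml

# -- Apache config (HTTPS + mod-reqin-log) ------------------------------------
COPY tests/integration/platform/httpd-integration.conf /etc/httpd/conf.d/integration.conf

# -- Generate self-signed TLS certificate -------------------------------------
# Test-only credential: -nodes writes the private key unencrypted and the key
# is stored in an image layer, so anyone who can pull the image can read it.
# The certificate is valid for 365 days from the build, so an image older than
# that serves an expired certificate.
RUN openssl req -x509 -nodes -days 365 \
        -subj "/CN=platform.test" \
        -newkey rsa:2048 \
        -keyout /etc/pki/tls/private/localhost.key \
        -out /etc/pki/tls/certs/localhost.crt

# -- Simple health endpoint for Apache ---------------------------------------
RUN mkdir -p /var/www/html && \
    printf '%s\n' '{"status":"ok"}' > /var/www/html/health

# -- Entrypoint (manages all processes) --------------------------------------
# NOTE(review): no USER instruction is set, so the entrypoint starts as root
# unless entrypoint.sh (not visible here) drops privileges — confirm.
COPY tests/integration/platform/entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

# EXPOSE is documentation only; ports still have to be published at run time.
EXPOSE 80 443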
# Default command: run /entrypoint.sh, the script copied into the image earlier
# in this stage. Exec (JSON array) form is used, so no shell wraps the process.
CMD ["/entrypoint.sh"]