
Switch Apache Debian image to Docker hardened image (dhi.io/httpd)#420

Draft: Copilot wants to merge 5 commits into main from copilot/switch-apache-debian-to-hardened-image

Conversation

Contributor

Copilot AI commented Apr 27, 2026

  • Update docker-bake.hcl: change the Apache Debian variant's runtime image to dhi.io/httpd:${httpd-version}, add build_image = httpd:${httpd-version} for build stages, add build_image to alpine entry too (same as image), propagate build_image context in the target; sync version bumps from main (modsec2 2.9.13, modsec3 3.0.15, CRS 4.26.0, nginx 1.30.0, httpd 2.4.67); restore v4-lts-crs-version variable that was accidentally merged into major-crs-version
  • Update apache/Dockerfile:
    • Replace FROM image AS build/crs_release with FROM build_image
    • Add FROM build_image AS runtime_deps stage that installs runtime packages and collects them into /staging/ via dpkg -L
    • Replace apt-get install block in final stage with COPY --from=runtime_deps /staging/ /
    • Remove RUN useradd --system httpd; change httpd → www-data for chown and USER
    • Remove gnupg from runtime
    • Use USER 0 (numeric root UID) before the privileged setup RUN — hardened image has no named root user in /etc/passwd
    • Switch from wget + tar to git clone --recursive for ModSecurity v2 (needed for libinjection submodule)
  • Update .github/workflows/publish.yml: add docker/login-action step to authenticate to dhi.io registry
  • Update .github/workflows/verifyimage.yml: add docker/login-action step; update GO_FTW_VERSION to 2.1.0 (sync from main)
  • Update README.md: note Apache Debian uses Docker hardened base image; sync version numbers from main

Copilot AI linked an issue Apr 27, 2026 that may be closed by this pull request
Copilot AI changed the title from "[WIP] Update Apache Debian image to use hardened version" to "Switch Apache Debian image to Docker hardened image (dhi.io/httpd)" Apr 27, 2026
Copilot AI requested a review from fzipi April 27, 2026 23:04
Member

fzipi commented Apr 28, 2026

@copilot fix the ci


coderabbitai Bot commented Apr 28, 2026

Important: Review skipped. Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 7d971755-fe19-4794-a528-9c9ee0362429

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

Contributor Author

Copilot AI commented Apr 28, 2026

@copilot fix the ci

Fixed in d2ee167. The hardened dhi.io/httpd image defaults to running as www-data, so the mkdir/sed/chown setup step was failing with "Permission denied". Added USER root before that RUN block (matching the pattern used in the nginx Dockerfile), then USER www-data is restored at the end.

Member

fzipi commented May 10, 2026

@copilot rebase and fix conflicts. CI is still failing also.

Contributor Author

Copilot AI commented May 10, 2026

@copilot rebase and fix conflicts. CI is still failing also.

Fixed in 48faaf5 and d4e6e76. The remaining CI failures were:

  1. USER root → USER 0 — the hardened dhi.io/httpd image has no named root user in /etc/passwd; using the numeric UID 0 works correctly.
  2. Version sync from main — updated modsec2 (2.9.12→2.9.13), modsec3 (3.0.14→3.0.15), CRS (4.25.0→4.26.0), nginx (1.28.2→1.30.0), httpd (2.4.66→2.4.67) and restored the missing v4-lts-crs-version variable.
  3. go-ftw version — updated GO_FTW_VERSION from 1.3.0 to 2.1.0 in verifyimage.yml (sync from main).
  4. ModSecurity v2 download — switched from wget+tar to git clone --recursive (needed for the libinjection submodule, also landed on main in the interim).

The branch is now forward of the remote without a rebase, so no force-push was needed.
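The stage layout described in the PR description and in the May 10 fix above (a runtime_deps stage collecting package files with dpkg -L, COPY --from into the hardened base, USER 0 for the privileged setup step), written out as an added sketch that is not the repository's Dockerfile. Image tags, the package list and the paths are assumptions, and the ModSecurity build stage is left out so the file stays focused on the hardened runtime.

```dockerfile
# syntax=docker/dockerfile:1
# Added sketch of the stage layout described in this PR, not the project's own
# Dockerfile. Tags, package names and paths are assumptions; the ModSecurity
# build stage is omitted so the file stays focused on the hardened runtime.

# build_image: full Debian-based httpd image, still has apt-get and dpkg.
ARG build_image=httpd:2.4.67
# image: hardened runtime from dhi.io, no package manager, runs as www-data.
ARG image=dhi.io/httpd:2.4.67

# runtime_deps: install the shared libraries the module needs at run time on the
# full image, then use dpkg -L to gather exactly the files those packages own
# under /staging/, preserving their absolute paths (regular files and symlinks;
# directories are recreated on the fly with mkdir -p).
FROM ${build_image} AS runtime_deps
ARG runtime_pkgs="libxml2 libyajl2"
RUN apt-get update \
 && apt-get install -y --no-install-recommends ${runtime_pkgs} \
 && mkdir -p /staging \
 && dpkg -L ${runtime_pkgs} | while read -r f; do \
      if [ -f "$f" ] || [ -L "$f" ]; then \
        mkdir -p "/staging$(dirname "$f")" && cp -a "$f" "/staging$f"; \
      fi; \
    done

# Final stage: the hardened base receives only the staged files. No apt-get runs
# here, so the runtime carries neither the package manager nor its metadata.
FROM ${image}
COPY --from=runtime_deps /staging/ /

# The hardened image starts as www-data and has no named root in /etc/passwd,
# so "USER root" cannot be resolved; the numeric UID 0 is used for the one-off
# filesystem setup and the unprivileged user is restored before the image ends.
USER 0
RUN mkdir -p /etc/modsecurity.d /var/log/apache2 \
 && chown -R www-data:www-data /etc/modsecurity.d /var/log/apache2
USER www-data
```

Building this requires a prior docker login to dhi.io, which is why the PR adds docker/login-action steps to both workflows.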

Copilot finished work on behalf of fzipi May 10, 2026 13:11
Development

Successfully merging this pull request may close these issues.

Switch apache debian image to hardened image

2 participants