
add alpine-fips-waf image #4897

Merged
merged 4 commits into from Jan 12, 2024

Conversation

pdabelf5
Collaborator

@pdabelf5 pdabelf5 commented Jan 10, 2024

Proposed changes

Add FIPS enabled Alpine 3.17 image with NAP WAF installed.
Add FIPS enabled Alpine 3.19 image.

Testing

  • Install a FIPS-capable OS (RHEL 9 in this case)
  • Enable FIPS compliance on the host OS
cat /proc/sys/crypto/fips_enabled # should be 0
sudo fips-mode-setup --enable
sudo reboot
# Upon reboot
cat /proc/sys/crypto/fips_enabled # should be 1
  • The Red Hat OS has FIPS-compliant packages installed already (openssl in this case)
  • Install Podman to run container images (podman can be replaced with docker on supported systems)
sudo dnf install podman
  • Ensure the FIPS image is available to podman, either using podman pull <image> or podman load -i <path_to_image_tgz>
  • Run an interactive shell on the FIPS-enabled image
podman run -it --entrypoint "" -p 8443:443 <image> /bin/sh
  • Generate TLS certificates for NGINX
mkdir /etc/nginx/ssl
openssl req -newkey rsa:2048 -nodes -keyout /etc/nginx/ssl/test.key -x509 -days 365 -out /etc/nginx/ssl/test.crt
  • Configure NGINX with a TLS-enabled server block
cat > /etc/nginx/conf.d/default.conf << EOF
server {
    listen 443 ssl;

    ssl_certificate     /etc/nginx/ssl/test.crt;
    ssl_certificate_key /etc/nginx/ssl/test.key;

    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}
EOF
  • Ensure NGINX can write the PID file
sed -i 's#/var/run/nginx.pid#/var/log/nginx/nginx.pid#' /etc/nginx/nginx.conf
  • Run NGINX
nginx
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
  • On another terminal with access to the exposed container, run the following (should succeed, choosing a strong cipher)
(echo "GET /" ; sleep 1) | openssl s_client -connect localhost:8443
  • On another terminal with access to the exposed container, run the following (should fail, due to a weak cipher)
(echo "GET /" ; sleep 1) | openssl s_client -connect localhost:8443 -cipher CAMELLIA256-SHA

If the same steps are taken on a host without FIPS enabled, the check with the weak cipher would succeed too.

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork
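The manual verification in the PR description (check the host's FIPS flag, then confirm the container's NGINX negotiates a default cipher but refuses a non-FIPS one) can be turned into a repeatable check. The script below is an added example, not code from the PR or the kubernetes-ingress project. It assumes the probe target localhost:8443 from the PR's test steps, and it decides success or failure by parsing `openssl s_client` output for its "Cipher is ..." summary line; the sample output strings used in the usage notes are constructed.

```shell
#!/bin/sh
# Added example (not part of the PR): reusable checks for the FIPS handshake test.
# Assumptions: target host:port (localhost:8443) and the CAMELLIA256-SHA weak
# cipher come from the PR description; everything else is illustrative.

# Return 0 when the kernel reports FIPS mode as enabled.
# Reads /proc/sys/crypto/fips_enabled by default; the path can be overridden
# (used by the tests with a constructed file).
host_fips_enabled() {
    fips_file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$fips_file" ] && [ "$(cat "$fips_file")" = "1" ]
}

# Classify captured `openssl s_client` output read from stdin.
# Prints "ok" when a cipher was negotiated ("New, TLSv1.3, Cipher is ..."),
# "rejected" when the handshake failed (OpenSSL prints "Cipher is (NONE)"
# and usually an alert), and "unknown" for anything else.
classify_handshake() {
    out="$(cat)"
    if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -qi 'handshake failure'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -q 'Cipher is '; then
        echo ok
    else
        echo unknown
    fi
}

# Run one handshake attempt against a live server (needs the container from
# the PR's test steps running). $1 = host:port, $2 = optional -cipher string.
probe_cipher() {
    target="$1"
    cipher="$2"
    if [ -n "$cipher" ]; then
        (echo "GET /"; sleep 1) | openssl s_client -connect "$target" -cipher "$cipher" 2>&1 | classify_handshake
    else
        (echo "GET /"; sleep 1) | openssl s_client -connect "$target" 2>&1 | classify_handshake
    fi
}

# The behaviour the PR expects on a FIPS host: $1 (default probe) must be "ok"
# and $2 (weak-cipher probe) must be "rejected". Returns 0 only in that case.
expected_fips_behaviour() {
    [ "$1" = "ok" ] && [ "$2" = "rejected" ]
}

# Stand-alone run: ./fips_check.sh --run
if [ "${1:-}" = "--run" ]; then
    host_fips_enabled || echo "warning: host FIPS mode is not enabled; the weak cipher may be accepted"
    strong="$(probe_cipher localhost:8443)"
    weak="$(probe_cipher localhost:8443 CAMELLIA256-SHA)"
    if expected_fips_behaviour "$strong" "$weak"; then
        echo "PASS: default=$strong weak=$weak"
    else
        echo "FAIL: default=$strong weak=$weak"
        exit 1
    fi
fi
```

Without a FIPS host, as the PR description notes, the weak-cipher probe also returns "ok", so `expected_fips_behaviour` fails and the script exits non-zero; the preceding warning from `host_fips_enabled` explains why.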

@pdabelf5 pdabelf5 marked this pull request as ready for review January 10, 2024 15:58
@pdabelf5 pdabelf5 requested a review from a team as a code owner January 10, 2024 15:58
@pdabelf5 pdabelf5 added the chore Pull requests for routine tasks label Jan 11, 2024
@pdabelf5 pdabelf5 self-assigned this Jan 11, 2024
@pdabelf5 pdabelf5 linked an issue Jan 11, 2024 that may be closed by this pull request
@github-actions github-actions bot removed the chore Pull requests for routine tasks label Jan 11, 2024
@pdabelf5 pdabelf5 merged commit 8ec1be2 into main Jan 12, 2024
76 checks passed
@pdabelf5 pdabelf5 deleted the alpine-fips-3-17 branch January 12, 2024 14:13
Development

Successfully merging this pull request may close these issues.

Investigate use of Alpine base image for NIC FIPS + NAP WAF
3 participants