Package: libnginx-mod-http-modsecurity Version: 1.0.3-2+b2 I was testing out a simple install of ModSecurity with NGINX in a Debian 13 container (Docker debian:13). After installing `libnginx-mod-http-modsecurity`, I removed the default /etc/nginx/sites-enabled/default file and added the /etc/nginx/sites-enabled/default-modsecurity.conf file, uncommenting the `modsecurity on;` and `modsecurity_rules_file /etc/nginx/modsecurity_includes.conf;` directives. Then I editted the /etc/nginx/modsecurity_includes.conf file by uncommenting the `include /usr/share/modsecurity-crs/owasp-crs.load` directive. Then, starting nginx gets this error:
2026/02/14 22:50:24 [emerg] 3594#3594: "modsecurity_rules_file" directive Rules error. File: /usr/share/modsecurity-crs/owasp-crs.load. Line: 6. Column: 81. Invalid input: IncludeOptional /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf in /etc/nginx/sites-enabled/default-modsecurity.conf:51 It is simple enough to fix by changing `IncludeOptional` in /usr/share/modsecurity-crs/owasp-crs.load to just `Include`. I understand that file belongs to the `modsecurity-crs` but I believe that is shared between the Nginx and Apache configurations so I wasn't sure which page to package to file the bug with. I'm not sure if it makes sense to update that file in the `modsecurity-crs` package to just use include since that would work for both webservers, or if this package should provide a separate file that works out of the box with the Nginx configuration. Best Regards, Robert Gingras [email protected]
