Hi Christian,

Thanks for your response.

What is your advice? Let mod_random be proposed as another module that lives in parallel with mod_unique_id (my preference)? Or move my code into mod_unique_id?

Kind Regards

On Sun, Nov 2, 2025 at 17:24, Christian Folini via dev <[email protected]> wrote:

> On Sun, Nov 02, 2025 at 12:53:52PM +0100, Pierre Pilou wrote:
> > mod_unique_id provides a unique but deterministic variable based on a
> > timestamp and a counter. The counter requires a lock via apr_atomic_inc32
> > to guarantee the correlation between requests (and could be a performance
> > issue). I thought this module was mainly used for correlation in a logging
> > system rather than for use in a security system.
>
> I'm sure that's the main use. But entropy is very hard to come by within
> the Apache config / ModSecurity rule language. And this is what we came up
> with.
>
> For those interested, here are the rules in question:
>
> https://github.com/coreruleset/coreruleset/blob/main/rules/REQUEST-901-INITIALIZATION.conf#L400
>
> If we could get that out of a mod_unique_id environment variable, it would
> be much easier.
>
> Best,
>
> Christian
>
> --
> It's really hard to innovate if you're afraid to open your mouth.
> -- Greg Lukianoff
