Hey Pierre, I'm not an Apache developer, so my proposals don't matter.
Yet from an operational standpoint, it is far easier to use a new functionality in an existing module (that is already a prerequisite for ModSecurity in this particular case), then convincing your users to add a new module. Best, Christian On Sun, Nov 02, 2025 at 05:42:16PM +0100, Pierre Pilou wrote: > Hi Christian, > Thanks for your response > What is your advice? Let mod_random be proposed as another module that > lives in parallele of mod_unique_id (my preference) ? Or move my code into > mod_unique_id? > > Kind Regards > > Le dim. 2 nov. 2025 à 17:24, Christian Folini via dev <[email protected]> > a écrit : > > > On Sun, Nov 02, 2025 at 12:53:52PM +0100, Pierre Pilou wrote: > > > mod_unique_id provides a unique but deterministic variable based on a > > > timestamp and a counter. The counter requires a lock via apr_atomic_inc32 > > > to guarantee the correlation between requests (and could be a performance > > > issue). I thought this module was mainly used for correlation in a > > logging > > > system rather than for use in a security system. > > > > I'm sure that's the main use. But entropy is very hard to come by within > > the Apache config / ModSecurity rule language. And this is what we came up > > with. > > > > For those interested, here is the rules in question: > > > > > > https://github.com/coreruleset/coreruleset/blob/main/rules/REQUEST-901-INITIALIZATION.conf#L400 > > > > If we could get that out of a mod_unique_id environment variable, it would > > be much easier. > > > > Best, > > > > Christian > > > > > > -- > > It's really hard to innovate if you're afraid to open your mouth. > > -- Greg Lukianoff > >
