Bug#1068797: modsecurity-crs: IncludeOptional in file owasp-crs.load is incompatible with nginx
Thank you Ervin, I was wondering about the possibility of a trigger that would change the IncludeOptional to Include if the debian machine is running nginx. Best regards, Salil On Mon, 15 Apr 2024 at 22:18, Ervin Hegedüs wrote: > Hi Salil, > > Thanks for reporting. > > Unfortunately this is a known bug of libmodsecurity3 + Nginx: this > installation does not support the `IncludeOptional` directive. > > The workaround is that you change it manually. > > Note, that CRS team suggest (since CRS 4) to use the `Include` form in all > cases - see documentation: > > https://coreruleset.org/docs/deployment/extended_install/#includes-for-nginx > > > Regards, > > a. > > > On Thu, Apr 11, 2024 at 11:27 AM Salil Sayed wrote: > >> Package: modsecurity-crs >> Version: 3.3.4-1 >> Severity: important >> Tags: newcomer >> X-Debbugs-Cc: salilsa...@gmail.com >> >> Dear Maintainer, >> >> I configured modsecurity for nginx using the available packages in the >> bookworm >> repository; namely, libmodsecurity3 and libnginx-mod-http-modsecurity. It >> worked like charm except with this package modsecuirty-crs. The two >> IncludeOptional directives in the file owasp-crs.load had to be changed to >> Include since nginx does not support IncludeOptional. This simply worked >> but by >> editing a file that the user is not supposed to edit and is likely to be >> overwritten on update. >> >> I believe there may be a way to make the whole modsecurity implementation >> to >> work out of the box for nginx as well by simply changing these two >> IncludeOptional directives to Include. Both of them include files that are >> already provided by the package hence IncludeOptional is redundant. >> >> Thanks, >> Salil >> >> >> >> -- System Information: >> Debian Release: 12.5 >> APT prefers stable-updates >> APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, >> 'stable'), (100, 'bookworm-fasttrack'), (100, 'bookworm-backports-staging') >> Architecture: amd64 (x86_64) >> >> Kernel: Linux 6.1.0-17-amd64 (SMP w/8 CPU threads; PREEMPT) >> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, >> TAINT_UNSIGNED_MODULE >> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE >> not set >> Shell: /bin/sh linked to /usr/bin/dash >> Init: systemd (via /run/systemd/system) >> LSM: AppArmor: enabled >> >> modsecurity-crs depends on no packages. >> >> modsecurity-crs recommends no packages. >> >> Versions of packages modsecurity-crs suggests: >> pn geoip-database-contrib >> pn libapache2-mod-security2 >> pn lua >> pn python >> pn ruby >> >
Bug#1068797: modsecurity-crs: IncludeOptional in file owasp-crs.load is incompatible with nginx
Hi Salil, Thanks for reporting. Unfortunately this is a known bug of libmodsecurity3 + Nginx: this installation does not support the `IncludeOptional` directive. The workaround is that you change it manually. Note, that CRS team suggest (since CRS 4) to use the `Include` form in all cases - see documentation: https://coreruleset.org/docs/deployment/extended_install/#includes-for-nginx Regards, a. On Thu, Apr 11, 2024 at 11:27 AM Salil Sayed wrote: > Package: modsecurity-crs > Version: 3.3.4-1 > Severity: important > Tags: newcomer > X-Debbugs-Cc: salilsa...@gmail.com > > Dear Maintainer, > > I configured modsecurity for nginx using the available packages in the > bookworm > repository; namely, libmodsecurity3 and libnginx-mod-http-modsecurity. It > worked like charm except with this package modsecuirty-crs. The two > IncludeOptional directives in the file owasp-crs.load had to be changed to > Include since nginx does not support IncludeOptional. This simply worked > but by > editing a file that the user is not supposed to edit and is likely to be > overwritten on update. > > I believe there may be a way to make the whole modsecurity implementation > to > work out of the box for nginx as well by simply changing these two > IncludeOptional directives to Include. Both of them include files that are > already provided by the package hence IncludeOptional is redundant. > > Thanks, > Salil > > > > -- System Information: > Debian Release: 12.5 > APT prefers stable-updates > APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, > 'stable'), (100, 'bookworm-fasttrack'), (100, 'bookworm-backports-staging') > Architecture: amd64 (x86_64) > > Kernel: Linux 6.1.0-17-amd64 (SMP w/8 CPU threads; PREEMPT) > Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, > TAINT_UNSIGNED_MODULE > Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE > not set > Shell: /bin/sh linked to /usr/bin/dash > Init: systemd (via /run/systemd/system) > LSM: AppArmor: enabled > > modsecurity-crs depends on no packages. > > modsecurity-crs recommends no packages. > > Versions of packages modsecurity-crs suggests: > pn geoip-database-contrib > pn libapache2-mod-security2 > pn lua > pn python > pn ruby >
Bug#1068797: modsecurity-crs: IncludeOptional in file owasp-crs.load is incompatible with nginx
Package: modsecurity-crs Version: 3.3.4-1 Severity: important Tags: newcomer X-Debbugs-Cc: salilsa...@gmail.com Dear Maintainer, I configured modsecurity for nginx using the available packages in the bookworm repository; namely, libmodsecurity3 and libnginx-mod-http-modsecurity. It worked like charm except with this package modsecuirty-crs. The two IncludeOptional directives in the file owasp-crs.load had to be changed to Include since nginx does not support IncludeOptional. This simply worked but by editing a file that the user is not supposed to edit and is likely to be overwritten on update. I believe there may be a way to make the whole modsecurity implementation to work out of the box for nginx as well by simply changing these two IncludeOptional directives to Include. Both of them include files that are already provided by the package hence IncludeOptional is redundant. Thanks, Salil -- System Information: Debian Release: 12.5 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (100, 'bookworm-fasttrack'), (100, 'bookworm-backports-staging') Architecture: amd64 (x86_64) Kernel: Linux 6.1.0-17-amd64 (SMP w/8 CPU threads; PREEMPT) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled modsecurity-crs depends on no packages. modsecurity-crs recommends no packages. Versions of packages modsecurity-crs suggests: pn geoip-database-contrib pn libapache2-mod-security2 pn lua pn python pn ruby