Hi Salil,

Thanks for reporting.

Unfortunately this is a known bug of libmodsecurity3 + Nginx: this installation does not support the `IncludeOptional` directive. The workaround is that you change it manually.

Note that the CRS team suggests (since CRS 4) using the `Include` form in all cases - see documentation: https://coreruleset.org/docs/deployment/extended_install/#includes-for-nginx

Regards,

a.

On Thu, Apr 11, 2024 at 11:27 AM Salil Sayed <salilsa...@gmail.com> wrote:

> Package: modsecurity-crs
> Version: 3.3.4-1
> Severity: important
> Tags: newcomer
> X-Debbugs-Cc: salilsa...@gmail.com
>
> Dear Maintainer,
>
> I configured modsecurity for nginx using the available packages in the bookworm repository; namely, libmodsecurity3 and libnginx-mod-http-modsecurity. It worked like a charm except with this package modsecurity-crs. The two IncludeOptional directives in the file owasp-crs.load had to be changed to Include since nginx does not support IncludeOptional. This simply worked but by editing a file that the user is not supposed to edit and is likely to be overwritten on update.
>
> I believe there may be a way to make the whole modsecurity implementation to work out of the box for nginx as well by simply changing these two IncludeOptional directives to Include. Both of them include files that are already provided by the package hence IncludeOptional is redundant.
>
> Thanks,
> Salil
>
> -- System Information:
> Debian Release: 12.5
> APT prefers stable-updates
> APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (100, 'bookworm-fasttrack'), (100, 'bookworm-backports-staging')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 6.1.0-17-amd64 (SMP w/8 CPU threads; PREEMPT)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> modsecurity-crs depends on no packages.
>
> modsecurity-crs recommends no packages.
>
> Versions of packages modsecurity-crs suggests:
> pn geoip-database-contrib <none>
> pn libapache2-mod-security2 <none>
> pn lua <none>
> pn python <none>
> pn ruby <none>
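
The manual workaround discussed in this thread can be scripted so that the packaged file is never edited in place. The following is an added example, not part of the thread or of the Debian package: the hypothetical `convert_includes` function writes a copy with `IncludeOptional` rewritten to `Include` and flags any target that does not exist, because unlike the optional form a plain `Include` does not tolerate a missing file. Source and destination paths are arguments supplied by the caller, not paths taken from the package.

```shell
#!/bin/sh
# Added example (hypothetical helper, not shipped by modsecurity-crs).
#
# convert_includes SRC DST
#   Writes DST as a copy of SRC in which every "IncludeOptional <target>"
#   line becomes "Include <target>". SRC itself is left untouched.
#   A relative target is checked from the current directory.
#   Returns 0 if every rewritten target exists,
#           1 if at least one rewritten target is missing,
#           2 on unreadable SRC or unwritable DST.
convert_includes() {
    src=$1; dst=$2
    [ -r "$src" ] && [ -n "$dst" ] || return 2
    : > "$dst" || return 2
    missing=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Split the line into words without expanding globs yet:
        # word 1 is the directive name, word 2 the include target.
        set -f
        set -- $line
        set +f
        if [ "${1:-}" = "IncludeOptional" ] && [ $# -ge 2 ]; then
            target=$(printf '%s' "$2" | tr -d "\"'")   # drop optional quotes
            set -- $target                             # expand a glob target
            if [ ! -e "$1" ]; then
                echo "missing include target: $target" >&2
                missing=1
            fi
            line="Include $target"
        fi
        printf '%s\n' "$line" >> "$dst"
    done < "$src"
    return "$missing"
}

# Constructed usage (paths are placeholders chosen by the administrator):
#   convert_includes /path/to/owasp-crs.load /path/to/local-crs.load \
#       && echo "safe to reference local-crs.load from the nginx ModSecurity config"
```

A non-zero return means the generated copy should not be deployed until the reported target exists or the line is removed.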