Thank you Ervin,

I was wondering about the possibility of a trigger that would change the
IncludeOptional to Include if the Debian machine is running nginx.

Best regards,

Salil

On Mon, 15 Apr 2024 at 22:18, Ervin Hegedüs <airw...@gmail.com> wrote:

> Hi Salil,
>
> Thanks for reporting.
>
> Unfortunately this is a known bug of libmodsecurity3 + Nginx: this
> installation does not support the `IncludeOptional` directive.
>
> The workaround is that you change it manually.
>
> Note that the CRS team suggests (since CRS 4) using the `Include` form in
> all cases - see documentation:
>
> https://coreruleset.org/docs/deployment/extended_install/#includes-for-nginx
>
>
> Regards,
>
> a.
>
>
> On Thu, Apr 11, 2024 at 11:27 AM Salil Sayed <salilsa...@gmail.com> wrote:
>
>> Package: modsecurity-crs
>> Version: 3.3.4-1
>> Severity: important
>> Tags: newcomer
>> X-Debbugs-Cc: salilsa...@gmail.com
>>
>> Dear Maintainer,
>>
>> I configured modsecurity for nginx using the available packages in the
>> bookworm repository; namely, libmodsecurity3 and
>> libnginx-mod-http-modsecurity. It worked like a charm except with this
>> package modsecurity-crs. The two IncludeOptional directives in the file
>> owasp-crs.load had to be changed to Include since nginx does not support
>> IncludeOptional. This simply worked but by editing a file that the user is
>> not supposed to edit and is likely to be overwritten on update.
>>
>> I believe there may be a way to make the whole modsecurity implementation
>> work out of the box for nginx as well by simply changing these two
>> IncludeOptional directives to Include. Both of them include files that are
>> already provided by the package hence IncludeOptional is redundant.
>>
>> Thanks,
>> Salil
>>
>>
>>
>> -- System Information:
>> Debian Release: 12.5
>>   APT prefers stable-updates
>>   APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
>> 'stable'), (100, 'bookworm-fasttrack'), (100, 'bookworm-backports-staging')
>> Architecture: amd64 (x86_64)
>>
>> Kernel: Linux 6.1.0-17-amd64 (SMP w/8 CPU threads; PREEMPT)
>> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
>> TAINT_UNSIGNED_MODULE
>> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE
>> not set
>> Shell: /bin/sh linked to /usr/bin/dash
>> Init: systemd (via /run/systemd/system)
>> LSM: AppArmor: enabled
>>
>> modsecurity-crs depends on no packages.
>>
>> modsecurity-crs recommends no packages.
>>
>> Versions of packages modsecurity-crs suggests:
>> pn  geoip-database-contrib    <none>
>> pn  libapache2-mod-security2  <none>
>> pn  lua                       <none>
>> pn  python                    <none>
>> pn  ruby                      <none>
>>
>
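
One way to script the manual workaround discussed in this thread, as an added example that is not part of the thread or of the Debian package: it writes a copy of a load file with `IncludeOptional` rewritten to `Include`, but only where the referenced file actually exists. The function name `to_nginx_includes` and all file names are hypothetical, and it assumes each directive takes a single unquoted path.

```shell
#!/bin/sh
# Added example (not from the thread or the Debian package).
# Copies a ModSecurity load file, rewriting "IncludeOptional <path>" to
# "Include <path>" only when <path> resolves to at least one existing file.

# to_nginx_includes SRC DST -> 0 all converted, 1 target missing, 2 I/O error
to_nginx_includes() {
    src=$1; dst=$2; rc=0
    [ -r "$src" ] || return 2
    : > "$dst" || return 2
    while IFS= read -r line || [ -n "$line" ]; do
        set -f              # split the line into words without globbing
        set -- $line
        set +f
        if [ "${1:-}" = "IncludeOptional" ] && [ -n "${2:-}" ]; then
            found=0
            for f in $2; do # unquoted on purpose so wildcards expand
                if [ -f "$f" ]; then found=1; fi
            done
            if [ "$found" -eq 1 ]; then
                printf 'Include %s\n' "$2" >> "$dst"
            else
                # Leave the line alone and report it: a rule file that is
                # absent should be noticed, not silently skipped.
                printf 'not converted, target missing: %s\n' "$2" >&2
                printf '%s\n' "$line" >> "$dst"
                rc=1
            fi
        else
            printf '%s\n' "$line" >> "$dst"
        fi
    done < "$src"
    return "$rc"
}

# Constructed sample: the paths and file names below are made up for the demo.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/rules"
echo '# constructed setup file' > "$demo_dir/setup.conf"
echo '# constructed rule file' > "$demo_dir/rules/sample.conf"
cat > "$demo_dir/sample.load" <<EOF
# constructed load file
IncludeOptional $demo_dir/setup.conf
IncludeOptional $demo_dir/rules/*.conf
EOF
to_nginx_includes "$demo_dir/sample.load" "$demo_dir/nginx.load" \
    || echo "some includes were left as IncludeOptional"
cat "$demo_dir/nginx.load"
```

Because the result is written to a separate file, the packaged load file stays untouched and the copy can be regenerated after an update.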
