On Fri, Jul 04, 2025 at 09:42:51PM +0000, Lloyd wrote: > Hi Ervin, please bear with me as it has been quite some time since I > set up modsecurity on this box and am not an expert.
apologize if it seemed like I wasn't patient. I think I can say usually I am :) > I have attempted to reconstruct the events during the upgrade. > > My understanding is the "IncludeOptional" in the default owasp-crs.load > is not compatible with nginx. yes, exactly. Just one small correction: it's not an Nginx directive in this case, but a rule set directive. That's the libary's task, not the engine's (Nginx) task. > It's likely that I removed this reference > ages ago to get things working. However, with the file now having been > overwritten, it's impossible to know for sure. You're right, this is a bit weird situation. The "explanation" is simple: modsecurity-crs was made for Apache (for libapache2-mod-security), and the whole SecLang syntax was build on top of Apache configuration syntax. The library (libmodsecurity3) must have to understand this syntax, and there are some missing keywords - like "IncludeOptional". > During the upgrade from bookworm -> trixie, modsecurity-crs package was > updated from version 3.3.4 to 3.3.7: > > Preparing to unpack .../132-modsecurity-crs_3.3.7-1_all.deb ... > Unpacking modsecurity-crs (3.3.7-1) over (3.3.4-1) ... yes, this was my feeling. > During the upgrade I received a prompt due to file > /etc/modsecurity/crs/crs-setup.conf being modified by me: > > Setting up modsecurity-crs (3.3.7-1) ... > Installing new version of config file > /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf ... > Installing new version of config file > /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf ... probably because those are user maintained files. > Note I received no warning that /usr/share/modsecurity-crs/owasp-crs.load > was modified! I speculate this is because the file is located in /usr that > dpkg/apt simply overwrote my changes with the new package version. > Thus reverting any removal of the IncludeOptional that may have been there. probably yes. > If this is what happened, I propose /usr/share is a poor location for > the config file and owasp-crs.load should be located in /etc so that > dpkg/apt can detect changes in the future. Otherwise it is sure to > break everytime the package is updated (if running nginx). yes. Let us figure out how can we solve this. A side note: even the CRS 3.3 is still maintained, if someone has a new instance, I recommend to use CRS4. CRS4 does not have package in Debian yet, but the (CRS) team decided that they change the versioning: we don't increase patch level, only the minor version (excpet if it's really necessary - but since the change we have never used this). So the releases are 4.0.0, 4.1.0, ... 4.16.0. Almost in every month the team releses a new version, so actually I don't know how can we handle this in Debian. Moreover, the "product's" name also changed: it's not "modsecurity-crs" anymore, but just simple CRS or CRS4. Also: if you already use CRS 3.3, then I don't suggest to switch to CRS4, except if you have strong skills to review the rules and existing exclusions. Regards, a.
