Ervin Hegedüs wrote:
> The problem is that libmodsecurity3 (the WAF library that Nginx
> uses via the libnginx-mod-http-modsecurity module) does not support
> the `IncludeOptional` directive.
>
> If someone installs the package first, this issue always comes up.
>
> Now you upgraded the system, and you upgraded the modsecurity-crs
> package too - which overrode your `Include` directive (I guess).
>
> I think we should replace the mentioned `IncludeOptional`
> directive with `Include`.
Hi Ervin, please bear with me as it has been quite some time since I
set up modsecurity on this box and am not an expert.
I have attempted to reconstruct the events during the upgrade.
My understanding is the "IncludeOptional" in the default owasp-crs.load
is not compatible with nginx. It's likely that I removed this reference
ages ago to get things working. However, with the file now having been
overwritten, it's impossible to know for sure.
During the upgrade from bookworm -> trixie, modsecurity-crs package was
updated from version 3.3.4 to 3.3.7:
Preparing to unpack .../132-modsecurity-crs_3.3.7-1_all.deb ...
Unpacking modsecurity-crs (3.3.7-1) over (3.3.4-1) ...
During the upgrade I received a prompt due to file
/etc/modsecurity/crs/crs-setup.conf being modified by me:
Setting up modsecurity-crs (3.3.7-1) ...
Installing new version of config file
/etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf ...
Installing new version of config file
/etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf ...
Configuration file '/etc/modsecurity/crs/crs-setup.conf'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** crs-setup.conf (Y/I/N/O/D/Z) [default=N] ?
Setting up libldap-common (2.6.10+dfsg-1) ...
Installing new version of config file /etc/ldap/ldap.conf ...
Note I received no warning that /usr/share/modsecurity-crs/owasp-crs.load
was modified! I speculate that because the file is located in /usr,
dpkg/apt simply overwrote my changes with the new package version,
thus reverting any removal of the IncludeOptional that may have been there.
If this is what happened, I propose /usr/share is a poor location for
the config file, and owasp-crs.load should be located in /etc so that
dpkg/apt can detect changes in the future. Otherwise it is sure to
break every time the package is updated (if running nginx).
Regards
Lloyd
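The failure mode described in this thread (an upgrade silently restoring an `IncludeOptional` line that libmodsecurity3 rejects, so the WAF no longer loads the CRS rules) can be caught before a restart. The following audit script is an added example and is not part of the bug report or of the modsecurity-crs package: it walks the `Include`/`IncludeOptional` directives in a load file, flags every `IncludeOptional` (unsupported by libmodsecurity3, as Ervin states), resolves each include glob so that a rewrite to plain `Include` does not point at a missing file, and offers the rewrite. The directory layout and the plugins line in `demo()` are constructed, and the claim that an `Include` glob with no matches causes a load failure is an assumption about libmodsecurity3 behaviour, not something the thread confirms.

```python
"""Audit a ModSecurity .load file for directives libmodsecurity3 (nginx) rejects.

Added example, not code from the bug report or from modsecurity-crs.
"""
import glob
import os
import re
import shutil
import tempfile

# Matches `Include path` or `IncludeOptional path`, with optional quotes.
INCLUDE_RE = re.compile(
    r'^\s*(Include|IncludeOptional)\s+"?([^"\s]+)"?\s*$', re.IGNORECASE
)


def audit_load_file(path):
    """Return one dict per include directive: line number, directive name,
    the path pattern as written, and the files that pattern matches."""
    base = os.path.dirname(os.path.abspath(path))
    findings = []
    with open(path) as fh:
        for n, line in enumerate(fh, 1):
            m = INCLUDE_RE.match(line)
            if not m:
                continue
            directive, pattern = m.group(1), m.group(2)
            full = pattern if os.path.isabs(pattern) else os.path.join(base, pattern)
            findings.append({
                "line": n,
                "directive": directive,
                "pattern": pattern,
                "matches": sorted(glob.glob(full)),
            })
    return findings


def problems(findings):
    """Classify findings as (line, message) pairs.

    IncludeOptional is rejected by libmodsecurity3 (per the thread); an
    Include whose glob matches nothing is assumed to fail at load time,
    so it is flagged before the directive is rewritten to plain Include."""
    out = []
    for f in findings:
        if f["directive"].lower() == "includeoptional":
            out.append((f["line"], "IncludeOptional is unsupported by libmodsecurity3; use Include"))
        if not f["matches"]:
            out.append((f["line"], f"no file matches {f['pattern']}"))
    return out


def rewrite_includes(text):
    """Replace IncludeOptional with Include, leaving the path untouched."""
    return re.sub(r"^(\s*)IncludeOptional\b", r"\1Include", text,
                  flags=re.MULTILINE | re.IGNORECASE)


def demo():
    """Build a constructed owasp-crs.load in a temp dir, audit it, clean up.

    The layout mimics the Debian one (crs-setup.conf plus a rules/ dir) but
    is constructed here; the plugins line is an assumed example of an
    Include whose glob matches nothing."""
    d = tempfile.mkdtemp()
    try:
        crs = os.path.join(d, "crs")
        os.makedirs(os.path.join(crs, "rules"))
        for name in ("crs-setup.conf", "rules/REQUEST-901-INITIALIZATION.conf"):
            open(os.path.join(crs, name), "w").close()
        load = os.path.join(d, "owasp-crs.load")
        with open(load, "w") as fh:
            fh.write(f"IncludeOptional {crs}/crs-setup.conf\n")
            fh.write(f"IncludeOptional {crs}/rules/*.conf\n")
            fh.write(f"Include {crs}/plugins/*-config.conf\n")
        findings = audit_load_file(load)
        return findings, problems(findings)
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    found, probs = demo()
    for line, msg in probs:
        print(f"line {line}: {msg}")
```

Run against the real file with `audit_load_file("/usr/share/modsecurity-crs/owasp-crs.load")` after each package upgrade; an empty `problems()` result means every directive is one libmodsecurity3 accepts and every include resolves to at least one file. Because the file lives under /usr/share rather than /etc, dpkg will not prompt about local changes to it, so a post-upgrade check like this is the only signal that the rules are still being loaded.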