#1068797 modsecurity-crs: IncludeOptional in file owasp-crs.load is incompatible with nginx
- Package: modsecurity-crs
- Source: modsecurity-crs
- Submitter: Salil Sayed
- Date: 2024-04-20 12:09:04 UTC
- Severity: normal
- Tags:

Dear Maintainer,

I configured modsecurity for nginx using the available packages in the bookworm repository; namely, libmodsecurity3 and libnginx-mod-http-modsecurity. It worked like a charm except with this package, modsecurity-crs. The two IncludeOptional directives in the file owasp-crs.load had to be changed to Include, since nginx does not support IncludeOptional. This simply worked, but by editing a file that the user is not supposed to edit and that is likely to be overwritten on update.

I believe there may be a way to make the whole modsecurity implementation work out of the box for nginx as well by simply changing these two IncludeOptional directives to Include. Both of them include files that are already provided by the package, hence IncludeOptional is redundant.

Thanks,
Salil

Hi Salil,

Thanks for reporting. Unfortunately this is a known bug of libmodsecurity3 + Nginx: this installation does not support the `IncludeOptional` directive. The workaround is that you change it manually.

Note that the CRS team suggests (since CRS 4) using the `Include` form in all cases - see documentation: https://coreruleset.org/docs/deployment/extended_install/#includes-for-nginx

Regards,
a.

Thank you Ervin,

I was wondering about the possibility of a trigger that would change the IncludeOptional to Include if the Debian machine is running nginx.

Best regards,
Salil
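
The rewrite discussed in this thread, as an added example that is not part of the bug report or of the package: a shell function that writes a converted copy of a load file, turning `IncludeOptional` into `Include` only when the target exists, so that a missing optional file does not become a hard error under nginx. The function name, the demo directory and the sample file contents are constructed for illustration; it works on a copy and does not touch the packaged owasp-crs.load.

```shell
#!/bin/sh
# convert_includes SRC DST   (hypothetical helper, not shipped by any package)
# Copy SRC to DST, turning each "IncludeOptional <path>" at the start of a
# line into "Include <path>" when <path> (a file or a glob) matches something
# on disk. A directive whose target is missing is commented out instead,
# which keeps the "optional" behaviour without the unsupported directive.
convert_includes() {
    src=$1
    dst=$2
    : > "$dst"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "IncludeOptional "*)
                target=${line#IncludeOptional }
                found=0
                # Unquoted on purpose: let the shell expand a glob target.
                for f in $target; do
                    if [ -e "$f" ]; then found=1; break; fi
                done
                if [ "$found" -eq 1 ]; then
                    printf 'Include %s\n' "$target" >> "$dst"
                else
                    printf '# missing, skipped: %s\n' "$line" >> "$dst"
                fi
                ;;
            *)
                # Every other line is copied through unchanged.
                printf '%s\n' "$line" >> "$dst"
                ;;
        esac
    done < "$src"
}

# Constructed demo: a throwaway directory stands in for the package's files.
demo() {
    d=$(mktemp -d)
    : > "$d/crs-setup.conf"
    printf '%s\n' "# constructed sample load file" \
        "IncludeOptional $d/crs-setup.conf" \
        "IncludeOptional $d/local/*.conf" > "$d/sample.load"
    convert_includes "$d/sample.load" "$d/sample.nginx.load"
    cat "$d/sample.nginx.load"
    rm -rf "$d"
}
demo
```

Pointing the nginx ModSecurity configuration at the converted copy, rather than editing the packaged file, avoids the overwrite-on-update problem raised in the report.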