Future plans? #80

Open
sorin-costea opened this issue Mar 24, 2021 · 5 comments

@sorin-costea

Now that the last functional commit is years back and the few pull requests are just hanging, does this mean the Apache v3 port has fallen out of grace? Is everybody using nginx?

@timwsuqld

I've come to the conclusion that ModSecurity-Apache isn't ready for production use. Its behaviour is different to ModSecurity 2.9.3 and it seems to not work 100% yet. I feel like #77 (comment) sums it up perfectly: it's not ready for a release, no matter how many guides on the internet seem to suggest it is. I look forward to development continuing and a stable release being made in the future; for now, I'm stuck with ModSecurity 2.9.3 if I want to use it with Apache.

@Neko-Chang-Taiwan

Yes, me too.
In fact, I am stuck with a lot of false positives on v2.9.3 and am suffering through debugging.
In 3 years, I cannot tell the status of ModSecurity v3 on Apache: ongoing, hibernating, or discontinued?
I assume it was discontinued :(
I am close to giving up on ModSecurity :(

@martinhsv
Contributor

Apologies to those in the community feeling vexed about slow/no responses in this repo's issues. (Personally, since joining the team, it simply didn't occur to me to register for notifications for this repo.)

The citation in the second posting here is accurate. ModSecurity-Apache is not considered production-ready. Much of the functionality works correctly but enough does not, so v2.9.x is still the recommended choice for use with Apache HTTP Server.

Note that just because ModSecurity v2.9.x has a lower number does not mean that it is less good than libModSecurity (aka v3).

@Neko-Chang-Taiwan : I'm not sure what problems you are experiencing with v2.9. I couldn't find any open issues in the ModSecurity issue. Keep in mind that many types of false positives have more to do with the rules you are using as opposed to what the engine is doing. If there is something the ModSecurity engine is doing that you believe is incorrect, or you believe could benefit from an enhancement, feel free to raise it on the ModSecurity repo.

buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue Dec 17, 2021
The modsecurity2 package provides an Apache module implementing
a web application firewall (WAF) module.

Based on initial work from Tom Marcuzzi <tom.marcuzzi@orolia.com>
and Nicolas Carrier <nicolas.carrier@orolia.com>

modsecurity2 will be superseded sooner or later by modsecurity v3
ie. libmodsecurity [1] and its Apache connector [2]. libmodsecurity
is already supported in Buildroot with its Nginx connector.
According to the Apache connector web page and the discussion [3],
the Apache connector is not ready for production use.

  [1] https://github.com/SpiderLabs/ModSecurity
  [2] https://github.com/SpiderLabs/ModSecurity-apache
  [3] owasp-modsecurity/ModSecurity-apache#80

The best we can do now is to still use modsecurity2 (v2.9.x) for
Apache:
  https://github.com/SpiderLabs/ModSecurity/tree/v2/master

Signed-off-by: Herve Codina <herve.codina@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
netgate-git-updates pushed a commit to pfsense/FreeBSD-ports that referenced this issue May 28, 2022
owasp-modsecurity/ModSecurity-apache@0488c77
owasp-modsecurity/ModSecurity-apache#80

NOTE:  This project is not production ready

This project should be considered under development and not production ready.  The functionality is not complete and so should not be used.  With Apache HTTP Server, the recommended version of ModSecurity is v2.9.x.

Sponsored by:	Netzkommune GmbH
@iplparm

iplparm commented Sep 13, 2023

It's been a while since the last update on this project and the note says it's not ready for production use. Do you know if there are any plans for a production release?

@martinhsv
Contributor

@iplparm ,

There are no current plans for additional work on this connector over the coming months.

The recommended version for use with Apache continues to be ModSecurity v2.9.x.
