
Bug 726614

Summary: www-servers/nginx - Use modsecurity v3 to drop dependency on Apache
Product: Gentoo Linux
Reporter: Sven Schwyn (svoop) <gentoo>
Component: Current packages
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it <maintainer-needed>
Status: RESOLVED FIXED
Severity: normal
CC: gbugs, hydrapolic, phmagic
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/26401
Whiteboard:
Package list:
Runtime testing required: ---
Attachments:
diff against current nginx ebuild
www-servers/nginx/nginx-1.21.6-r1.ebuild
www-misc/libmodsecurity/libmodsecurity-3.0.7.ebuild
www-misc/modsecurity/files/main.conf.example
www-misc/modsecurity-crs/modsecurity-crs-3.3.2.ebuild
www-servers/nginx/nginx-1.21.6-r2.ebuild

Description Sven Schwyn (svoop) 2020-06-01 07:57:57 UTC
When installing Nginx with USE flag "security", the old modsecurity is emerged which requires a full install of Apache in order to fulfill dependencies.

However, there's an Apache-independent new version dubbed modsecurity v3 available now from the same makers. This is taken from the README:

> The old version uses ModSecurity standalone, which is a wrapper for Apache
> internals to link ModSecurity to nginx. This current version is closer to
> nginx, consuming the new libmodsecurity which is no longer dependent on 
> Apache. As a result, this current version has less dependencies, fewer bugs, 
> and is faster. In addition, some new functionality is also provided - such 
> as the possibility of use of global rules configuration with per 
> directory/location customizations (e.g. SecRuleRemoveById).

https://github.com/SpiderLabs/ModSecurity-nginx

A hard switch would break existing installs, maybe better to either:

* Introduce a new USE flag such as "security_standalone" for modsecurity v3.
* Migrate the current USE flag to "security_legacy" for modsecurity <v3.


Reproducible: Always
Comment 1 Graham E 2022-07-08 13:49:44 UTC
Created attachment 790604
diff against current nginx ebuild
Comment 2 Graham E 2022-07-08 13:51:29 UTC
Hi All.

Not sure if this is still something that is wanted, but I'll attach my ebuild files for using the version 3.x of modsecurity, and the modsecurity-nginx module. I've used a flag of "libmodsecurity" rather than the old "security" flag from apache to differentiate.

I've also used www-misc/libmodsecurity as it didn't feel right leaving it in www-apache.

Hope this is useful for anyone who wants to try it.

Cheers,
Graham
Comment 3 Graham E 2022-07-08 13:52:38 UTC
Created attachment 790607
www-servers/nginx/nginx-1.21.6-r1.ebuild
Comment 4 Graham E 2022-07-08 13:53:18 UTC
Created attachment 790610
www-misc/libmodsecurity/libmodsecurity-3.0.7.ebuild
Comment 5 Graham E 2022-07-08 13:54:07 UTC
Created attachment 790613
www-misc/modsecurity/files/main.conf.example
Comment 6 Graham E 2022-07-08 13:55:17 UTC
Created attachment 790616
www-misc/modsecurity-crs/modsecurity-crs-3.3.2.ebuild
Comment 7 Graham E 2022-07-08 13:56:51 UTC
Hi All,

Let me know if I've missed any attachments that are required.

Cheers,
Graham.
Comment 8 Graham E 2022-07-11 13:13:02 UTC
Created attachment 791042
www-servers/nginx/nginx-1.21.6-r2.ebuild

Updated to new revision
Comment 9 Larry the Git Cow gentoo-dev 2022-07-19 17:21:16 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=20163dcdde0d30f1d83f3d2cd08875be1a17a06a

commit 20163dcdde0d30f1d83f3d2cd08875be1a17a06a
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-07-14 17:41:01 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2022-07-19 17:20:43 +0000

    www-servers/nginx: add modsecurity v3 support
    
    Closes: https://bugs.gentoo.org/726614
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 www-servers/nginx/Manifest               |    1 +
 www-servers/nginx/nginx-1.23.0-r1.ebuild | 1049 ++++++++++++++++++++++++++++++
 2 files changed, 1050 insertions(+)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=10414bf03e312ad3f46e5639c270aaadf3eb181c

commit 10414bf03e312ad3f46e5639c270aaadf3eb181c
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-07-14 12:38:43 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2022-07-19 17:20:42 +0000

    dev-libs/modsecurity: new package
    
    Modsecurity is a library that can be used by Nginx:
    https://github.com/SpiderLabs/ModSecurity-nginx
    
    For Apache, Modsecurity 2.x is still recommended.
    
    Bug: https://bugs.gentoo.org/726614
    Closes: https://bugs.gentoo.org/718358
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 dev-libs/modsecurity/Manifest                 |  1 +
 dev-libs/modsecurity/metadata.xml             | 35 ++++++++++++
 dev-libs/modsecurity/modsecurity-3.0.7.ebuild | 80 +++++++++++++++++++++++++++
 3 files changed, 116 insertions(+)