
Bug 726614

Summary: www-servers/nginx - Use modsecurity v3 to drop dependency on Apache
Product: Gentoo Linux Reporter: Sven Schwyn (svoop) <gentoo>
Component: Current packages Assignee: Thomas Deutschmann <whissi>
Status: UNCONFIRMED ---    
Severity: normal CC: gbugs, hydrapolic
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Sven Schwyn (svoop) 2020-06-01 07:57:57 UTC
When installing Nginx with USE flag "security", the old modsecurity is emerged which requires a full install of Apache in order to fulfill dependencies.

However, there's an Apache-independent new version dubbed modsecurity v3 available now from the same makers. This is taken from the README:

> The old version uses ModSecurity standalone, which is a wrapper for Apache
> internals to link ModSecurity to nginx. This current version is closer to
> nginx, consuming the new libmodsecurity which is no longer dependent on 
> Apache. As a result, this current version has less dependencies, fewer bugs, 
> and is faster. In addition, some new functionality is also provided - such 
> as the possibility of use of global rules configuration with per 
> directory/location customizations (e.g. SecRuleRemoveById).

https://github.com/SpiderLabs/ModSecurity-nginx

A hard switch would break existing installs, maybe better to either:

* Introduce a new USE flag such as "security_standalone" for modsecurity v3.
* Migrate the current USE flag to "security_legacy" for modsecurity <v3.


Reproducible: Always