When installing Nginx with USE flag "security", the old modsecurity is emerged which requires a full install of Apache in order to fulfill dependencies.
However, there's an Apache-independent new version dubbed modescurity v3 available now from the same makers. This is taken from the README:
> The old version uses ModSecurity standalone, which is a wrapper for Apache
> internals to link ModSecurity to nginx. This current version is closer to
> nginx, consuming the new libmodsecurity which is no longer dependent on
> Apache. As a result, this current version has less dependencies, fewer bugs,
> and is faster. In addition, some new functionality is also provided - such
> as the possibility of use of global rules configuration with per
> directory/location customizations (e.g. SecRuleRemoveById).
A hard switch would break existing installs, maybe better to either:
* Introduce a new USE flag such as "security_standalone" for modsecurity v3.
* Migrate the current USE flag to "security_legacy" for modsecurity <v3.