When installing Nginx with USE flag "security", the old modsecurity is emerged which requires a full install of Apache in order to fulfill dependencies. However, there's an Apache-independent new version dubbed modsecurity v3 available now from the same makers. This is taken from the README:

> The old version uses ModSecurity standalone, which is a wrapper for Apache
> internals to link ModSecurity to nginx. This current version is closer to
> nginx, consuming the new libmodsecurity which is no longer dependent on
> Apache. As a result, this current version has less dependencies, fewer bugs,
> and is faster. In addition, some new functionality is also provided - such
> as the possibility of use of global rules configuration with per
> directory/location customizations (e.g. SecRuleRemoveById).

https://github.com/SpiderLabs/ModSecurity-nginx

A hard switch would break existing installs, maybe better to either:

* Introduce a new USE flag such as "security_standalone" for modsecurity v3.
* Migrate the current USE flag to "security_legacy" for modsecurity <v3.

Reproducible: Always
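The README excerpt quoted above mentions that the v3 connector allows a single global rule set with per-location customisations such as SecRuleRemoveById. The following nginx configuration is an added illustration of that layout; it is not taken from the bug report, the attached ebuilds, or the ModSecurity-nginx project. The module and rules-file paths, the location names and the rule ID 942100 used in the removal are assumptions chosen for the example (942100 is only a placeholder for "some rule that false-positives on this endpoint"). The directives themselves (`modsecurity`, `modsecurity_rules_file`, `modsecurity_rules`) are the ones the ModSecurity-nginx connector provides.

```nginx
# Added example: global ModSecurity v3 rules with per-location overrides.
# Module path assumed; on a real system it is wherever the connector was installed.
load_module modules/ngx_http_modsecurity_module.so;

http {
    server {
        listen 80;
        server_name example.internal;   # constructed hostname

        # Engine is enabled once at server scope; every location below inherits
        # the same global rule set, which keeps policy in one place.
        modsecurity on;
        # Assumed path: a main.conf that sets SecRuleEngine On, SecAuditLog, and
        # includes the CRS. Auditing stays on so removed rules can be reviewed later.
        modsecurity_rules_file /etc/nginx/modsecurity/main.conf;

        location / {
            proxy_pass http://127.0.0.1:8080;
        }

        # Per-location customisation: the global rules still apply here, but a
        # single rule that produces false positives on this endpoint is removed
        # for this location only, rather than being disabled site-wide.
        location /api/search {
            modsecurity_rules '
                SecRuleRemoveById 942100
            ';
            proxy_pass http://127.0.0.1:8080;
        }

        # Health checks need no inspection; scoping the engine off here avoids
        # needing a second, Apache-style per-vhost configuration.
        location /healthz {
            modsecurity off;
            return 200 "ok";
        }
    }
}
```

The point of the layout is that the removal is scoped to one location block, so the rule keeps protecting every other path; with the older Apache-wrapper connector this kind of per-location override was not available.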
Created attachment 790604 [details] diff against current nginx ebuild
Hi All. Not sure if this is still something that is wanted, but I'll attach my ebuild files for using the version 3.x of modsecurity, and the modsecurity-nginx module. I've used a flag of "libmodsecurity" rather than the old "security" flag from apache to differentiate. I've also used www-misc/libmodsecurity as it didn't feel right leaving it in www-apache. Hope this is useful for anyone who wants to try it. Cheers, Graham
Created attachment 790607 [details] www-servers/nginx/nginx-1.21.6-r1.ebuild
Created attachment 790610 [details] www-misc/libmodsecurity/libmodsecurity-3.0.7.ebuild
Created attachment 790613 [details] www-misc/modsecurity/files/main.conf.example
Created attachment 790616 [details] www-misc/modsecurity-crs/modsecurity-crs-3.3.2.ebuild
Hi All, Let me know if I've missed any attachments that are required. Cheers, Graham.
Created attachment 791042 [details] www-servers/nginx/nginx-1.21.6-r2.ebuild

Updated to new revision
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=20163dcdde0d30f1d83f3d2cd08875be1a17a06a

commit 20163dcdde0d30f1d83f3d2cd08875be1a17a06a
Author: Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-07-14 17:41:01 +0000
Commit: Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2022-07-19 17:20:43 +0000

    www-servers/nginx: add modsecurity v3 support

    Closes: https://bugs.gentoo.org/726614
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 www-servers/nginx/Manifest               |    1 +
 www-servers/nginx/nginx-1.23.0-r1.ebuild | 1049 ++++++++++++++++++++++++++++++
 2 files changed, 1050 insertions(+)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=10414bf03e312ad3f46e5639c270aaadf3eb181c

commit 10414bf03e312ad3f46e5639c270aaadf3eb181c
Author: Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-07-14 12:38:43 +0000
Commit: Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2022-07-19 17:20:42 +0000

    dev-libs/modsecurity: new package

    Modsecurity is a library that can be used by Nginx:
    https://github.com/SpiderLabs/ModSecurity-nginx

    For Apache, Modsecurity 2.x is still recommended.

    Bug: https://bugs.gentoo.org/726614
    Closes: https://bugs.gentoo.org/718358
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 dev-libs/modsecurity/Manifest                 |  1 +
 dev-libs/modsecurity/metadata.xml             | 35 ++++++++++++
 dev-libs/modsecurity/modsecurity-3.0.7.ebuild | 80 +++++++++++++++++++++++++++
 3 files changed, 116 insertions(+)